-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy.cfg
96 lines (83 loc) · 3.49 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# SPDX-License-Identifier: BSD-2-Clause
# Copyright (c) 2020, Robin H. Johnson <[email protected]>
# Copyright (c) 2020, DigitalOcean
#
# Significant usage example for health.lua
global
maxconn 100
#log /dev/log local0
log stdout len 65535 format rfc5424 daemon debug
stats socket /var/run/haproxy.sock level admin
lua-load health.lua
defaults
timeout connect 10s
timeout client 30s
timeout server 30s
log global
mode http
option httplog
maxconn 3000
frontend default
bind :9008 transparent
bind [::]:9008 transparent # IPv6 bind
# These headers are just to help you debugging
# TODO: DISABLE IN PRODUCTION!!!
http-response add-header X-src %[src]
http-response add-header X-dst %[dst]
acl health_ANY path -m beg /health/
# What IPs are permitted?
# Permit anything on local network:
acl health_permitted src 127.0.0.0/8
acl health_permitted src ::1
# Permit anything where the source & destination are identical
# Works for both IPv4 & IPv6
http-request set-var(sess.src) src
acl health_permitted dst,strcmp(sess.src) eq 0
# Usual check point:
acl health_check path -m str /health/check
# Special cases if you want to force an output:
acl health_force_up path -m str /health/force-up
acl health_force_ready path -m str /health/force-ready
acl health_force_down path -m str /health/force-down
acl health_force_drain path -m str /health/force-drain
acl health_force_maint path -m str /health/force-maint
# Deny unauthorized access to healthcheck
# This will be logged!
http-request deny if health_ANY !health_permitted
http-request set-log-level warning if health_ANY !health_permitted
# Make normal access to healthcheck silent, so it does not spam logs
http-request set-log-level silent if health_ANY health_permitted
# Forced states
http-request use-service lua.health_up if health_force_up health_permitted
http-request use-service lua.health_ready if health_force_ready health_permitted
http-request use-service lua.health_down if health_force_down health_permitted
http-request use-service lua.health_drain if health_force_drain health_permitted
http-request use-service lua.health_maint if health_force_maint health_permitted
# Actual check example:
# 1. If the sysadmin created a maint flag, return that
# ("echo 1 >haproxy_maint.acl && reload haproxy")
# ("echo 0 >haproxy_maint.acl && reload haproxy")
acl haproxy_maint str(1) -m int -f haproxy_maint.acl
http-request use-service lua.health_maint if health_check health_permitted haproxy_maint
# 2. If HAProxy is stopping, return a DRAIN state
acl haproxy_drain str(1) -m int -f haproxy_drain.acl
acl haproxy_drain stopping eq 1
http-request use-service lua.health_drain if health_check health_permitted haproxy_drain
# 3. If the backend is up, return up
acl be_web_servers_up nbsrv(web_servers) gt 0
http-request use-service lua.health_up if health_check health_permitted be_web_servers_up
# 4. If the backend is down, return down
http-request use-service lua.health_down if health_check health_permitted #!be_web_servers_up
# Normal codepath:
default_backend web_servers
backend web_servers
balance roundrobin
option httpchk HEAD /
default-server check maxconn 20
server server1 127.0.0.1:8000
#listen stats
# bind *:8404
# stats enable
# stats uri /monitor
# stats refresh 5s
# vim:et ts=4 sts=4: