-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathhaproxy.cfg
69 lines (59 loc) · 3.21 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
global
log stdout format raw local0 info
maxconn 4096
maxpipes 1024
# ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES 256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
# ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
# ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
stats socket /var/run/haproxy.sock mode 600 level admin
stats timeout 2m
user haproxy
# Runtime API
stats socket :9999 level admin expose-fd listeners
defaults
# standard default settings...
log global
mode http
option httplog
timeout client 660000ms
timeout server 660000ms
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
maxconn 4096
option forwardfor
option http-server-close
option redispatch
retries 3
timeout connect 5000
frontend frontend_keycloak
bind *:80
http-request capture req.hdr(Host) len 20
http-request capture req.hdr(X-Forwarded-Host) len 20
http-request capture req.hdr(IAM-CLIENT-HOST) len 20
# allow 'auth' request to go straight through to Keycloak
#http-request allow if { path_beg /auth/ }
#use_backend keycloak if { path_beg /auth/ }
default_backend keycloak
backend keycloak
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
acl iam_client_host req.hdr(IAM-CLIENT-HOST) -m found
http-request del-header X-Forwarded-Host if iam_client_host
http-request add-header X-Forwarded-Host %[req.hdr(IAM-CLIENT-HOST)] if iam_client_host
acl iam_client_port req.hdr(IAM-CLIENT-PORT) -m found
http-request del-header X-Forwarded-Port if iam_client_port
http-request add-header X-Forwarded-Port %[req.hdr(IAM-CLIENT-PORT)] if iam_client_port
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto
timeout check 300
option httpchk GET "/auth/" "HTTP/1.0"
# option httpchk GET "/auth/realms/master/health/check/infinispan" "HTTP/1.0"
cookie AUTH_SESSION_ID prefix
mode http
server keycloak1 keycloak1:8080 check
server keycloak2 keycloak2:8080 check