aboutsummaryrefslogtreecommitdiffstats
path: root/resources/config/haproxy
diff options
context:
space:
mode:
Diffstat (limited to 'resources/config/haproxy')
-rw-r--r--resources/config/haproxy/aai.pem82
-rw-r--r--resources/config/haproxy/haproxy-pluggable-security.cfg138
-rw-r--r--resources/config/haproxy/haproxy.cfg138
3 files changed, 358 insertions, 0 deletions
diff --git a/resources/config/haproxy/aai.pem b/resources/config/haproxy/aai.pem
new file mode 100644
index 0000000..e6dfd6a
--- /dev/null
+++ b/resources/config/haproxy/aai.pem
@@ -0,0 +1,82 @@
+-----BEGIN CERTIFICATE-----
+MIIFATCCA+mgAwIBAgIIWY+5kgf/UH8wDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
+BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
+bnRlcm1lZGlhdGVDQV85MB4XDTE5MDMyNjAzMjc1MloXDTIwMDMyNjAzMjc1Mlow
+azERMA8GA1UEAwwIYWFpLm9uYXAxDzANBgkqhkiG9w0BCQEWADEZMBcGA1UECwwQ
+YWFpQGFhaS5vbmFwLm9yZzEOMAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAx
+CzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuyZj
+PvQrgB2bhyE3kpSH6OjXigs/+MfmV4eOrEwmMzQ1lWjItu2z5WY9xNGCky85G3Pr
+qmCfT/qNPXd0W5kEujYlL0QnvrCa77WP3kSSu0kMKdUJV3S90Rp1SOhGFU/WroAQ
+XvlzyBCunqQ9/F/L6mS8dLotUbkGIQlojAYOukWOT/+ogMMxzpxtb91QR+Wl4YeY
+yzX//0rls/6nEKzCh2STHJuTkXqL0kod+KY08unpvMX2J/SEeHdWLS8Gsuus6oqM
+r4bFyquua/U1ApxEMn0/agY58V75dF5CRPJRYrqqf9I6DBr0SntHv6pzMhokjewl
+ukkrEsvIOkqEvIcE+QIDAQABo4IByzCCAccwCQYDVR0TBAIwADAOBgNVHQ8BAf8E
+BAMCBeAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFQGA1UdIwRN
+MEuAFIH3mVsQuciM3vNSXupOaaBDPqzdoTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjEN
+MAsGA1UECgwET05BUDELMAkGA1UEBhMCVVOCAQcwHQYDVR0OBBYEFFziBN1nFOnS
+Sp7XkxOuzVNR1GFLMIIBEQYDVR0RBIIBCDCCAQSCCGFhaS5vbmFwghJhYWktc3Bh
+cmt5LWJlLm9uYXCCG2FhaS5hcGkuc2ltcGxlZGVtby5vbmFwLm9yZ4IlYWFpLmVs
+YXN0aWNzZWFyY2guc2ltcGxlZGVtby5vbmFwLm9yZ4IlYWFpLmdyZW1saW5zZXJ2
+ZXIuc2ltcGxlZGVtby5vbmFwLm9yZ4IdYWFpLmhiYXNlLnNpbXBsZWRlbW8ub25h
+cC5vcmeCJWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25hcC5vcmeCF2Fh
+aS5zaW1wbGVkZW1vLm9uYXAub3JnghphYWkudWkuc2ltcGxlZGVtby5vbmFwLm9y
+ZzANBgkqhkiG9w0BAQsFAAOCAQEAlqwzbZv/0uxVPmFJMB2t5B2nw3GNojLwxnHh
+UVKzrLbDDpM36CkY8uX9kYAaf/Eg8eA5Jp0T9lGCheg0TNHM9OBqyyvDPjewZ5jO
+N0xooRs7gh4bYtQaWIjCOg6bXg+mHkW4VVbpewMJYivGpJZQ76LauuHtg1OA688s
+fy4SGrbC902OoPZ8zJlINOyljqSa+uNwvv6bg9Iqnuq/jUaFpKOYVUkMzw/ImVzy
+3kXH/hY+nz4FNvMPlULgwxskOBRp90a5VWBC48cNzg4aNtanVz6lPAr/AVD1R6jt
+ZDEd3Ww8nTlRKjUryxgoorqo8ThctZscWBpHMRW4B/LgGEYtRA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
+RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN
+MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
+A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL
+neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d
+o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3
+nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV
+v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO
+15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw
+gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV
+M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
+BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q
+ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl
+u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+
++pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/
+QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht
+8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX
+kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3
+aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky
+uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w
+tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep
+BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAuyZjPvQrgB2bhyE3kpSH6OjXigs/+MfmV4eOrEwmMzQ1lWjI
+tu2z5WY9xNGCky85G3PrqmCfT/qNPXd0W5kEujYlL0QnvrCa77WP3kSSu0kMKdUJ
+V3S90Rp1SOhGFU/WroAQXvlzyBCunqQ9/F/L6mS8dLotUbkGIQlojAYOukWOT/+o
+gMMxzpxtb91QR+Wl4YeYyzX//0rls/6nEKzCh2STHJuTkXqL0kod+KY08unpvMX2
+J/SEeHdWLS8Gsuus6oqMr4bFyquua/U1ApxEMn0/agY58V75dF5CRPJRYrqqf9I6
+DBr0SntHv6pzMhokjewlukkrEsvIOkqEvIcE+QIDAQABAoIBAEe1OrvJZM2PCqOp
+N5jjbnvwk32iN93EAl8xYppkBxMBgzJ/VsC4rYBNP4elWym4I2KAdSDwKrrDXtDZ
+b20VYXlT+8VzkOMA2izU3Y4lqi82mwGATjcDVSPExoGr9gZ+c9yi1yL8478ZnT7N
+4a5Mql5iQM9c8rZodY+9AiD8xTHbgXbaGmBsDhTxT/HPDsoacR/SHMh3XowbhAcs
+eXAe+NdDtLcG6WOEqi/EhkagkWvsecIBoy888Ffbxa5h/DLEaCCoC3Dw1tWFX8KM
+86sC9sQKDVRVKpKs2/9MGl9LoPi9jNDrOP6/Zx3T4k479ozGp/0G70LzmUcih72j
+MUbr4f0CgYEA/AV0yOLZh0i2K53jpv3e8RDJkOBFuLb0ZZVdGkVYHncw9/WY070E
+TJi0B51RAJtdSksAWa6o+1+VaJKQHtMZpABwMWDMRQUqdC+o+knONRpdCHwxXnSl
+gvujFyYJhURKDr42z0xjbQrHaEZRuVJ6tzJQhFtE66G01ngREhDPbUsCgYEAvhrB
+A/IOQpPaHcfU2ik80VE0KU9N4Ez50ZlheEbBDVTrMWzuFy8p9niNSfDKC7s5aqlP
+DgDvTD80D8Zw6+yT/aDU5iEf5vMdKc1pnlr8jJoCNSvuyJZ40kDSehsBOKC+YN3g
+b6xaYWIcH3mwwoLZO9XFsN5KAg/dSMJED8AGAEsCgYAduMMCIgbHdqLNWAyOGCif
+w3wSEvEGDMWb6VaWj5EJ3sKuq48/gW4tXmD0+O+ho7EH3vqGmRuisa4cLBTFHd5L
+QiX5HNJaXXaZRzmlcujXyGkqZAMqgZU3clfUlg7PYbNeM76hCgA7zuaffJOMyJZi
+XpOyWFUzeNmr5XMV71eXKwKBgEtgzFvGJMVdXsUkMU/3vfe5XRdsLJLdssjbKnzI
+gU/J9h/480caGmdyUYOaCGMyb4fNbl09HaV8AianJqtFeUC9/uzpAX9PsqaanmB9
+71nIz0tKCjpa/7lOnqZwAsHzasl58L4W9xdaEZChbecSfxRspSCGY44BwFpTPS2J
+lFeVAoGAFOetqKStyEy+qruEOMk+lWwaKLGZ4hLk7qmFochxwrXgx7hcZ4Zrqkv9
+7qyQtbAalFiCHGmLBdSb+GLfD/1pPUA3wJoLo/I3f4g9c7cw7m7r8MdWPDXSL2Vk
+vM97Syv92KQUBl8te7S3+bDBNklgb+KwRqSk3QRAl8ARWEjg8Kk=
+-----END RSA PRIVATE KEY-----
diff --git a/resources/config/haproxy/haproxy-pluggable-security.cfg b/resources/config/haproxy/haproxy-pluggable-security.cfg
new file mode 100644
index 0000000..1c82050
--- /dev/null
+++ b/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -0,0 +1,138 @@
+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global
+ log /dev/log local0
+ stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+ stats timeout 30s
+ user root
+ group root
+ daemon
+ #################################
+ # Default SSL material locations#
+ #################################
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ tune.ssl.default-dh-param 2048
+
+defaults
+ log global
+ mode http
+ option httplog
+ option ssl-hello-chk
+ option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
+ default-server init-addr none
+# option dontlognull
+# errorfile 400 /etc/haproxy/errors/400.http
+# errorfile 403 /etc/haproxy/errors/403.http
+# errorfile 408 /etc/haproxy/errors/408.http
+# errorfile 500 /etc/haproxy/errors/500.http
+# errorfile 502 /etc/haproxy/errors/502.http
+# errorfile 503 /etc/haproxy/errors/503.http
+# errorfile 504 /etc/haproxy/errors/504.http
+
+ option http-server-close
+ option forwardfor except 127.0.0.1
+ retries 6
+ option redispatch
+ maxconn 50000
+ timeout connect 50000
+ timeout client 480000
+ timeout server 480000
+ timeout http-keep-alive 30000
+
+
+frontend IST_8443
+ mode http
+ bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+ http-request set-header X-AAI-SSL %[ssl_fc]
+ http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
+ http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
+ http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
+ http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
+ http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
+ http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
+ http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
+ http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
+ http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+ reqadd X-Forwarded-Proto:\ https
+ reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+ default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+
+listen IST_AAI_STATS
+ mode http
+ bind *:8080
+ stats uri /stats
+ stats enable
+ stats refresh 30s
+ stats hide-version
+ stats auth admin:admin
+ stats show-legends
+ stats show-desc IST AAI APPLICATION NODES
+ stats admin if TRUE
diff --git a/resources/config/haproxy/haproxy.cfg b/resources/config/haproxy/haproxy.cfg
new file mode 100644
index 0000000..8beae0e
--- /dev/null
+++ b/resources/config/haproxy/haproxy.cfg
@@ -0,0 +1,138 @@
+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global
+ log /dev/log local0
+ stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+ stats timeout 30s
+ user root
+ group root
+ daemon
+ #################################
+ # Default SSL material locations#
+ #################################
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ tune.ssl.default-dh-param 2048
+
+defaults
+ log global
+ mode http
+ option httplog
+ option ssl-hello-chk
+ option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
+ default-server init-addr none
+# option dontlognull
+# errorfile 400 /etc/haproxy/errors/400.http
+# errorfile 403 /etc/haproxy/errors/403.http
+# errorfile 408 /etc/haproxy/errors/408.http
+# errorfile 500 /etc/haproxy/errors/500.http
+# errorfile 502 /etc/haproxy/errors/502.http
+# errorfile 503 /etc/haproxy/errors/503.http
+# errorfile 504 /etc/haproxy/errors/504.http
+
+ option http-server-close
+ option forwardfor except 127.0.0.1
+ retries 6
+ option redispatch
+ maxconn 50000
+ timeout connect 50000
+ timeout client 480000
+ timeout server 480000
+ timeout http-keep-alive 30000
+
+
+frontend IST_8443
+ mode http
+ bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+ http-request set-header X-AAI-SSL %[ssl_fc]
+ http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
+ http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
+ http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
+ http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
+ http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
+ http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
+ http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
+ http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
+ http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+ reqadd X-Forwarded-Proto:\ https
+ reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+ default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+
+listen IST_AAI_STATS
+ mode http
+ bind *:8080
+ stats uri /stats
+ stats enable
+ stats refresh 30s
+ stats hide-version
+ stats auth admin:admin
+ stats show-legends
+ stats show-desc IST AAI APPLICATION NODES
+ stats admin if TRUE