# Copyright © 2018 Amdocs, Bell Canada, AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s user root group root daemon ################################# # Default SSL material locations# ################################# ca-base /etc/ssl/certs crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # An alternative list with additional directives can be obtained from # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy tune.ssl.default-dh-param 2048 defaults log global mode http option httplog option ssl-hello-chk option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http # errorfile 403 /etc/haproxy/errors/403.http # errorfile 408 /etc/haproxy/errors/408.http # errorfile 500 /etc/haproxy/errors/500.http # errorfile 502 /etc/haproxy/errors/502.http # errorfile 503 /etc/haproxy/errors/503.http # errorfile 504 /etc/haproxy/errors/504.http option http-server-close option forwardfor except 127.0.0.1 retries 6 option redispatch maxconn 50000 timeout connect 50000 timeout client 480000 timeout server 480000 timeout http-keep-alive 30000 frontend IST_8443 mode http bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem # log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" option httplog log global option logasap option forwardfor capture request header Host len 100 capture response header Host len 100 option log-separate-errors option forwardfor http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } http-request set-header X-AAI-SSL %[ssl_fc] http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] reqadd X-Forwarded-Proto:\ https reqadd X-Forwarded-Port:\ 8443 ####################### #ACLS FOR PORT 8446#### ####################### acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ acl is_named-query path_beg -i /aai/search/named-query acl is_search-model path_beg -i /aai/search/model use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl default_backend IST_Default_8447 ####################### #DEFAULT BACKEND 847### ####################### backend IST_Default_8447 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none ####################### # BACKEND 8446######### ####################### backend IST_AAI_8446 balance roundrobin http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none