summaryrefslogtreecommitdiffstats
path: root/haproxy/haproxy.cfg
blob: 058e6b5612fe179973e9fd6db54e171ed01f918e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
global
        log /dev/log    local0
        stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
        stats timeout 30s
        user root
        group root
        daemon
        #################################
        # Default SSL material locations#
        #################################
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        tune.ssl.default-dh-param 2048
        ssl-default-bind-options force-tlsv12 no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        tune.ssl.maxrecord 1400

defaults
        log     global
        mode    http
        option  httplog
#       option  dontlognull
#       errorfile 400 /etc/haproxy/errors/400.http
#       errorfile 403 /etc/haproxy/errors/403.http
#       errorfile 408 /etc/haproxy/errors/408.http
#       errorfile 500 /etc/haproxy/errors/500.http
#       errorfile 502 /etc/haproxy/errors/502.http
#       errorfile 503 /etc/haproxy/errors/503.http
#       errorfile 504 /etc/haproxy/errors/504.http

        option  http-server-close
        option forwardfor except 127.0.0.1
        retries 6
        option redispatch
        maxconn 50000
        timeout connect 50000
        timeout client  480000
        timeout server  480000
        timeout http-keep-alive 30000


frontend IST_8443
        mode http
        bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
#       log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
        option httplog
        log global
        option logasap
        option forwardfor
        capture request header  Host len 100
        capture response header Host len 100
        option log-separate-errors
        option forwardfor
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
        http-request set-header X-AAI-SSL                       %[ssl_fc]
        http-request set-header X-AAI-SSL-Client-Verify         %[ssl_c_verify]
        http-request set-header X-AAI-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
        http-request set-header X-AAI-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-AAI-SSL-Issuer                %{+Q}[ssl_c_i_dn]
        http-request set-header X-AAI-SSL-Client-NotBefore      %{+Q}[ssl_c_notbefore]
        http-request set-header X-AAI-SSL-Client-NotAfter       %{+Q}[ssl_c_notafter]
        http-request set-header X-AAI-SSL-ClientCert-Base64   %{+Q}[ssl_c_der,base64]
        http-request set-header X-AAI-SSL-Client-OU             %{+Q}[ssl_c_s_dn(OU)]
        http-request set-header X-AAI-SSL-Client-L              %{+Q}[ssl_c_s_dn(L)]
        http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
        http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
        http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
        reqadd X-Forwarded-Proto:\ https
        reqadd X-Forwarded-Port:\ 8443

#######################
#ACLS FOR PORT 8446####
#######################

        acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
        acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
        acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$

        acl is_named-query path_beg -i /aai/search/named-query
        acl is_search-model path_beg -i /aai/search/model

        acl is_dbquery path_reg -i ^/aai/v[0-9]+/dbquery$

        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model

        use_backend IST_AAI_8449 if is_dbquery

        default_backend IST_Default_8447


#######################
#DEFAULT BACKEND 847###
#######################

backend IST_Default_8447
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server aai-resources.api.simpledemo.onap.org  aai-resources.api.simpledemo.onap.org:8447  port 8447 ssl verify none

#######################
# BACKEND 8446#########
#######################

backend IST_AAI_8446
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server aai-traversal.api.simpledemo.onap.org aai-traversal.api.simpledemo.onap.org:8446  port 8446 ssl verify none

backend IST_AAI_8449
        balance roundrobin
        http-request set-header X-Forwarded-Port %[src_port]
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server aai-graphadmin.api.simpledemo.onap.org aai-graphadmin.api.simpledemo.onap.org:8449  port 8449 ssl verify none

listen IST_AAI_STATS
        mode http
        bind *:8080
        stats uri /stats
        stats enable
        stats refresh 30s
        stats hide-version
        stats auth admin:admin
        stats show-legends
        stats show-desc IST AAI APPLICATION NODES
        stats admin if TRUE