# # Example pillar configuration # haproxy: # use lookup section to override 'map.jinja' values #lookup: #user: 'custom-user' #group: 'custom-group' # new setting to override configuration file path #config_file: /etc/haproxy/haproxy.cfg enabled: True overwrite: True # Overwrite an existing config file if present (default behaviour unless set to false) # old setting to override configuration file path, kept for compatibility #config_file_path: /etc/haproxy/haproxy.cfg global: log: - 127.0.0.1 local2 - 127.0.0.1 local1 notice stats: enable: True socketpath: /var/lib/haproxy/stats mode: 660 level: admin ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384" ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11" user: haproxy group: haproxy chroot: enable: True path: /var/lib/haproxy daemon: True userlists: userlist1: users: john: insecure-password doe sam: insecure-password frodo # groups: # admins: users john sam # guests: users jekyll hyde jane defaults: log: global mode: http retries: 3 options: - httplog - dontlognull - forwardfor - http-server-close logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r" timeouts: - http-request 10s - queue 1m - connect 10s - client 1m - server 1m - http-keep-alive 10s - check 10s stats: - enable - uri: '/admin?stats' - realm: 'Haproxy\ Statistics' - auth: 'admin1:AdMiN123' errorfiles: 400: /etc/haproxy/errors/400.http 403: /etc/haproxy/errors/403.http 408: /etc/haproxy/errors/408.http 500: /etc/haproxy/errors/500.http 502: /etc/haproxy/errors/502.http 503: /etc/haproxy/errors/503.http 504: /etc/haproxy/errors/504.http {# Suported by HAProxy 1.6 #} resolvers: local_dns: options: - nameserver resolvconf 127.0.0.1:53 - resolve_retries 3 - timeout retry 1s - hold valid 10s listens: stats: bind: - "0.0.0.0:8998" mode: http stats: enable: True uri: "/admin?stats" refresh: "20s" myservice: bind: - "*:8888" options: - forwardfor - http-server-close defaultserver: slowstart: 60s maxconn: 256 maxqueue: 128 weight: 100 servers: web1: host: web1.example.com port: 80 check: check web2: host: web2.example.com port: 18888 check: check web3: host: web3.example.com frontends: frontend1: name: www-http bind: "*:80" redirects: - scheme https if !{ ssl_fc } reqadds: - "X-Forwarded-Proto:\\ http" default_backend: www-backend www-https: bind: "*:443 ssl crt /etc/ssl/private/certificate-chain-and-key-combined.pem" logformat: "%ci:%cp\\ [%t]\\ %ft\\ %b/%s\\ %Tq/%Tw/%Tc/%Tr/%Tt\\ %ST\\ %B\\ %CC\\ %CS\\ %tsc\\ %ac/%fc/%bc/%sc/%rc\\ %sq/%bq\\ %hr\\ %hs\\ %{+Q}r\\ ssl_version:%sslv\\ ssl_cipher:%sslc" reqadds: - "X-Forwarded-Proto:\\ https" default_backend: www-backend acls: - url_static path_beg -i /static /images /javascript /stylesheets - url_static path_end -i .jpg .gif .png .css .js use_backends: - static-backend if url_static extra: "rspadd Strict-Transport-Security:\ max-age=15768000" some-services: bind: - "*:8080" - "*:8088" default_backend: api-backend backends: backend1: name: www-backend balance: roundrobin redirects: - scheme https if !{ ssl_fc } extra: "reqidel ^X-Forwarded-For:" servers: server1: name: server1-its-name host: 192.168.1.213 port: 80 check: check static-backend: balance: roundrobin redirects: - scheme https if !{ ssl_fc } options: - http-server-close - httpclose - forwardfor except 127.0.0.0/8 - httplog cookie: "pm insert indirect" stats: enable: True uri: /url/to/stats realm: LoadBalancer auth: "user:password" servers: some-server: host: 123.156.189.111 port: 8080 check: check another-server: host: 123.156.189.112 api-backend: options: - http-server-close - forwardfor servers: apiserver1: host: apiserver1.example.com port: 80 check: check server2: name: apiserver2 host: apiserver2.example.com port: 80 check: check extra: resolvers local_dns resolve-prefer ipv4 another_www: mode: tcp balance: source sticktable: "type binary len 32 size 30k expire 30m" acls: - clienthello req_ssl_hello_type 1 - serverhello rep_ssl_hello_type 2 tcprequests: - "inspect-delay 5s" - "content accept if clienthello" tcpresponses: - "content accept if serverhello" stickons: - "payload_lv(43,1) if clienthello" reqreps: - '^([^\ :]*)\ /static/(.*) \1\ \2' options: "ssl-hello-chk"