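#---------------------------------------------------------------------
# Configuration file for the jtel acd dispatcher proxy
# See the full configuration options online.
#
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
#
# NOTE(review): some keywords used below (ssl-min-ver, http-response
# replace-header) are newer than the 1.5 manual linked above; keep the
# linked manual in step with the HAProxy version actually deployed.
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Peers for restarts
# The JSESSIONID stick-table of backend jtel_portal is replicated to
# this peer so that session affinity survives a reload.
# HAProxy identifies itself in this list by the local peer name
# (hostname, or the -L command line argument), so "localproxy" must be
# what this process is started with.
#---------------------------------------------------------------------
peers replicates
    peer localproxy 127.0.0.1:1024

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    # NOTE(review): no "mode" is given, so the socket is created with the
    # process default permissions; "mode 600" limits it to root. Whatever
    # the access level, the socket is an administrative interface.
    stats socket /var/lib/haproxy/stats
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    # TLS 1.2 is the floor; session tickets are disabled so a long-lived
    # ticket key cannot weaken forward secrecy.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    # add X-Forwarded-For unless the client is the local host
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

    # default error pages
    errorfile 400 /usr/share/haproxy/400.http
    errorfile 408 /usr/share/haproxy/408.http
    errorfile 504 /usr/share/haproxy/504.http
    errorfile 503 /usr/share/haproxy/503.http
    errorfile 502 /usr/share/haproxy/502.http
    errorfile 403 /usr/share/haproxy/403.http
    errorfile 500 /usr/share/haproxy/500.http

#---------------------------------------------------------------------
# For redundant LB when mysql sessions are distributed by the LB
#
# The "defaults" section is HTTP mode; the three mysql listeners below
# switch to TCP mode and therefore carry "option tcplog" explicitly so
# that the inherited httplog does not produce a startup warning.
# "option mysql-check" without a "user" only validates the server
# handshake; the MySQL side may log the aborted connections.
#---------------------------------------------------------------------
# For the masters, the second server is a backup and a failover will only
# fail back after 99999999 checks (several years)
listen mysql-cluster-masters
    bind *:3306
    mode tcp
    option tcplog
    option mysql-check
    balance roundrobin
    server acd-dbm1 acd-dbm1:3306 check inter 5s fall 6 rise 99999999 maxconn 1200
    server acd-dbm2 acd-dbm2:3306 check backup maxconn 1200

# For the slaves, prefer a particular server first. Both slaves are active
# ("balance first" fills a server up to its maxconn before using the next).
listen mysql-cluster-slaves
    bind *:3307
    mode tcp
    option tcplog
    option mysql-check
    balance first
    server acd-dbs1 acd-dbs1:3306 check maxconn 1200
    server acd-dbs2 acd-dbs2:3306 check maxconn 1200

# Same servers in the opposite preference order for reporting traffic
listen mysql-cluster-reporting-slaves
    bind *:3308
    mode tcp
    option tcplog
    option mysql-check
    balance first
    server acd-dbs2 acd-dbs2:3306 check maxconn 1200
    server acd-dbs1 acd-dbs1:3306 check maxconn 1200

#---------------------------------------------------------------------
# statistics admin level depends on the authenticated user
# you can create your passwords with the following oneliner:
#
# python -c 'import crypt; print crypt.crypt("<password>", "$5$<a_random_salt>")'
#
# 5 is the type of the hash: 5 = SHA-256
#
# 1  -> MD5
# 2a -> Blowfish (not in mainline glibc; added in some Linux distributions)
# 5  -> SHA-256 (since glibc 2.7)
# 6  -> SHA-512 (since glibc 2.7)
#
# Use a fresh random salt for every user and never write the production
# salt or a real password into this comment: a worked example that
# reuses the live salt lets anyone with read access to this file confirm
# a password guess offline.
#
# NOTE(review): "admin" and "jtel" currently carry the same hash, i.e.
# the same salt and the same password; losing one account's password
# exposes both. Rotate them to distinct passwords with distinct salts.
#---------------------------------------------------------------------
userlist stats-auth
    user admin password $5$jhaProxy$rd33gRtd4Wt5UyIclODlyjinSeH4N2DjLtKk33PNZH.
    user jtel password $5$jhaProxy$rd33gRtd4Wt5UyIclODlyjinSeH4N2DjLtKk33PNZH.
    user user password $5$jhaProxy$.saE3wsZ9AzbDMk2jW9WWQqm.4.vgyZCjFdCf5dAKD6
    group admin users admin,jtel
    group readonly users user

#---------------------------------------------------------------------
# this is a dedicated internal HTTP frontend for administration
#
# NOTE(review): this listener is plain HTTP on every interface, so the
# basic-auth credentials of userlist stats-auth cross the wire in clear
# text. Bind it to a management address or terminate TLS here as well.
#---------------------------------------------------------------------
frontend haproxy
    mode http
    bind *:7777
    acl root_req path /
    redirect location /haproxy if root_req
    default_backend stat_admin

#---------------------------------------------------------------------
# this is the internal HTTP dispatcher frontend for the acd portal
# with forced redirection to HTTPS
#---------------------------------------------------------------------
frontend acdportal_http
    mode http
    bind :80
    redirect scheme https if !{ ssl_fc }

#---------------------------------------------------------------------
# this is the internal HTTPS dispatcher frontend for the acd portal
#---------------------------------------------------------------------
frontend acdportal_https
    mode http
    # append "verify optional" (with a ca-file) to request client certificates
    bind :443 ssl crt /etc/haproxy/haproxy.pem
    # NOTE(review): rest_req is not referenced by any use_backend below and
    # backend jtel_rest is unused, so REST calls currently go to
    # jtel_portal. Confirm whether "use_backend jtel_rest if rest_req"
    # was intended before wiring it up (it would move that traffic to
    # acd-tel1:8091).
    acl rest_req url_reg ^\/rest\/v1.0
    acl soap_req url_reg ^\/CarrierPortal/AcdAgentClientService.*
    acl stat_req url_reg ^\/haproxy
    acl root_req path /
    acl admn_req path /admin
    acl mini_req path /mini
    # long-lived client connections for the portal; overrides the 10m default
    timeout client 1d
    # This option is used, if this load balancer serves the clients.
    option forwardfor header X-JTEL
    # This next option is used, if another haproxy is in front of this one
    # and provides the x-forwarded-for header.
    # http-request set-header X-JTEL %[hdr(x-forwarded-for)]
    # Tell the backend the client arrived over TLS. set-header replaces any
    # X-Forwarded-Proto the client sent instead of appending to it, and the
    # older "reqadd" form it replaces is removed in HAProxy 2.1.
    http-request set-header X-Forwarded-Proto https
    redirect location /CarrierPortal/sysadmin/login if admn_req
    redirect location /CarrierPortal/login/RESELLER/CLIENT if root_req
    redirect location /CarrierPortal/mclogin/RESELLER/CLIENT if mini_req
    use_backend stat_admin if stat_req
    use_backend jtel_soap if soap_req
    default_backend jtel_portal

#---------------------------------------------------------------------
# this backend provides the haproxy administration interface
# It is reachable from the public HTTPS frontend (path /haproxy) as well
# as from port 7777; both paths rely solely on the userlist credentials.
#---------------------------------------------------------------------
backend stat_admin
    mode http
    acl HAUTH http_auth(stats-auth)
    acl HAUTH_ADMIN http_auth_group(stats-auth) admin
    stats enable
    stats uri /haproxy
    stats http-request auth unless HAUTH
    # write access (enable/disable servers) only for the admin group
    stats admin if HAUTH_ADMIN
    stats hide-version
    stats refresh 60

#---------------------------------------------------------------------
# this backend provides the standard acd portal access
#---------------------------------------------------------------------
backend jtel_portal
    mode http
    compression algo gzip
    compression type text/xml text/html text/plain text/css text/javascript
    # session affinity on the JSESSIONID cookie, shared with the peer
    stick-table type string size 1m expire 8h peers replicates
    stick store-response res.cook(JSESSIONID)
    stick on req.cook(JSESSIONID)
    # roundrobin is the alternative
    balance leastconn
    server acd-jb1 acd-jb1:8080 weight 1 check inter 1m
    server acd-jb2 acd-jb2:8080 weight 1 check inter 1m
    server acd-jb3 acd-jb3:8080 weight 1 check inter 1m
    server acd-jb4 acd-jb4:8080 weight 1 check inter 1m
    acl https ssl_fc
    # NOTE(review): res.cook(JSESSIONID) yields only the cookie's value, so
    # this ACL tests the session id text for "secure", not the Set-Cookie
    # attributes; on HTTPS the rewrite below therefore runs for practically
    # every response and can duplicate an attribute the application already
    # set. If the intent is to skip cookies already flagged Secure, test the
    # header itself, e.g. res.hdr(Set-Cookie),lower -m sub secure.
    acl secured_cookie res.cook(JSESSIONID),lower -m sub secure
    http-response replace-header Set-Cookie (.*) \1;\ SameSite=None;\ Secure if https !secured_cookie

#---------------------------------------------------------------------
# this backend provides the SOAP interface access
#---------------------------------------------------------------------
backend jtel_soap
    mode http
    compression algo gzip
    compression type text/xml text/html text/plain text/css text/javascript
    # roundrobin is the alternative
    balance leastconn
    # source-IP affinity for SOAP clients
    stick-table type ip size 20k
    stick on src
    server acd-jb1 acd-jb1:8080 weight 1 check inter 1m
    server acd-jb2 acd-jb2:8080 weight 1 check inter 1m
    server acd-jb3 acd-jb3:8080 weight 1 check inter 1m
    server acd-jb4 acd-jb4:8080 weight 1 check inter 1m

#---------------------------------------------------------------------
# this backend provides access to the REST API
# NOTE(review): no frontend currently routes to this backend (see the
# rest_req ACL in acdportal_https).
#---------------------------------------------------------------------
backend jtel_rest
    mode http
    compression algo gzip
    compression type text/xml text/html text/plain text/css text/javascript
    # roundrobin is the alternative
    balance leastconn
    # source-IP affinity for REST clients
    stick-table type ip size 20k
    stick on src
    server acd-tel1 acd-tel1:8091 weight 1 check inter 1m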