global
    # Process-wide settings.

    # First log target: every level goes to the local syslog listener, facility local0.
    log 127.0.0.1 local0
    # Second log target: same listener and facility, limited to notice and above.
    # NOTE(review): both targets use facility local0, so notice+ events are
    # probably logged twice. Confirm whether a separate facility was intended.
    log 127.0.0.1 local0 notice

    # Cap on concurrent connections for the whole process.
    maxconn 131070
    # File-descriptor limit, a little over twice the maxconn value above.
    ulimit-n 262500

    # NOTE(review): this section sets no user/group or chroot, so the process
    # keeps whatever privileges it is started with. Confirm that the container
    # or service unit runs it unprivileged.
defaults
    # Settings inherited by every listen/frontend/backend section below.

    # HTTP (layer 7) processing, logging to the targets declared in `global`.
    mode http
    log global

    # Inactivity limits on the client side, the server side and connection setup.
    timeout client 1m
    timeout connect 5s
    timeout server 1m
    # Applies once a connection has been upgraded to a tunnel (e.g. WebSocket).
    timeout tunnel 1h
    timeout http-keep-alive 1s
    # Upper bound for a client to send a complete request; limits how long a
    # slow or stalled request can hold a connection slot.
    timeout http-request 15s
    timeout queue 30s
    # Only relevant for tarpit rules; none are visible in this file.
    timeout tarpit 60s

    # Health-check pacing while a server is changing state or is down.
    default-server fastinter 1s downinter 1s

    option http-server-close
    # Allow a request to be sent to another server if its assigned one fails.
    option redispatch
    option httplog
    # Connections that send no data are not logged. This also hides bare
    # connection probes from the log, so keep that in mind when using these
    # logs for detection.
    option dontlognull

    # Kubernetes handles this for client requests
    # option forwardfor
################################################################################
# This is for basic-auth
# It will eventually point to a central auth server
#
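userlist admins
    # Account checked by http_auth(admins) in backend local_stats.
    #
    # HAProxy expands environment variables only inside double quotes. Without
    # the quotes the placeholder text itself becomes the password, unless a
    # templating step renders this file before HAProxy reads it (not visible
    # here). Confirm how the file is deployed and that ADMIN_PASSWORD is always
    # defined in the process environment.
    #
    # insecure-password means the secret is held in cleartext in the loaded
    # configuration. Prefer `password` with a crypt(3) hash where the
    # deployment allows it.
    user admin insecure-password "${ADMIN_PASSWORD}"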
#################################################################################
# Stats service
#
listen stats
    # Built-in statistics page, bound to loopback only.
    bind 127.0.0.1:1936

    stats enable
    # Serve the page at the root of this listener.
    stats uri /
    stats realm Haproxy\ Statistics

    # NOTE(review): no `stats auth` is set here, so anything that can reach
    # 127.0.0.1:1936 directly reads the page without credentials. The only
    # authentication visible in this file is http_auth(admins) in backend
    # local_stats, which proxies to this listener.
#################################################################################
# All port 80 traffic goes through here
#
#
frontend main_http
    # Single plain-HTTP entry point: picks a backend from the Host header and,
    # for api.techby.org, the path prefix. use_backend rules are evaluated in
    # file order and the first match wins, so the order below is significant.
    bind 0.0.0.0:80
    # NOTE(review): this is higher than the global maxconn (131070), which
    # still caps the process as a whole. Confirm the intended value.
    maxconn 262500

    #################################
    # Service Worker no cache
    #
    http-response set-header Cache-Control no-cache,\ max-age=0 if { capture.req.uri -m beg /service_worker.js }

    ##################################
    # Rate Limiting
    #
    # NOTE(review): the rules below are commented out, so nothing in this
    # frontend throttles repeated requests, including repeated basic-auth
    # attempts against the internal stats backend. If they are re-enabled,
    # check that `src` is the real client address and not an upstream proxy.
    #
    # 15 req every 15min
    # acl path_api_login_recovery path_beg /login/recovery
    #
    # stick-table type ip size 1m expire 15m store http_req_rate(15m)
    #
    # tcp-request content track-sc0 src if path_api_login_recovery
    # acl is_abuser src_http_req_rate gt 15
    #
    # http-request deny if path_api_login_recovery is_abuser

    ##################################
    # ================ #
    # Internal Domains #
    # ================ #
    ##################################
    # The Host header is supplied by the client, so matching on it selects a
    # backend but is not an access control. Access to the stats page rests on
    # the basic-auth check in backend local_stats.
    acl host_load_balancer hdr(host) -i load-balancer.kiln.wtf
    acl host_load_balancer_staging hdr(host) -i load-balancer-staging.kiln.wtf
    use_backend local_stats if host_load_balancer or host_load_balancer_staging

    # acl host_kue hdr(host) -i kue.kiln.wtf
    # acl host_kue_staging hdr(host) -i kue-staging.kiln.wtf
    # use_backend kue if host_kue
    # use_backend kue_staging if host_kue_staging

    ##################################
    # ================= #
    # Public Domains #
    # ================= #
    ##################################
    acl host_free_roam hdr(host) -i freeroam.app
    acl host_free_roam_www hdr(host) -i www.freeroam.app
    acl host_free_roam_staging hdr(host) -i staging.freeroam.app
    acl host_free_roam_tile_server hdr(host) -i tileserver.freeroam.app
    acl host_free_roam_local_maps_tile_server hdr(host) -i localmaps.freeroam.app
    acl host_proudly_gives hdr(host) -i proudly.gives
    acl host_parade hdr(host) -i proudlygives.com
    acl host_substance hdr(host) -i substance.fdn.uno

    use_backend free_roam if host_free_roam or host_free_roam_www
    use_backend free_roam_staging if host_free_roam_staging
    use_backend free_roam_tile_server if host_free_roam_tile_server
    use_backend free_roam_local_maps_tile_server if host_free_roam_local_maps_tile_server
    use_backend proudly_gives if host_proudly_gives
    use_backend parade if host_parade
    use_backend substance if host_substance

    acl host_fundraise hdr(host) -i fundraise.techby.org
    use_backend fundraise if host_fundraise

    acl host_impact hdr(host) -i impact.techby.org
    use_backend impact if host_impact

    # NOTE(review): host_techby is declared twice, here for api.techby.org and
    # further down for techby.org. HAProxy ORs ACL declarations that share a
    # name, so every rule that references host_techby should match both hosts.
    # The two API prefixes would then also be served on techby.org, and other
    # api.techby.org paths would reach the techby backend. Verify with a test
    # request, and give the two hosts distinct ACL names if that is not intended.
    acl host_techby hdr(host) -i api.techby.org
    acl path_990_api path_beg /990/v1
    use_backend irs_990_api if host_techby path_990_api
    acl path_impact_api path_beg /impact/v1
    use_backend impact_api if host_techby path_impact_api

    acl host_techby hdr(host) -i techby.org
    use_backend techby if host_techby

    # Any request whose Host matches none of the ACLs above lands on the
    # free_roam production backend. That includes arbitrary client-chosen Host
    # values, so that application should not trust Host for link or redirect
    # generation.
    default_backend free_roam
# Each of these backends has one server and an HTTP health check on /ping.
# The check uses HAProxy's default method, since only a URI is given.
backend fundraise
    option httpchk /ping
    server app fundraise.production:8080 check

backend impact
    option httpchk /ping
    server app impact.production:8080 check

backend techby
    option httpchk /ping
    server app tech-by.production:8080 check
backend irs_990_api
    # Health check goes straight to the server's /ping.
    option httpchk /ping

    # Remove the leading 990/v1 segment from the request line before it is
    # forwarded, so "GET /990/v1/foo" reaches the server as "GET /foo".
    # NOTE(review): reqrep was removed in HAProxy 2.1 in favour of http-request
    # rules. Plan a migration before upgrading past 2.0.
    reqrep ^([^\ ]*\ /)990/v1[/]?(.*) \1\2

    server app irs-990-api.production:80 check
backend impact_api
    # Health check goes straight to the server's /ping.
    option httpchk /ping

    # Remove the leading impact/v1 segment from the request line before it is
    # forwarded, so "GET /impact/v1/foo" reaches the server as "GET /foo".
    # NOTE(review): reqrep was removed in HAProxy 2.1 in favour of http-request
    # rules. Plan a migration before upgrading past 2.0.
    reqrep ^([^\ ]*\ /)impact/v1[/]?(.*) \1\2

    server app impact-api.production:80 check
#################################################################################
# Internal
#
#
backend local_stats
    # Puts HTTP basic auth, checked against userlist admins, in front of the
    # loopback stats listener.
    acl auth_ok http_auth(admins)
    http-request auth unless auth_ok

    # NOTE(review): this backend is reached through the port-80 frontend, so
    # the basic-auth credentials travel in cleartext unless TLS is terminated
    # upstream (not visible in this file). Confirm that, and consider limiting
    # the source addresses allowed to reach the internal hostnames.
    server serv1 127.0.0.1:1936
# backend kue
# acl auth_ok http_auth(admins)
# http-request auth unless auth_ok
# server app kue.production:8080 check
# backend kue_staging
# acl auth_ok http_auth(admins)
# http-request auth unless auth_ok
# server app kue.staging:8080 check
#################################################################################
# Public
#
#
# Public application backends. Each has one server and an HTTP health check
# on /ping, using HAProxy's default check method since only a URI is given.
backend free_roam
    option httpchk /ping
    server app free-roam.production:8080 check

backend free_roam_staging
    option httpchk /ping
    server app free-roam.staging:8080 check

backend free_roam_tile_server
    option httpchk /ping
    server app tile-server.production:8080 check

backend free_roam_local_maps_tile_server
    option httpchk /ping
    server app local-maps-tile-server.production:8080 check

backend proudly_gives
    option httpchk /ping
    server app proudly-gives.production:8080 check

backend parade
    option httpchk /ping
    server app parade.production:8080 check

backend substance
    option httpchk /ping
    server app substance.production:8080 check