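#!/usr/bin/env bash
#
# Install HAProxy on a Debian/Ubuntu host and configure it as the front door
# for a single Nextcloud instance:
#   :80   HTTP  - ACME HTTP-01 challenges are proxied to nextcloud.lan:80,
#                 everything else for the Nextcloud host is redirected to HTTPS
#   :443  TLS   - passthrough, routed by SNI to nextcloud.lan:443
#
# Assumes it runs as root on an apt-based distro with systemd (rsyslog and
# haproxy are (re)started through systemctl). Re-running is safe: the bind
# mount and the fstab entry are only added once, and the generated haproxy.cfg
# is validated before it replaces the live one.

set -o errexit
set -o nounset
set -o pipefail
set -o xtrace

# install haproxy (socat is only needed to talk to the stats socket by hand)
apt-get install -y haproxy socat rsyslog

readonly CHROOT=/var/lib/haproxy
readonly HAPROXY_CFG=/etc/haproxy/haproxy.cfg

# --- logging from inside the chroot ------------------------------------------
# A chroot'ed HAProxy (< v1.9, logging via "log /dev/log") cannot see the host's
# /dev/log, so a log socket has to exist inside $CHROOT. Two mechanisms are set
# up here and they overlap:
#   1. a bind mount of the host /dev/log into the chroot (persisted in fstab);
#   2. an extra rsyslog listen socket at the same path.
# While the bind mount is active rsyslog cannot replace the mountpoint with its
# own socket, so (1) is what actually carries the logs; (2) only takes over if
# the mount is missing. Either one alone is sufficient - keep whichever fits.
# https://www.haproxy.com/blog/introduction-to-haproxy-logging
mkdir -p "$CHROOT/dev/"
touch "$CHROOT/dev/log"
# idempotent: a second run must not stack another bind mount on the same path
if ! grep -qsF -- " $CHROOT/dev/log " /proc/self/mounts; then
  mount --bind /dev/log "$CHROOT/dev/log"
fi
# idempotent: append the fstab entry only if this mountpoint is not listed yet
fstab_line="/dev/log $CHROOT/dev/log none bind 0 0"
if ! grep -qsF -- "$CHROOT/dev/log" /etc/fstab; then
  printf '%s\n' "$fstab_line" >> /etc/fstab
fi

# Quoted heredoc on purpose: '$AddUnixListenSocket' must reach rsyslog verbatim.
# (The haproxy package may already ship an identical file; overwriting it is
# harmless.)
cat <<'EOF' > /etc/rsyslog.d/49-haproxy.conf
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenSocket /var/lib/haproxy/dev/log
EOF
# the extra listen socket only exists once rsyslog has re-read its config
systemctl restart rsyslog

# --- haproxy.cfg --------------------------------------------------------------
# Written to a temp file and checked with `haproxy -c` before it replaces the
# live config, so a typo cannot take the running proxy down on reload.
# NB: this heredoc is unquoted so ${CHROOT} expands - any HAProxy-native ${VAR}
# or other '$' added to the config below must be escaped as \$ for the shell.
tmp_cfg=$(mktemp "${HAPROXY_CFG}.XXXXXX")
trap 'rm -f -- "$tmp_cfg"' EXIT
cat <<EOF > "$tmp_cfg"
global
    # # log to rsyslog udp
    # log 127.0.0.1 local0
    # # log to stdout/stderr (in effect, journald) for haproxy >= v1.9
    # # https://www.haproxy.com/blog/introduction-to-haproxy-logging
    # log stderr format short local0 debug
    # /dev/log is resolved inside the chroot - see the bind mount / rsyslog
    # socket set up by the installer
    log /dev/log local0
    maxconn 20000
    # drop privileges: 'user' alone only changes the uid, the process would
    # keep gid 0 without an explicit 'group'
    user haproxy
    group haproxy
    chroot ${CHROOT}
    pidfile /run/haproxy.pid
    # admin socket: created before the privilege drop, so it is root-owned and
    # mode 660 limits it to root; no 'level' is set, so HAProxy's default
    # (non-admin) level applies - add 'level admin' deliberately if needed.
    # Usage: socat - UNIX-CONNECT:/run/haproxy/admin.sock
    stats socket /run/haproxy/admin.sock mode 660
    daemon # Makes the process fork into background.
           # This option is ignored in systemd mode.

defaults
    log global
    maxconn 8000
    # close backend server connections,
    # but keep-alive client connections
    option http-server-close
    # don't try longer than 5s to connect to backend servers
    timeout connect 5s
    # wait 5s for the backend servers to respond,
    # for instance, until they send headers
    timeout server 5s
    # wait 5s for the client to respond
    timeout client 5s
    # timeout to use with websockets
    # overrides, server and client timeout
    timeout tunnel 2h
    # remove clients not acknowledging
    # a server-initiated close after 30s
    timeout client-fin 30s

frontend httpfront
    bind :80
    mode http
    option httplog
    # display host header in logs
    capture request header Host len 30

    # http acls
    acl is_nextcloud hdr(Host) -i nextcloud.com
    # ACME HTTP-01 challenges are the only thing that must stay on plain HTTP
    acl is_acme path_beg /.well-known/acme-challenge/

    # Challenges are proxied unencrypted (the ACME client is assumed to answer
    # on nextcloud.lan:80 - confirm this matches the renewal setup); every other
    # request for the Nextcloud host is redirected to HTTPS. Keeping the
    # challenge path open means the redirect never has to be switched off for
    # certificate renewal, which previously left the whole site on plain HTTP.
    use_backend nextcloud_http if is_nextcloud is_acme
    redirect scheme https code 301 if is_nextcloud !is_acme

# SSL passthrough,
# SNI-based virtual hosting
frontend httpsfront
    bind :443
    mode tcp
    option tcplog
    # time to wait for client hello,
    # maximum time for analysis by HAProxy in next line
    tcp-request inspect-delay 5s
    # analyze layer 7 protocol and accept if TLS
    tcp-request content accept if { req.ssl_hello_type 1 }
    # name-based virtual hosts
    use_backend nextcloud if { req.ssl_sni -i nextcloud.com }

    # default_backend noserv

backend nextcloud_http
    mode http
    # ACME challenges only, see httpfront
    server client nextcloud.lan:80
backend nextcloud
    mode tcp
    # TLS is passed through untouched: the Nextcloud host terminates it and,
    # since no PROXY protocol is used, sees this proxy's address as the client
    # source for its own per-IP controls and logs.
    server client nextcloud.lan:443
EOF

# validate, then atomically put the new config in place and apply it
haproxy -c -f "$tmp_cfg"
install -m 0644 -o root -g root -- "$tmp_cfg" "$HAPROXY_CFG"
# reload keeps existing connections; restart is the fallback when haproxy is
# not running yet
systemctl reload-or-restart haproxy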