Skip to content

Instantly share code, notes, and snippets.

@GABeech
Created August 21, 2014 18:35
Show Gist options
  • Save GABeech/eb88933bf49cd82ceab0 to your computer and use it in GitHub Desktop.
Save GABeech/eb88933bf49cd82ceab0 to your computer and use it in GitHub Desktop.
Stack Exchange HAProxy
# This is an example of the Stack Exchange Tier 1 HAProxy config
# The only things that have been changed from what we are running are:
# 1. User names have been removed
# 2. All Passwords have been remove
# 3. IPs have been changed to use the example/documentation ranges
# 4. Rate limit numbers have been changed to randome numbers, don't read into them
userlist stats-auth
group admin users $admin_user
user $admin_user insecure-password $some_password
group readonly users $some_user
user $some_user insecure-password $some_other_password
global
daemon
stats socket /var/run/haproxy-t1.stat level admin
maxconn 100000
pidfile /var/run/haproxy-t1.pid
log 127.0.0.1 local0
log 192.0.2.17 local0
tune.bufsize 16384
tune.maxrewrite 1024
spread-checks 4
log-send-hostname ny-lb05
defaults
errorfile 503 /etc/haproxy-shared/errors/503.http
errorfile 502 /etc/haproxy-shared/errors/502.http
mode http
timeout connect 15s
timeout client 60s
timeout server 150s
timeout queue 60s
timeout http-request 15s
timeout http-keep-alive 15s
option httplog
option redispatch
option dontlognull
balance source
backend be_api_1.1
mode http
balance roundrobin
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
reqirep ^([^\ ]*)\ /1.1/(.*) \1\ /\2
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_api
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_area51_stackexchange_com
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:area51.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_careers
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:careers.stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_internal_api
mode http
balance roundrobin
option http-server-close
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_meta_so
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:meta.stackoverflow.com
server ny-web10 203.0.113.110:80 check
server ny-web11 203.0.113.111:80 check
backend be_mobile
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:mobile.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_openid
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:openid.stackexchange.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_others
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:serverfault.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_so
mode http
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_so_crawler
mode http
balance roundrobin
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_sstatic
mode http
balance roundrobin
acl HTTP_OK status 200:399
rspidel ^Cache-Control:.* unless HTTP_OK
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:sstatic.net
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
backend be_stackauth
mode http
balance roundrobin
reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
stick-table type ip size 999k expire 1m store conn_rate(30s)
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
tcp-request content track-sc2 src
acl conn_rate_abuse sc2_conn_rate gt 10
acl mark_as_abuser sc1_inc_gpc0 gt 3
tcp-request content reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser
stats enable
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
stats uri /ilovestats
stats refresh 30s
option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackauth.com
server ny-web01 203.0.113.101:80 check
server ny-web02 203.0.113.102:80 check
server ny-web03 203.0.113.103:80 check
server ny-web04 203.0.113.104:80 check
server ny-web05 203.0.113.105:80 check
server ny-web06 203.0.113.106:80 check
server ny-web07 203.0.113.107:80 check
server ny-web08 203.0.113.108:80 check
server ny-web09 203.0.113.109:80 check
frontend fe_stackauth
bind 198.51.100.21:80 name stackauth
bind 198.51.100.145:80 name stackauth
log global
stick-table type ip size 999k expire 1m store conn_rate(30s)
capture request header Referer len 64
capture request header User-Agent len 128
capture request header Host len 64
capture request header X-Forwarded-For len 64
capture request header Accept-Encoding len 64
capture response header Content-Encoding len 64
capture response header X-Page-View len 1
capture response header X-Route-Name len 64
capture response header X-Account-Id len 7
capture response header X-Sql-Count len 4
capture response header X-Sql-Duration-Ms len 7
capture response header X-AspNet-Duration-Ms len 7
capture response header X-Application-Id len 5
capture response header X-Request-Guid len 36
capture response header X-Redis-Count len 4
capture response header X-Redis-Duration-Ms len 7
capture response header X-Http-Count len 4
capture response header X-Http-Duration-Ms len 7
capture response header X-TE-Count len 4
capture response header X-TE-Duration-Ms len 7
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
maxconn 40000
option http-server-close
option forwardfor
option httplog
acl source_is_serious_abuse src_conn_rate(fe_stackauth) gt 20
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
acl is_crawler src -f /etc/haproxy-shared/crawlers
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
acl source_is_abuser src_get_gpc0(fe_stackauth) gt 0
tcp-request connection track-sc1 src if !source_is_abuser
default_backend be_stackauth
frontend http-in
bind 198.51.100.16:80 name stackexchange
bind 198.51.100.17:80 name careers
bind 198.51.100.30:80 name careers.sstatic.net
bind 198.51.100.18:80 name openid
bind 198.51.100.24:80 name misc
bind 198.51.100.140:80 name stackexchange
bind 198.51.100.141:80 name careers
bind 198.51.100.154:80 name careers.sstatic.net
bind 198.51.100.142:80 name openid
bind 198.51.100.148:80 name misc
log global
stick-table type ip size 999k expire 1m store conn_rate(30s)
capture request header Referer len 64
capture request header User-Agent len 128
capture request header Host len 64
capture request header X-Forwarded-For len 64
capture request header Accept-Encoding len 64
capture response header Content-Encoding len 64
capture response header X-Page-View len 1
capture response header X-Route-Name len 64
capture response header X-Account-Id len 7
capture response header X-Sql-Count len 4
capture response header X-Sql-Duration-Ms len 7
capture response header X-AspNet-Duration-Ms len 7
capture response header X-Application-Id len 5
capture response header X-Request-Guid len 36
capture response header X-Redis-Count len 4
capture response header X-Redis-Duration-Ms len 7
capture response header X-Http-Count len 4
capture response header X-Http-Duration-Ms len 7
capture response header X-TE-Count len 4
capture response header X-TE-Duration-Ms len 7
rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):
maxconn 40000
option http-server-close
option forwardfor
option httplog
acl source_is_serious_abuse src_conn_rate(http-in) gt 1000
acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist
acl is_crawler src -f /etc/haproxy-shared/crawlers
acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
acl source_is_abuser src_get_gpc0(http-in) gt 2
acl is_feeds path_beg /feeds/
acl is_internal_api path_beg /api/
acl is_careers hdr_beg(host) -i careers. jobs.
acl is_so hdr_end(host) -i stackoverflow.com
acl is_sstatic hdr_end(host) -i sstatic.net
acl is_stackauth hdr_end(host) -i stackauth.com
acl is_se hdr_end(host) -i stackexchange.com
acl is_area51 hdr(host) -i area51.stackexchange.com
acl is_mobile hdr(host) -i mobile.stackexchange.com
acl is_stackexchange_com hdr(host) -i stackexchange.com
acl is_meta_so hdr_end(host) -i meta.stackoverflow.com
acl is_dev_meta_webapps hdr_end(host) -i meta.dev.webapps.stackexchange.com
acl is_dev_fb hdr_end(host) -i fb.dev.stackoverflow.com
acl is_api_2 hdr(host) -i api.stackexchange.com
acl is_api hdr_sub(host) -i api
acl is_api_1.0 path_beg /1.0/
acl is_api_1.1 path_beg /1.1/
acl is_api_root path /
acl is_api_static path_beg -i /admin /content /crossdomain.xml /clientaccesspolicy.xml /robots.txt
acl is_dev hdr_beg(host) -i dev.
acl is_dev_discuss hdr_end(host) -i discuss.dev.area51.stackexchange.com
acl is_openid hdr_beg(host) -i openid.stackexchange.com
acl is_80 dst_port 80
acl is_ssl hdr_beg(X-SSL) -i yes
acl is_chat_yodeya hdr(host) -i chat.yodeya.com chat.miyodeya.com
acl is_bam_yodeya hdr(host) -i bam.yodeya.com bam.miyodeya.com
acl is_launchparty_yodeya hdr(host) -i launchparty.yodeya.com launchparty.miyodeya.com
acl is_me_yodeya hdr(host) -i me.yodeya.com me.miyodeya.com
acl is_kindle hdr_sub(user-agent) Silk-Accelerated
acl is_akamai hdr(host) -i sstatic-a.akamaihd.net
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_chat_yodeya
redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_bam_yodeya
redirect prefix http://meta.judaism.stackexchange.com/questions/1134 code 301 if is_launchparty_yodeya
redirect prefix http://judaism.stackexchange.com code 301 if is_me_yodeya
redirect prefix https://openid.stackexchange.com code 301 if is_80 is_openid !is_ssl
tcp-request connection track-sc1 src if !source_is_abuser
use_backend be_internal_api if is_internal_api !is_careers
use_backend be_api_1.1 if is_api is_api_1.0
use_backend be_api_1.1 if is_api is_api_1.1
use_backend be_api if is_api_2
use_backend be_api_1.1 if is_api is_api_static
use_backend be_api_1.1 if is_api is_api_root
use_backend be_bad_api if is_api
use_backend be_sstatic if is_sstatic
use_backend be_sstatic if is_akamai
use_backend be_mobile if is_mobile
use_backend be_area51_stackexchange_com if is_area51
use_backend be_area51_stackexchange_com if is_stackexchange_com
use_backend be_meta_so if is_meta_so
use_backend be_careers if is_careers
use_backend be_so_crawler if is_so is_crawler
use_backend be_so_crawler if is_so is_crawler_ua
use_backend be_so if is_so
use_backend be_stackauth if is_stackauth
use_backend be_openid if is_openid
default_backend be_others
backend be_api_only
mode http
errorfile 503 /etc/haproxy-shared/errors/503apionly.http
backend be_bad_api
mode http
errorfile 403 /etc/haproxy-shared/errors/403.http
backend be_go-away
mode http
errorfile 503 /etc/haproxy-shared/errors/503rate.http
backend be_no_ssl
mode http
errorfile 503 /etc/haproxy-shared/errors/503nossl.http
listen t1_internal_stats
bind 203.0.113.15:7001
mode http
balance roundrobin
stats enable
stats uri /ilovestats
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
Copy link

ghost commented Dec 20, 2014

nice, thanks for the beautiful configuration :3

@zigmo
Copy link

zigmo commented Mar 27, 2015

thanks!

@wputra
Copy link

wputra commented May 23, 2015

awesome

@robbat2
Copy link

robbat2 commented Jun 26, 2015

backend be_go-away
backend be_no_ssl
Seem to be unused; did you previously do something interesting with be_no_ssl?

@akae
Copy link

akae commented Jul 14, 2015

I feel curious about the fact you are not using nbproc, which kind of CPU is running this haproxy?
Thanks for sharing this configuration, it's highly illustrative.

@mwpastore
Copy link

Are you no longer using the source port exhaustion workaround discussed here[1]?

  1. http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment