The resolvers section was inserted inside the global section, causing HAProxy to parse global directives (pidfile, maxconn, etc.) as resolver keywords. Moved resolvers to its own top-level section between global and defaults where HAProxy expects it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# SSL and Performance
tune.ssl.default-dh-param 2048
# HTTP/2 protection against Rapid Reset (CVE-2023-44487) and stream abuse
tune.h2.fe.max-total-streams 2000
tune.h2.fe.glitches-threshold 50
# Stats persistence for zero-downtime reloads
stats-file /var/lib/haproxy/stats.dat
#---------------------------------------------------------------------
# DNS resolver for Docker container name resolution
# Re-resolves backend server addresses so container IP changes
# (from restarts, recreations, scaling) are picked up automatically
#---------------------------------------------------------------------
resolvers docker_dns
nameserver dns1 127.0.0.11:53
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold valid 10s
hold other 10s
hold refused 10s
hold nx 10s
hold timeout 10s
hold obsolete 10s
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor #except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 30s
timeout queue 2m
timeout connect 10s
timeout client 5m
timeout server 10m
timeout http-keep-alive 30s
timeout check 10s
timeout tarpit 10s # Tarpit delay for low-level scanners (before silent-drop)
maxconn 3000
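Review bot: `option forwardfor` in the defaults section (with its `except` clause left commented out) appends the connecting address to any X-Forwarded-For header the client already sent rather than replacing it, so a backend that reads the first value of that header can be handed an attacker-chosen source address. If the backends use X-Forwarded-For for logging, rate limiting or allow-lists, the frontends should overwrite the header with the observed peer address instead, e.g. `http-request set-header X-Forwarded-For %[src]`. The frontends are not part of this file, so that rule may already exist elsewhere; worth confirming rather than assuming. A one-line comment on the `option forwardfor` line stating whether the header is trusted from clients would make the intent clear to the next reader.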