Skip to content

haproxy job from haproxy/8.1.2

The HAProxy server can be used to terminate SSL in front of the Routers. Each HAProxy instance should point to multiple Routers.

Github source: 62700747 or master branch

Properties

ha_proxy

accept_proxy

Allow accept proxy

Default
false

backend_ca_file

Optional SSL CA certificate chain (PEM file) concatenated together for backend SSL servers, only used when one of the backend_ssl options is set to verify

backend_port

Listening port for Router

Default
80

backend_servers

Array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default
[]

backend_ssl

Optionally enable SSL verification for backend servers, one of verify, noverify, any other value assumes no ssl backend. Setting verify requires ha_proxy.backend_ca_file key to be set.

Default
"off"

backend_ssl_verifyhost

Optional hostname to verify in the x509 certificate subject for SSL-enabled backend servers. Requires ha_proxy.backend_ssl is set to verify when using this.

client_timeout

Timeout waiting for data from a client (in seconds)

Default
30

compress_types

If this property is set, gzip compression will be activated for the mime types named in this property. definition like ‘text/html text/plain text/css’

Default
""

connect_timeout

Timeout waiting for connections to establish to a server (in seconds)

Default
5

default_dh_param

Maximum size of DH params when generating epmehmeral keys during key exchange

Default
2048

disable_http

Disable port 80 traffic

Default
false

disable_tls_10

Disable TLS 1.0 in HA Proxy

Default
false

disable_tls_11

Disable TLS 1.1 in HA Proxy

Default
false

disable_tls_tickets

Improve (Perfect) Forward Secrecy by disabling TLS tickets

Default
true

dns_hold

DNS Hold time

Default
10s

enable_4443

Enables port 4443 for backwards compatibility with WSS-based apps using the old CF haproxy

Default
false

headers

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example
|+
  headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

hsts_enable

Enables HSTS(Strict-Transport-Security Header) for all the SSL/TLS listeners

Default
false

hsts_include_subdomains

This enables the includeSubDomains flag for HSTS.

Default
false

hsts_max_age

max-age value for the Strict-Transport-Security header

Default
3.1536e+07

hsts_preload

This enables the preload flag for HSTS

Default
false

https_redirect_all

If this is set to ‘true’, a https redirect rule for all http calls will be put in the config file

Default
false

https_redirect_domains

For each domain in this array, a HTTPS redirect rule will be put in the config file. Redirect will be applied for all subdomains

Default
[]

internal_only_domains

Array of domains for internal-only apps/services (not hostnames for the apps/services)

Default
[]

keepalive_timeout

Timeout waiting for new HTTP requests under http keep-alive mode (in seconds)

Default
1

log_level

Log level

Default
info

queue_timeout

Timeout for requests queued waiting for free connection slots (in seconds)

Default
30

request_timeout

Maximum HTTP request length (in seconds)

Default
30

resolvers

List of DNS servers

Example
resolvers:
  private: 10.0.0.2
  public: 8.8.8.8

routed_backend_servers

Hash of the URL prefixes -> array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default
{}
Example
routed_backend_servers:
  /images:
    backend_ssl: verify
    backend_verifyhost: example.com
    port: 4443
    servers:
    - 10.0.0.2
    - 10.0.0.3

rsp_headers

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example
|+
  rsp_headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

server_timeout

Timeout waiting for data from a server (in seconds)

Default
30

ssl_ciphers

List of SSL Ciphers that are passed to HAProxy

Default
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

ssl_pem

SSL certificate (PEM file), or an array of SSL certificates (PEM files)

stats_bind

Define one or several listening addresses and/or ports in a frontend.

Default
'*:9000'

stats_enable

If true, haproxy will enable a socket for stats. You can see the stats on haproxy_ip:9000/haproxy_stats

Default
false

stats_password

Password to authenticate haproxy stats

stats_uri

URI used to access the stats UI.

Default
haproxy_stats

stats_user

User name to authenticate haproxy stats

syslog_server

An IPv4 address optionally followed by a colon and a UDP port. It can also be an IPv6 address or filesystem path to a UNIX domain socket.

Default
127.0.0.1

tcp

List of mappings to perform tcp-based proxying on. See example for mapping datastructure and keys

Default
[]
Example
tcp:
- backend_port: 80
  backend_servers:
  - 10.20.10.10
  - 10.20.10.11
  backend_ssl: verify
  backend_verifyhost: example.com
  name: wss
  port: 4443
  ssl: true

Port haproxy should listen on when using the tcp_backend link

trusted_domain_cidrs

Space separated trusted cidr blocks for internal_only_domains

Default
0.0.0.0/32

trusted_stats_cidrs

Trusted ip range that can access the stats UI

Default
0.0.0.0/32

websocket_timeout

Timeout for websocket/tunnel traffic (in seconds)

Default
3600

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/haproxy/ directory (learn more).

  • bin/haproxy_ctl (from haproxy_ctl)
  • bin/monit_debugger (from monit_debugger)
  • config/backend-ca-certs.pem (from backend-ca-certs.erb)
  • config/certs.ttar (from certs.ttar.erb)
  • config/haproxy.config (from haproxy.config.erb)
  • config/ssl_redirect.map (from ssl_redirect.map.erb)
  • data/properties.sh (from properties.sh.erb)
  • helpers/ctl_setup.sh (from helpers/ctl_setup.sh)
  • helpers/ctl_utils.sh (from helpers/ctl_utils.sh)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.