Skip to content

haproxy job from haproxy/11.16.0

The HAProxy server can be used to terminate SSL in front of the Routers. Each HAProxy instance should point to multiple Routers.

Github source: 1f755bf or master branch

Properties

ha_proxy

accept_proxy

Turned off by default. Enforces the use of the PROXY protocol for all incoming connections to all frontends. When enabled standard tcp connections to these port no longer work.

Default
false

additional_unrestricted_volumes

Map of Additional Unrestricted volumes to added so HA Proxy to give the ability to load external volumes under BPM. These will need to be provided in a Map based on bpm unrestricted volume spec

always_allow_body_http10

Always allow a body to be sent when using HTTP/1.0. By default HAProxy denies GET/HEAD/DELETE requests with a body when using HTTP/1.0 due to potential request smuggling attacks. See https://github.com/haproxy/haproxy/commit/e136bd12a32970bc90d862d5fe09ea1952b62974

Default
false

backend_ca_file

Optional SSL CA certificate chain (PEM file) concatenated together for backend SSL servers, only used when one of the backend_ssl options is set to verify

backend_config

A block of raw HAProxy config that will be added to the default HTTP + routed HTTP backend definitions

backend_crt

Provides client certificate to backend server to do mutual ssl. Note this only configures the client cert for HTTP backends configured via the backend_servers property or through BOSH links. It is not used with backend servers configured via routed_backend_servers or TCP backends

Example
|+
  -----BEGIN CERTIFICATE-----
  ******
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  ******
  -----END PRIVATE KEY-----

backend_health_fall

Number of consecutive unsuccessful health checks required before the server is considered unhealthy from a healthy state. The default value of 3 matches the default if the parameter is undefined. This parameter will be ignored if ha_proxy.backend_use_http_health is false.

Default
3

backend_health_rise

Number of consecutive successful health checks required before the server is considered healthy from an unhealthy state. The default value of 2 matches the default if the parameter is undefined. This parameter will be ignored if ha_proxy.backend_use_http_health is false.

Default
2

backend_http_health_port

Port to check the backend health on

Default
8080

backend_http_health_uri

URI to request when checking the health of a backend

Default
/health

backend_match_http_protocol

Uses the same version of HTTP for backend connections that was used for frontend connections (ie HTTP 1.1 or HTTP 2). Ignores the value of enable_http2. HTTP2 backend connections require that ha_proxy.backend_ssl is not off.

Default
false

backend_port

Listening port for Router

Default
80

backend_prefer_local_az

Prefer backend servers which are located on the same availability zone. Note that this only affects servers provided via the http_backend link property. Servers provided via the tcp backend_link will automatically prefer the local AZ.

Default
false

backend_servers

Array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default
[]

backend_ssl

Optionally enable SSL verification for backend servers, one of verify, noverify, any other value assumes no ssl backend. Setting verify requires ha_proxy.backend_ca_file key to be set. Note that off will disable all backend HTTP2 support regardless of other properties.

Default
"off"

backend_ssl_verifyhost

Optional hostname to verify in the x509 certificate subject for SSL-enabled backend servers. Requires ha_proxy.backend_ssl is set to verify when using this.

backend_use_http_health

Enables HTTP based health checks for the default backend

Default
false

binding_ip

If there are multiple ethernet interfaces, specify which one to bind. Set to :: to bind to all IPv6 interfaces (no IPv4). IPv6 must be enabled on the HAProxy VM in the deployment manifest.

Default
""

block_all

Optionally block all incoming traffic to http(s). Use in conjunction with whitelist.

Default
false

buffer_size_bytes

Buffer size to use for requests, any requests larger than this (large cookies or query strings) will result in a gateway error

Default
16384

cidr_blacklist

List of CIDRs to block for http(s). Format is string array of CIDRs or single string of base64 encoded gzip.

Example
cidr_blacklist:
- 10.0.0.0/8
- 192.168.2.0/24

cidr_whitelist

List of CIDRs to allow for http(s). Format is string array of CIDRs or single string of base64 encoded gzip. Note that unless ha_proxy.block_all is true, non-whitelisted traffic will still be allowed, provided that traffic is not also blacklisted

Example
cidr_whitelist:
- 172.168.4.1/32
- 10.2.0.0/16

cidrs_in_file

List of cidrs that will be placed in /var/vcap/jobs/haproxy/config/cidrs/. Useful for acl’s that reference a long list of cidrs (invoke the file with -f /var/vcap/jobs/haproxy/config/cidrs/).

Example
cidrs_in_file:
- cidrs:
  - 5.22.1.3
  - 5.22.12.3
  name: sample_cidrs

client_ca_file

path for CA certs to validate client certificate

Example
|+
  -----BEGIN CERTIFICATE-----
  ******
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  ******
  -----END PRIVATE KEY-----

client_cert

Enable haproxy mutual auth

Default
false

client_cert_ignore_err

Error code(s) to ignore from verifying a client cert during a mutual ssl handshake, in a pipe-separated list. For example, 2 is if it cannot get the issuer certificate, 10 if the certificate has expired and 18 if the certificate is self-signed. The keyword ‘all’ will ignore all possible errors. Note that the errors will be ignored on both the certificate and the CA verification. See the openssl verify documentation [https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get_error.html] for a full list of all error codes and their meanings. See https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in#L206 for a mapping of error codes to symbols.

Example
2|10|18

client_revocation_list

provide a list of revocation certs

client_timeout

Timeout (in floating point seconds) used on connections from a client to haproxy that have gone inactive

Default
30

compress_types

If this property is set, gzip compression will be activated for the mime types named in this property. definition like ‘text/html text/plain text/css’

Default
""

connect_timeout

Timeout (in floating point seconds) used on connections from haproxy to a backend, while waiting for the TCP handshake to complete + connection to establish

Default
5

connections_rate_limit

block

Whether or not to block connections. See docs/rate_limiting.md

Default
false
connections

How many connections are allowed in the given time window from one IP address. See docs/rate_limiting.md

table_size

Size of the stick table in which the IPs and counters are stored. See docs/rate_limiting.md

window_size

Window size for counting connections. See docs/rate_limiting.md

crt_list

Array of private keys and certificates used for TLS handshakes with downstream clients. Each element in the array is an object containing at least the field ‘ssl_pem’. The field ‘ssl_pem’ itself is either an object containing fields ‘cert_chain’ and ‘private_key’, or a single string containing the cert chain and the private key. The following fields are optional: - ‘alpn’ (a optional array of strings). If both HTTP/2 and HTTP/1.1 are expected to be supported, both versions can be advertised, in order of preference - ‘client_ca_file’ (replaces ha_proxy.client_ca_file) - ‘verify’ (allowed values: [none|optional|required]) - ‘ssl_ciphers’ (overrides ha_proxy.ssl_ciphers) - ‘ssl_ciphersuites’ (overrides ha_proxy.ssl_ciphersuites) - ‘ssl_min_version’ (allowed values: [SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3]) - ‘ssl_max_version’ (allowed values: [SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3]) - ‘client_revocation_list’ (replaces ha_proxy.client_revocation_list) - ‘snifilter’ (either a string or an array of strings) The global option ha_proxy.client_cert has to be set to ‘true’, if there are crt_list entries with mutual auth configuration (‘client_ca_file’, ‘client_revocation_list’ and ‘verify’!=‘none’) To avoid confusing configurations, it’s not allowed to specify ‘client_ca_file’ and ‘client_revocation_list’ both globally AND in crt_list entries.

Example
crt_list:
- ssl_pem: |+
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
- alpn:
  - h2
  - http/1.1
  client_ca_file: |+
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  client_revocation_list: |+
    -----BEGIN X509 CRL-----
    -----END X509 CRL-----
    -----BEGIN X509 CRL-----
    -----END X509 CRL-----
  snifilter:
  - '*.domain.tld'
  - '!secure.domain.tld'
  ssl_ciphers: AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
  ssl_ciphersuites: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl_max_version: TLSv1.3
  ssl_min_version: TLSv1.2
  ssl_pem:
    cert_chain: |+
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    private_key: |+
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
  verify: required

custom_http_error_files

A map of status codes to errorfile contents

Default
  "503": |+
    HTTP/1.1 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
  
    <html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>

default_config

A block of raw HAProxy config that will be added to the HA proxy default section

default_dh_param

Maximum size of DH params when generating epmehmeral keys during key exchange

Default
2048

disable_backend_http2_websockets

Forward websockets to the backend servers using HTTP/1.1, never HTTP/2. Does not apply to custom routed_backend_servers. Works around https://github.com/cloudfoundry/routing-release/issues/230. Overrides backend_match_http_protocol for websockets.

Default
false

disable_domain_fronting

Must be one of true, false, or “mtls_only” If set to true, it will prevent clients from setting a host header different from the SNI value for HTTPS and WSS (secured websockets) connections. This is called domain fronting and is mostly used by CDNs. If domain fronting is disabled, such requests will result in a 421 Misdirected Request error. If set to “mtls_only”, the host header will only be checked against the SNI for mtls connections Example curl -H “Host: bob.com” https://alice.com <– This will result in a 421 Misdirected Request

Default
false

disable_http

Disable port 80 traffic

Default
false

disable_monit_health_check_http

The HAProxy health check endpoint returns a healthy status if at least one backend server is responding. By default when enable_health_check_http: true, Bosh will consider the HAProxy VM unhealthy if the HAProxy health check returns an unhealthy status. In some cases this might not be desired, for example when deploying HAProxy before deploying the backend servers. To prevent Bosh from considering the HAProxy VM unhealthy when all backend servers are unhealthy set disable_monit_health_check_http: true. Note that this flag is ignored unless enable_health_check_http: true.

Default
false

disable_tcp_accept_proxy

Disables the PROXY protocol on tcp backends. Only applies if ha_proxy.accept_proxy is enabled.

Default
false

disable_tls_10

Disable TLS 1.0 in HA Proxy

Default
false

disable_tls_11

Disable TLS 1.1 in HA Proxy

Default
false

disable_tls_12

Disable TLS 1.2 in HA Proxy

Default
false

disable_tls_13

Disable TLS 1.3 in HA Proxy

Default
false

disable_tls_tickets

Improve (Perfect) Forward Secrecy by disabling TLS tickets

Default
true

dns_hold

DNS Hold time

Default
10s

drain_enable

Send SIGUSR1 signal to all haproxy processes in a drain script in order to gracefully shutdown

Default
false

drain_frontend_grace_time

Time in seconds after health checks have been shut down until SIGUSR1 signal is sent to make the frontends stop accepting connections

Default
0

drain_timeout

Time in seconds after SIGUSR1 signal is sent in the drain script until monit stops the processes

Default
30

enable_4443

Enables port 4443 for backwards compatibility with WSS-based apps using the old CF haproxy. If true you must provide a valid SSL config via ssl_pem or crt_list

Default
false

enable_health_check_http

Optionally enable http health-check on haproxy_ip:8080/health. It shows 200 OK if >0 backend servers are up. If used with ext_crt_list_timeout you should make sure that the deployment canary_watch_time and update_watch_time are configured to wait at least the number of seconds defined by ext_crt_list_timeout.

Default
false

enable_http2

Enables ingress (frontend) and egress (backend) HTTP/2 ALPN negotiation. Egress (backend) HTTP protocol version may be overridden by ha_proxy.backend_ssl, ha_proxy.disable_backend_http2_websockets and ha_proxy.backend_match_http_protocol.

Default
false

ext_crt_list

A flag denoting the use of additional certificates from external sources. If set to true the contents of an external crt-list file located at ha_proxy.ext_crt_list_file are added to the crt-list described by the ha_proxy.crt_list property. Please be aware that reloading external certificates does only work if haproxy is started in daemon mode. So this feature does not work if “haproxy.syslog_server” is set to “stdout”. If using this feature but not using internal certs, you should set ha_proxy.crt_list to be an empty array

Default
false

ext_crt_list_file

The location from which to load additional external certificates list

Default
/var/vcap/jobs/haproxy/config/ssl/ext/crt-list

ext_crt_list_policy

What to do if the external certificates list located at ha_proxy.ext_crt_list_file does not appear within the time denoted by ha_proxy.ext_crt_list_timeout. Set to either ‘fail’ (HAproxy will not start) or ‘continue’ (HAproxy will start without external certificates)

Default
fail

ext_crt_list_timeout

Timeout (in seconds) to wait for the external certificates list located at ha_proxy.ext_crt_list_file to appear during HAproxy startup

Default
60

forwarded_client_cert

This option lets you decide how to handle the X-Forwarded-Client-Cert (XFCC) http header on any https frontend. On http frontends the always_forward_only option is active by default and can’t be changed. On https frontends your options are:

  • always_forward_only: Least secure option. Always forward the X-Forwarded-Client-Cert header in the request, regardless of whether the client connection is mTLS. The following headers will also be forwarded if they are present in the original request: X-SSL-Client, X-SSL-Client-Session-ID, X-SSL-Client-Verify, X-SSL-Client-Subject-DN, X-SSL-Client-Subject-CN, X-SSL-Client-Issuer-DN, X-SSL-Client-NotBefore, X-SSL-Client-NotAfter. Use this value when your load balancer is forwarding the client certificate and requests are not forwarded to HAProxy over mTLS. In the case where the connection between load balancer and HAProxy is mTLS, the client certificate received by HAProxy in the mTLS handshake will not be forwarded.

  • forward_only: Secure version of always_forward_only. Forward the X-Forwarded-Client-Cert header received from the client only when the client connection is mTLS. The following headers will also be forwarded for mTLS connections if they are present in the original request: X-SSL-Client, X-SSL-Client-Session-ID, X-SSL-Client-Verify, X-SSL-Client-Subject-DN, X-SSL-Client-Subject-CN, X-SSL-Client-Issuer-DN, X-SSL-Client-NotBefore, X-SSL-Client-NotAfter. If the client connection does not use mTLS, these X-Forwarded-Client-Cert and X-SSL-Client-* headers will be removed if they are present. In the case where the connection between load balancer and HAProxy is mTLS, the client certificate received by HAProxy in the mTLS handshake will not be forwarded.

  • sanitize_set: Most secure option. Strip any instances of XFCC headers from the client request.

    When the client connection is mTLS, the following headers will be overwritten in the request

    • X-Forwarded-Client-Cert: Contains the client certificate in binary DER format (Base64 encoded). Backends should use this header to authenticate incoming requests.

    • X-SSL-Client: Contains the number 1 if the request was made using a client certificate, 0 otherwise. For easy checks on the backend.

    • X-SSL-Client-Session-ID: The SSL session ID of the client connection. Useful for debugging purposes.

    • X-SSL-Client-Verify: Contains the number 0 if the client certificate verification was successful. Otherwise it contains the appropriate OpenSSL return code (see https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in#L206)

    • X-SSL-Client-Subject-DN: Contains the base64-encoded subject distinguished name of the client certificate

    • X-SSL-Client-Subject-CN: Contains the base64-encoded subject common name of the client certificate

    • X-SSL-Client-Issuer-DN: Contains the base64-encoded issuer distinguished name of the client certificate

    • X-SSL-Client-NotBefore: Contains the start date of the client certificate in YYMMDDhhmmss[Z] format.

    • X-SSL-Client-NotAfter: Contains the expiration date of the client certificate in YYMMDDhhmmss[Z] format.

  • forward_only_if_route_service: This option is useful to support Mutual TLS with CF Route Services. When the client connection is not mTLS, the X-Forwarded-Client-Cert and X-SSL-Client-* headers will be removed UNLESS there is an X-Cf-Proxy-Signature header. When the client connection is mTLS, the following headers will be overwritten in the request

    • X-Forwarded-Client-Cert: Contains the client certificate in binary DER format (Base64 encoded). Backends should use this header to authenticate incoming requests.

    • X-SSL-Client: Contains the number 1 if the request was made using a client certificate, 0 otherwise. For easy checks on the backend.

    • X-SSL-Client-Session-ID: The SSL session ID of the client connection. Useful for debugging purposes.

    • X-SSL-Client-Verify: Contains the number 0 if the client certificate verification was successful. Otherwise it contains the appropriate OpenSSL return code (see https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in#L206)

    • X-SSL-Client-Subject-DN: Contains the base64-encoded subject distinguished name of the client certificate

    • X-SSL-Client-Subject-CN: Contains the base64-encoded subject common name of the client certificate

    • X-SSL-Client-Issuer-DN: Contains the base64-encoded issuer distinguished name of the client certificate

    • X-SSL-Client-NotBefore: Contains the start date of the client certificate in YYMMDDhhmmss[Z] format.

    • X-SSL-Client-NotAfter: Contains the expiration date of the client certificate in YYMMDDhhmmss[Z] format.

    This option is only secure if Gorouter is deployed behind Haproxy to validate that X-Cf-Proxy-Signature is coming from a route service.

Default
sanitize_set

frontend_config

A block of raw HAProxy config that will be added to each HA proxy frontend definition

global_config

A block of raw HAProxy config that will be added to the HA proxy global section

headers

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example
|+
  headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

health_check_port

port for http health-check

Default
8080

hsts_enable

Enables HSTS(Strict-Transport-Security Header) for all the SSL/TLS listeners

Default
false

hsts_include_subdomains

This enables the includeSubDomains flag for HSTS.

Default
false

hsts_max_age

max-age value for the Strict-Transport-Security header

Default
3.1536e+07

hsts_preload

This enables the preload flag for HSTS

Default
false

http_request_deny_conditions

List of conditions to block http requests. Each condition consists of multiple rules combined with the AND operator. Setting the negate flag to true will negate the acl condition.

Example
http_request_deny_conditions:
- condition:
  - acl_name: block_host
    acl_rule: hdr_beg(host) -i login
  - acl_name: block_reset_password_url
    acl_rule: path_beg,url_dec -m beg -i /reset_password
  - acl_name: whitelist_ips
    acl_rule: src 5.22.5.11 5.22.5.12
    negate: true

https_redirect_all

If this is set to ‘true’, a https redirect rule for all http calls will be put in the config file

Default
false

https_redirect_domains

For each domain in this array, a HTTPS redirect rule will be put in the config file. Redirect will be applied for all subdomains

Default
[]

internal_only_domains

Array of domains for internal-only apps/services (not hostnames for the apps/services)

Default
[]

keepalive_timeout

Timeout (in floating point seconds) applied to any connection that is in an http-keepalive state, waiting for the next request to occur

Default
6

legacy_xfcc_header_mapping

Default
false

log_format

The log format used when generating syslog messages.

Default
raw

log_level

Log level

Default
info

log_max_length

Optional maximum line length. Log lines larger than this value will be truncated before being sent.

Default
1024

lua_scripts

A list of LUA scripts that HA Proxy should load. These will need to be provided by other boshreleases, as none are supplied in haproxy_boshrelease. Specify each script with the full path to the script (likely /var/vcap/packages/something/something/darkside.lua)

Inside these scripts, any variable set is visible from any thread. This is the easiest and recommended way to load Lua programs but it will not scale well if a lot of Lua calls are performed, as only one thread may be running on the global state at a time. A program loaded this way will always see 0 in the “core.thread” variable. This directive can be used multiple times.

Default
[]

lua_scripts_per_thread

A list of LUA scripts that HA Proxy should load per thread. These will need to be provided by other boshreleases, as none are supplied in haproxy_boshrelease. Specify each script with the full path to the script (likely /var/vcap/packages/something/something/darkside.lua).

Inside these scripts, any global variable has a thread-local visibility so that each thread could see a different value. As such it is strongly recommended not to use global variables in programs loaded this way. An independent copy is loaded and initialized for each thread, everything is done sequentially and in the thread’s numeric order from 1 to nbthread. If some operations need to be performed only once, the program should check the “core.thread” variable to figure what thread is being initialized. Programs loaded this way will run concurrently on all threads and will be highly scalable. This is the recommended way to load simple functions that register sample-fetches, converters, actions or services once it is certain the program doesn’t depend on global variables. For the sake of simplicity, the directive is available even if only one thread is used and even if threads are disabled (in which case it will be equivalent to lua_scripts).

Default
[]

master_cli_bind

IP and port or UNIX socket to bind master CLI to

Default
127.0.0.1:9001

master_cli_enable

If true, enables the master CLI which can be used to manage HAProxy

Default
false

max_connections

Number of simultaneous connections HAProxy supports handling

Default
64000

max_open_files

The number of file descriptors HAProxy can have open at one time

Default
256000

max_rewrite

Buffer size to use for header rewriting or appending. The default of haproxy is min(1024,buffer_size_bytes/2). Will be set to buffer_size_bytes/2 by haproxy if it is set to a larger value

nbthread

Optional number of threads per VM

Default
1

queue_timeout

Timeout (in floating point seconds) used on any connection sitting in the pending queue, waiting to be sent to the backend, to limit its time being queued

Default
30

raw_config

A multiline text blob of an entire haproxy config. Overrides every other option available, so you can provide your own config, and do whatever you want. Use at your own risk.

reload_hard_stop_after

Defines the maximum time allowed to perform a clean soft-stop. This is used when issuing a reload via the “bin/reload” script. It limits the time for the old instance to finish existing connections before the instance is stopped.

Default
5m

reload_idle_close_on_response

This option makes HAproxy wait for another request on idle connections during reloads or restarts. Once the response is received, a “Connection: close” header is injected to signal to the client that this connection no longer usable and permitting a more graceful handling on the client’s side. This has the downside that HAproxy may linger around for longer, waiting for a request on idle connections, so it should be used in conjunction with the “reload_hard_stop_after” option to limit that time. If set to false, idle connections will be terminated immediately during reloads or restarts.

Default
true

reload_max_instances

Sets the maximum number of instances to exist at the same time. In conjunction with “reload_hard_stop_after” this limits the number of reloads that can occur during a given period of time. Set this to the number of instances your machine can fit into memory at a time, minus a safety buffer. Set to 0 for no limit.

Default
4

request_timeout

Timeout (in floating point seconds) applied to any connection to limit the maximum time for a complete HTTP request (headers only). Used to limit DoS attacks that send data slowly to not trigger the client/server timeouts

Default
5

requests_rate_limit

block

Whether or not to block requests. See docs/rate_limiting.md

Default
false
requests

How many requests are allowed in the given time window from one IP address. See docs/rate_limiting.md

table_size

Size of the stick table in which the IPs and counters are stored. See docs/rate_limiting.md

window_size

Window size for counting requests. See docs/rate_limiting.md

resolve_retries

Number of dns queries to send to resolve a server name before giving up

Default
3

resolve_retry_timeout

Timeouts related to resolver name resolution

Default
1s

resolvers

List of DNS servers

Example
resolvers:
- private: 10.0.0.2
- public: 8.8.8.8

routed_backend_servers

Hash of the URL prefixes -> array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default
{}
Example
routed_backend_servers:
  /images:
    additional_acls:
    - method GET
    backend_health_fall: 3
    backend_health_rise: 2
    backend_http_health_port: 80
    backend_http_health_uri: /health
    backend_ssl: verify
    backend_use_http_health: true
    backend_verifyhost: example.com
    port: 4443
    servers:
    - 10.0.0.2
    - 10.0.0.3

rsp_headers

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example
|+
  rsp_headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

server_timeout

Timeout (in floating point seconds) used on connections from haproxy to a backend, while waiting for data from the backend

Default
30

ssl_ciphers

List of TLSv<=1.2 Ciphers for that are passed to HAProxy

Default
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

ssl_ciphersuites

List of TLSv1.3 Ciphers that are passed to HAProxy, requires at least openssl version 1.1.1

Example
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

ssl_pem

Array of private keys and certificates used for TLS handshakes with downstream clients. Each element in the array is an object containing fields ‘cert_chain’ and ‘private_key’, each of which supports a PEM block. Each element can also be a single string containing the cert chain and the private key.

Example
ssl_pem:
- cert_chain: |+
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  private_key: |+
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
- |+
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----

stats_bind

Define listening address and port for the stats frontend. If multithreading is enabled (ha_proxy.threads > 1) multiple stat pages are available - one for each thread. You can see the stat page for each thread on a separate port - starting at the defined port number.

Default
'*:9000'

stats_enable

If true, haproxy will enable a socket for stats. You can see the stats on haproxy_ip:9000/haproxy_stats. If multithreading is enabled (ha_proxy.threads > 1) haproxy will create a separate socket and stat page for each thread. Each stat page is reachable on a different port ranging from 9000 to 9000 + ha_proxy.threads - 1.

Default
false

stats_password

Password to authenticate haproxy stats

stats_uri

URI used to access the stats UI.

Default
haproxy_stats

stats_user

User name to authenticate haproxy stats

strict_sni

Optional setting to decide whether the SSL/TLS negotiation is allowed only if the client provided an SNI which strict match a certificate. If set to true, the default certificate is not used

Default
false

syslog_server

An IPv4 address optionally followed by a colon and a UDP port. It can also be an IPv6 address or filesystem path to a UNIX domain socket.

Default
stdout

tcp

List of mappings to perform tcp-based proxying on. See example for mapping datastructure and keys

Default
[]
Example
tcp:
- backend_port: 80
  backend_servers:
  - 10.20.10.10
  - 10.20.10.11
  backend_servers_local:
  - 10.20.10.10
  backend_ssl: verify
  backend_verifyhost: example.com
  balance: roundrobin
  health_check_http: 4444
  name: wss
  port: 4443
  ssl: true

tcp_backend_config

A block of raw HAProxy config that will be added to the CF TCP Router + Generic TCP backend definitions

Optional port for tcp_backend health checks. Will use ha_proxy.tcp_link_port if not set.

Optional port for http health check when using the tcp_backend link.

Port haproxy should listen on when using the tcp_backend link

tcp_routing

port_range

A range of ports for haproxy to listen on to enable CF TCP Routing. Used only if ‘tcp_router’ link is present.

Default
1024-1123

trusted_domain_cidrs

Space separated trusted cidr blocks for internal_only_domains. You may alternatively provide a base64-encoded gzipped HAProxy cidr file, with each CIDR on a new line.

Default
0.0.0.0/32

trusted_stats_cidrs

Trusted ip range that can access the stats UI

Default
0.0.0.0/32

v4v6

Boolean, disabled by default. Enables binding to all IPv4 and IPv6 interfaces. Only applies if ha_proxy.binding_ip is set to ::.

Default
false

websocket_timeout

Timeout (in floating point seconds) used on websocket/tunnel traffic, when both ends of the conversation have become inactive

Default
3600

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/haproxy/ directory (learn more).

  • bin/drain (from drain.erb)
  • bin/haproxy_wrapper (from haproxy_wrapper.erb)
  • bin/pre-start (from pre-start.erb)
  • bin/reload (from reload.erb)
  • config/backend-ca-certs.pem (from backend-ca-certs.erb)
  • config/backend-crt.pem (from backend-crt.erb)
  • config/blacklist_cidrs.txt (from blacklist_cidrs.txt.erb)
  • config/bpm.yml (from bpm.yml)
  • config/certs.ttar (from certs.ttar.erb)
  • config/cidrs.ttar (from cidrs.ttar.erb)
  • config/client-ca-certs.pem (from client-ca-certs.erb)
  • config/client-revocation-list.pem (from client-revocation-list.erb)
  • config/haproxy.config (from haproxy.config.erb)
  • config/ssl_redirect.map (from ssl_redirect.map.erb)
  • config/trusted_domain_cidrs.txt (from trusted_domain_cidrs.txt.erb)
  • config/whitelist_cidrs.txt (from whitelist_cidrs.txt.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.