haproxy job from haproxy/8.1.1

The HAProxy server can be used to terminate SSL in front of the Routers. Each HAProxy instance should point to multiple Routers.

Github source: 1f1054c8 or master branch

Properties¶

ha_proxy¶

accept_proxy¶

Allow accept proxy

Default

false

backend_ca_file¶

Optional SSL CA certificate chain (PEM file) concatenated together for backend SSL servers, only used when one of the backend_ssl options is set to verify

backend_port¶

Listening port for Router

Default

80

backend_servers¶

Array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default

[]

backend_ssl¶

Optionally enable SSL verification for backend servers, one of verify, noverify, any other value assumes no ssl backend. Setting verify requires ha_proxy.backend_ca_file key to be set.

Default

"off"

backend_ssl_verifyhost¶

Optional hostname to verify in the x509 certificate subject for SSL-enabled backend servers. Requires ha_proxy.backend_ssl is set to verify when using this.

client_timeout¶

Timeout waiting for data from a client (in seconds)

Default

30

compress_types¶

If this property is set, gzip compression will be activated for the mime types named in this property. definition like ‘text/html text/plain text/css’

Default

""

connect_timeout¶

Timeout waiting for connections to establish to a server (in seconds)

Default

5

default_dh_param¶

Maximum size of DH params when generating epmehmeral keys during key exchange

Default

2048

disable_http¶

Disable port 80 traffic

Default

false

disable_tls_tickets¶

Improve (Perfect) Forward Secrecy by disabling TLS tickets

Default

true

dns_hold¶

DNS Hold time

Default

10s

enable_4443¶

Enables port 4443 for backwards compatibility with WSS-based apps using the old CF haproxy

Default

false

headers¶

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example

|+
  headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

hsts_enable¶

Enables HSTS(Strict-Transport-Security Header) for all the SSL/TLS listeners

Default

false

hsts_include_subdomains¶

This enables the includeSubDomains flag for HSTS.

Default

false

hsts_max_age¶

max-age value for the Strict-Transport-Security header

Default

3.1536e+07

hsts_preload¶

This enables the preload flag for HSTS

Default

false

https_redirect_all¶

If this is set to ‘true’, a https redirect rule for all http calls will be put in the config file

Default

false

https_redirect_domains¶

For each domain in this array, a HTTPS redirect rule will be put in the config file. Redirect will be applied for all subdomains

Default

[]

internal_only_domains¶

Array of domains for internal-only apps/services (not hostnames for the apps/services)

Default

[]

keepalive_timeout¶

Timeout waiting for new HTTP requests under http keep-alive mode (in seconds)

Default

1

log_level¶

Log level

Default

info

queue_timeout¶

Timeout for requests queued waiting for free connection slots (in seconds)

Default

30

request_timeout¶

Maximum HTTP request length (in seconds)

Default

30

resolvers¶

List of DNS servers

Example

resolvers:
  private: 10.0.0.2
  public: 8.8.8.8

routed_backend_servers¶

Hash of the URL prefixes -> array of the router IPs acting as the HTTP/TCP backends (should include servers all Availability Zones being used)

Default

{}

Example

routed_backend_servers:
  /images:
    backend_ssl: verify
    backend_verifyhost: example.com
    port: 4443
    servers:
    - 10.0.0.2
    - 10.0.0.3

rsp_headers¶

Hash of custom headers you wish you have set on each request. Spaces are automatically escaped, but any other haproxy delimiters will need to be escaped manually

Example

|+
  rsp_headers:
    X-Application-ID: my-custom-header
    MyCustomHeader: 3

server_timeout¶

Timeout waiting for data from a server (in seconds)

Default

30

ssl_ciphers¶

List of SSL Ciphers that are passed to HAProxy

Default

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

ssl_pem¶

SSL certificate (PEM file), or an array of SSL certificates (PEM files)

stats_bind¶

Define one or several listening addresses and/or ports in a frontend.

Default

'*:9000'

stats_enable¶

If true, haproxy will enable a socket for stats. You can see the stats on haproxy_ip:9000/haproxy_stats

Default

false

stats_password¶

Password to authenticate haproxy stats

stats_uri¶

URI used to access the stats UI.

Default

haproxy_stats

stats_user¶

User name to authenticate haproxy stats

syslog_server¶

An IPv4 address optionally followed by a colon and a UDP port. It can also be an IPv6 address or filesystem path to a UNIX domain socket.

Default

127.0.0.1

tcp¶

List of mappings to perform tcp-based proxying on. See example for mapping datastructure and keys

Default

[]

Example

tcp:
- backend_port: 80
  backend_servers:
  - 10.20.10.10
  - 10.20.10.11
  backend_ssl: verify
  backend_verifyhost: example.com
  name: wss
  port: 4443
  ssl: true

tcp_link_port¶

Port haproxy should listen on when using the tcp_backend link

trusted_domain_cidrs¶

Space separated trusted cidr blocks for internal_only_domains

Default

0.0.0.0/32

trusted_stats_cidrs¶

Trusted ip range that can access the stats UI

Default

0.0.0.0/32

websocket_timeout¶

Timeout for websocket/tunnel traffic (in seconds)

Default

3600

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/haproxy/ directory (learn more).

• bin/haproxy_ctl (from haproxy_ctl)
• bin/monit_debugger (from monit_debugger)
• config/backend-ca-certs.pem (from backend-ca-certs.erb)
• config/certs.ttar (from certs.ttar.erb)
• config/haproxy.config (from haproxy.config.erb)
• config/ssl_redirect.map (from ssl_redirect.map.erb)
• data/properties.sh (from properties.sh.erb)
• helpers/ctl_setup.sh (from helpers/ctl_setup.sh)
• helpers/ctl_utils.sh (from helpers/ctl_utils.sh)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• haproxy
• ttar