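global
    # NOTE(review): chroot is enabled below, so the /dev/log socket has to be
    # reachable from inside the chroot (typically /var/lib/haproxy/dev/log) —
    # confirm the syslog daemon creates it there, otherwise nothing is logged.
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    maxconn 4000
    # Admin-level runtime API on a local unix socket. mode 660 keeps it off
    # limits to other local users; only the socket owner/group may use it.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    nbproc 1 # run a single haproxy process
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # The original only disabled SSLv3, leaving TLS 1.0/1.1 negotiable on every
    # ssl-enabled bind. Both are deprecated and the generator referenced above
    # disables them as well. Assumes no clients still require TLS 1.0/1.1.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    # DH parameter size for ephemeral DH key exchange (DH+ cipher suites above)
    tune.ssl.default-dh-param 2048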
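defaults
    log global
    mode http
    option httplog
    # Allow a request whose persisted server is down to be sent to another server
    option redispatch
    # Do not log connections that exchanged no data (e.g. monitoring probes)
    option dontlognull
    #option forwardfor # add the client's real IP to an HTTP header for the backend servers to read
    # Drop requests still waiting in a server queue once the client has already
    # closed, so queue slots are not wasted under high load
    option abortonclose
    # Bound the time a client may take to send the complete request headers.
    # Without it a client that trickles headers holds the connection for the
    # whole 50s client timeout. 10s is a starting point, tune to the traffic.
    timeout http-request 10s
    # Values without a unit suffix are milliseconds
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http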
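listen stats
    # Listens on every interface. If the stats page is not meant to be reachable
    # from outside, bind it to a management address or filter it at the firewall.
    bind 0.0.0.0:1080
    mode http
    option httplog
    log global
    stats enable
    stats refresh 30s
    stats uri /admin?stats
    # The realm is parsed as a single word, so the space must be escaped;
    # unescaped, only "Private" was taken as the realm.
    stats realm Private\ lands
    # Placeholder credential — set a real one before deploying. The page must
    # never ship with a well-known default such as admin:admin.
    stats auth admin:REPLACE_WITH_A_STRONG_PASSWORD
    stats hide-version
    # Admin actions from the page (enable/disable servers, clear counters) were
    # unconditionally enabled ("if TRUE") on a public listener. Restrict them to
    # connections from the local host; LOCALHOST is HAProxy's predefined ACL
    # for src 127.0.0.0/8. Remote users keep read-only access.
    stats admin if LOCALHOST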
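frontend http_80_in
    bind *:80
    mode http
    # NOTE(review): per the 1.5 docs, httpclose together with http-server-close
    # behaves like forceclose; confirm both are intended.
    option httpclose
    option http-server-close
    # Only one "option forwardfor" is effective per proxy section. The original
    # declared it three times (default header, X-Client-IP, X-Real-IP) and only
    # the last declaration took effect. Emit the standard X-Forwarded-For and an
    # explicit X-Real-IP carrying the connection source. set-header replaces any
    # client-supplied X-Real-IP, so the backend cannot be fed a spoofed value;
    # X-Forwarded-For is additive, so treat client-sent entries as untrusted.
    option forwardfor
    http-request set-header X-Real-IP %[src]
    # Image host: rewrite the path and redirect to the object store
    acl img_host hdr(host) -i img.test.com
    # NOTE(review): as far as I can tell, redirect rules are evaluated before
    # req* rewrite rules in 1.x, so this reqirep most likely never influences
    # the redirect below (the client is sent to the un-rewritten path). Confirm
    # whether "/img" belongs in the redirect prefix instead.
    reqirep ^([^\ ]*)\ /(.*) \1\ /img/\2 if img_host
    redirect prefix https://s3.cn-north-1.amazonaws.com.cn if img_host
    # ACME http-01 challenges go to the local responder
    acl app_letsencrypt path_beg /.well-known/acme-challenge/
    use_backend letsencrypt_backend if app_letsencrypt
    # Exact host and wildcard-suffix host matching
    acl test_host hdr(host) -i www.test.com
    acl test_end_host hdr_end(host) -i .test.cn
    use_backend logic-http if test_host or test_end_host
    # Everything else lands on logic-http too, so the use_backend above is an
    # explicit allow-list for documentation rather than a filter
    default_backend logic-http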
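frontend https
    # Several certificates on one listener; the one matching the client's SNI
    # is served, the first one is the fallback
    bind *:443 ssl crt /etc/ssl/haproxy-certs/www.test.com.pem crt /etc/ssl/haproxy-certs/www.test.cn.pem
    mode http
    # Tell the backend the original scheme. The original used reqadd, which
    # appends a second header if the client already sent X-Forwarded-Proto;
    # set-header replaces any client-supplied value so it cannot be spoofed.
    http-request set-header X-Forwarded-Proto https
    option httpclose
    option forwardfor
    option http-server-close
    # Request headers captured into the httplog line
    capture request header Host len 255
    capture request header User-Agent len 255
    capture request header Referer len 255
    # Cookie is deliberately not captured: it writes session identifiers and
    # other credentials into the log files. Re-enable only with a capture that
    # excludes authentication cookies.
    #capture request header Cookie len 255
    acl test_host hdr(host) -i www.test.com www.test.cn
    use_backend logic-http if test_host
    # No default_backend: a request for any other Host name gets no backend
    # (presumably answered with 503) — confirm this is intended.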
backend per-ip
# Shared stick-table, keyed by client IP, used by logic-http for its per-IP
# rate limit: up to 50k entries, an entry expires 120m after it was last
# touched, and it stores gpc0 plus the 1-second HTTP request rate.
# gpc0 is not referenced anywhere else in this file.
stick-table type ip size 50k expire 120m store gpc0,http_req_rate(1s)
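backend logic-http
    balance roundrobin
    # Cookie-based persistence. The original declared "cookie SERVERID" with no
    # mode and no cookie value on either server line, so HAProxy had nothing to
    # map a cookie to and persistence never applied. insert/indirect/nocache
    # makes HAProxy set and strip the cookie itself; httponly keeps it away
    # from client-side scripts.
    cookie SERVERID insert indirect nocache httponly
    # Per-client-IP request rate limit, tracked in the shared per-ip table
    tcp-request content track-sc2 src table per-ip
    # NOTE(review): "gt 1" over a 1s window denies a client's second request
    # within any second, which ordinary page loads with assets will trigger;
    # confirm the threshold before relying on this as brute-force protection.
    acl bruteforce_detection sc2_http_req_rate gt 1
    # Denied requests are answered with 403 (errorfile 403 from defaults)
    http-request deny if bruteforce_detection
    server logic-01 172.31.1.2:80 cookie logic-01 check inter 2000 rise 3 fall 3 weight 1
    server logic-02 172.31.1.3:80 cookie logic-02 check inter 2000 rise 3 fall 3 weight 1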
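backend letsencrypt_backend
    # Rewrite Host for the local ACME responder; set-header replaces the
    # client-supplied Host header rather than adding a second one
    http-request set-header Host letsencrypt.requests
    # "dispatch" is deprecated in favour of a server line; a single server
    # without health checks sends every request to the same address.
    server letsencrypt 127.0.0.1:8000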