veza/config/haproxy/haproxy.cfg
senke b657776892 fix(infra): HAProxy HTTPS and stats security
P1.1 - Enable HTTPS in HAProxy for production:
- HTTP to HTTPS redirect (301)
- HTTPS frontend on port 443 with veza.pem
- config/ssl/ structure with README and generate-ssl-cert.sh
- docker-compose.prod.yml volume for certs

P1.3 - Restrict HAProxy stats to internal network:
- ACL from_internal (127.0.0.1, 172.20.0.0/16)
- stats admin if from_internal

Also: remove errorfile directives (use HAProxy built-in defaults)
2026-02-15 15:58:51 +01:00


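global
    # Process-wide settings; everything below applies to all proxies.
    log stdout format raw local0
    maxconn 4096
    # NOTE(review): the commit wires this config into docker-compose.prod.yml —
    # confirm `daemon` is compatible with how the container entrypoint starts
    # HAProxy (a backgrounded process can make the container exit).
    daemon
    # P1.1: TLS policy for every `bind ... ssl` line (https_frontend).
    # Refuse TLS 1.0/1.1 handshakes explicitly instead of relying on the
    # build's default minimum version, which varies between HAProxy releases.
    ssl-default-bind-options ssl-min-ver TLSv1.2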
defaults
    # Inherited by every frontend/backend below unless overridden there.
    log     global
    mode    http

    # Logging: full HTTP log lines, skip connections that sent nothing.
    option  httplog
    option  dontlognull

    # Pass the client address to backends as X-Forwarded-For. Backends should
    # only trust that header on requests that arrive through HAProxy.
    option  forwardfor
    # Close the server-side connection after each response; the client side
    # may stay open. WebSocket upgrades switch to tunnel mode regardless.
    option  http-server-close

    # Timeouts (same values as before, written in seconds).
    # http-request bounds how long a client may take to send its headers,
    # which limits slow-header attacks on port 80/443.
    timeout connect      5s
    timeout client       50s
    timeout server       50s
    timeout http-request 10s
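# ============================================================================
# STATS & MONITORING (P1.3: restricted to internal network)
# ============================================================================
frontend stats
    # Bound on every interface of the container: keep 8404 out of the
    # published ports in docker-compose so only hosts on the internal
    # network can reach it at all.
    bind *:8404

    # Trusted sources: loopback and the Docker network (P1.3).
    # `src` is the TCP peer address, so this only holds while HAProxy
    # terminates the connection itself (no proxy in front of it).
    acl from_internal src 127.0.0.1 172.20.0.0/16

    # Reject untrusted sources before the stats page is served. Without this
    # rule only the *admin* actions were gated and the read-only page
    # (backend names, server addresses, health state) stayed reachable by
    # anyone who could connect to 8404.
    http-request deny if !from_internal

    stats enable
    stats uri /stats
    stats refresh 30s
    # Do not advertise the HAProxy version on the page.
    stats hide-version
    # Admin actions (enable/disable servers) for trusted sources only.
    stats admin if from_internal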
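# ============================================================================
# HTTP FRONTEND (Port 80)
# ============================================================================
frontend http_frontend
    bind *:80
    mode http

    # P1.1: every plain-HTTP request is redirected to HTTPS (301, cacheable
    # by browsers). This bind has no `ssl`, so `ssl_fc` is never true here;
    # the condition only matters if a TLS bind is ever added to this frontend.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # No routing rules here on purpose: the redirect above fires for every
    # request, so any `use_backend` placed after it would never be reached.
    # Routing lives in https_frontend.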
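# ============================================================================
# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS
# Certificates from config/ssl/ mounted at /etc/ssl/veza/
# ============================================================================
frontend https_frontend
    # veza.pem must hold the certificate chain and the private key
    # (the commit's generate-ssl-cert.sh produces it).
    bind *:443 ssl crt /etc/ssl/veza/veza.pem
    mode http

    # Backends only ever see plain HTTP from HAProxy; tell them the original
    # scheme so absolute URLs, cookies and redirects they build use https.
    http-request set-header X-Forwarded-Proto https

    # HSTS: once a browser has seen one valid HTTPS response it will not
    # attempt plain HTTP to this host for a year. Browsers ignore the header
    # on connections with certificate errors, so a self-signed dev cert does
    # not pin anything.
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # ACLs for routing (first match wins, in the order of the use_backend lines)
    acl is_api    path_beg /api/v1
    acl is_ws     path_beg /ws
    acl is_stream path_beg /stream

    # Route to the appropriate backend; everything else goes to the web app.
    use_backend backend_api if is_api
    use_backend chat_ws     if is_ws
    use_backend stream_ws   if is_stream
    default_backend web_frontend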
# ============================================================================
# BACKENDS
# ============================================================================
# Backend API (Go)
# Reached for paths under /api/v1 (see the frontends above).
backend backend_api
    mode http
    balance roundrobin
    # Active health check: a server is marked down after 3 consecutive
    # non-200 answers to GET /api/v1/health and back up after 2 good ones,
    # probing every 5s.
    option httpchk GET /api/v1/health
    http-check expect status 200
    # Docker service name and port of the Go API container.
    server backend1 backend-api:8080 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server backend2 backend-api-2:8080 check inter 5s fall 3 rise 2
# Chat WebSocket (Rust)
# Reached for paths under /ws (see the frontends above).
backend chat_ws
    mode http
    balance roundrobin
    # Health check on the server's plain-HTTP /health endpoint, not on the
    # WebSocket path itself.
    option httpchk GET /health
    http-check expect status 200
    server chat1 chat-server:3000 check inter 5s fall 3 rise 2
    # WebSocket specific options
    # After the Upgrade handshake HAProxy switches the connection to tunnel
    # mode; from then on this idle timeout applies instead of the 50s
    # client/server timeouts from `defaults`.
    timeout tunnel 3600s
# Stream WebSocket (Rust)
# Reached for paths under /stream (see the frontends above).
backend stream_ws
    mode http
    balance roundrobin
    # Health check on the server's plain-HTTP /health endpoint, not on the
    # WebSocket path itself.
    option httpchk GET /health
    http-check expect status 200
    server stream1 stream-server:3001 check inter 5s fall 3 rise 2
    # WebSocket specific options
    # After the Upgrade handshake HAProxy switches the connection to tunnel
    # mode; from then on this idle timeout applies instead of the 50s
    # client/server timeouts from `defaults`.
    timeout tunnel 3600s
# Web Frontend (React/Vite)
# Catch-all backend for every path not claimed by the API/WebSocket ACLs.
backend web_frontend
    mode http
    balance roundrobin
    # Health check: the app root must answer 200.
    option httpchk GET /
    http-check expect status 200
    # NOTE(review): 5173 is the port Vite's development server listens on by
    # default. This commit targets production (docker-compose.prod.yml) —
    # confirm the `web` container serves a built bundle rather than the dev
    # server, which exposes source maps and a hot-reload endpoint.
    server web1 web:5173 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server web2 web-2:5173 check inter 5s fall 3 rise 2