ansible/files/fedora-cloud/haproxy.cfg

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    tune.ssl.default-dh-param 1024
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#frontend keystone_public *:5000
#  default_backend keystone_public
#frontend keystone_admin *:35357
#  default_backend keystone_admin
frontend neutron
  bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend neutron
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend cinder
  bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend cinder
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend swift
  bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend swift
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend nova
  bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend nova
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend ceilometer
  bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend ceilometer
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend ec2
  bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend ec2
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

frontend glance
  bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fedorainfracloud.org.combined
  default_backend glance
  # HSTS (15768000 seconds = 6 months)
  rspadd  Strict-Transport-Security:\ max-age=15768000

backend neutron
  server neutron 127.0.0.1:8696 check

backend cinder
  server cinder 127.0.0.1:6776 check

backend swift
  server swift 127.0.0.1:7080 check

backend nova
  server nova 127.0.0.1:6774 check

backend ceilometer
  server ceilometer 127.0.0.1:6777 check

backend ec2
  server ec2 127.0.0.1:6773 check

backend glance
  server glance 127.0.0.1:7292 check

backend keystone_public
  server keystone_public 127.0.0.1:5000 check

backend keystone_admin
  server keystone_admin 127.0.0.1:35357 check