global maxconn 100000 daemon ca-base /srv/newsblur/config/certificates crt-base /srv/newsblur/config/certificates tune.bufsize 32000 tune.maxrewrite 8196 tune.ssl.default-dh-param 2048 log 127.0.0.1 local0 notice log 127.0.0.1 local1 info resolvers consul nameserver consul 127.0.0.1:53 accepted_payload_size 8192 # allow larger DNS payloads defaults log global maxconn 100000 mode http option forwardfor option http-server-close option httpclose option log-health-checks option log-separate-errors option httplog option redispatch option abortonclose timeout connect 10s timeout client 10s timeout server 30s timeout tunnel 1h retries 3 errorfile 502 /srv/newsblur/templates/502.http errorfile 503 /srv/newsblur/templates/502.http errorfile 504 /srv/newsblur/templates/502.http # balance roundrobin frontend public bind :80 bind :443 ssl crt /srv/newsblur/config/certificates/newsblur.com.pem ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 http-response add-header Strict-Transport-Security max-age=0;\ includeSubDomains option http-server-close acl gunicorn_dead nbsrv(app_django) lt 1 acl nginx_dead nbsrv(nginx) lt 1 acl mx_mode nbsrv(maintenance) lt 1 acl is_unread_count url_beg /reader/feed_unread_count acl is_discover url_beg /rss_feeds/discover acl is_refresh_feeds url_beg /reader/refresh_feed acl is_original_text url_beg /rss_feeds/original_text acl is_river url_beg /reader/river_stories acl is_automated_river urlp(h) -m found acl is_dashboard url_param(dashboard) -i true monitor-uri /status monitor fail if gunicorn_dead monitor fail if nginx_dead monitor fail if mx_mode # Redirect all HTTP traffic to HTTPS acl is_root path / redirect scheme https if is_root !{ ssl_fc } use_backend app_push if { hdr_end(host) -i push.newsblur.com } use_backend node_socket if { path_beg /v3/socket.io/ } use_backend node_favicons if { path_beg /rss_feeds/icon/ } use_backend node_text if { path_beg /rss_feeds/original_text_fetcher } use_backend node_images if { hdr_end(host) -i imageproxy.newsblur.com } use_backend node_images if { hdr_end(host) -i imageproxy2.newsblur.com } use_backend node_page if { path_beg /original_page/ } use_backend blog if { hdr_end(host) -i blog.newsblur.com } use_backend sentry if { hdr_end(host) -i sentry.newsblur.com } use_backend forum if { hdr_end(host) -i forum.newsblur.com } use_backend forum if { hdr_end(host) -i forum2.newsblur.com } use_backend forum if { hdr_end(host) -i forum3.newsblur.com } use_backend nginx if { path_beg /media/ } use_backend nginx if { path_beg /static/ } use_backend nginx if { path_beg /favicon } use_backend nginx if { path_beg /crossdomain/ } use_backend nginx if { path_beg /robots } use_backend metrics if { path_beg /metrics } #use_backend self if { path_beg /munin/ } use_backend db_metrics if { hdr_end(host) -i metrics.newsblur.com } use_backend consul_manager if { hdr_end(host) -i consul.newsblur.com } use_backend nginx if mx_mode use_backend app_count if is_unread_count use_backend app_count if is_discover use_backend app_refresh if is_refresh_feeds use_backend app_refresh if is_dashboard use_backend app_refresh if is_original_text use_backend app_refresh if is_river is_automated_river use_backend app_django unless gunicorn_dead || nginx_dead backend nginx option httpchk GET /_nginxchk http-check expect rstatus 200|503 default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hweb %} server nginx-{{host}} {{host}}.node.nyc1.consul:80 {% endfor %} backend app_django option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hdjango %} server {{host}} {{host}}.node.nyc1.consul:8000 {% endfor %} backend app_count balance roundrobin option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hcount %} server {{host}} {{host}}.node.nyc1.consul:8000 {% endfor %} # server-template app-counts 1 _app-counts._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none backend app_refresh balance roundrobin option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hrefresh %} server {{host}} {{host}}.node.nyc1.consul:8000 {% endfor %} # server-template app-refresh 1 _app-refresh._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none backend app_push balance roundrobin option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hpush %} server {{host}} {{host}}.node.nyc1.consul:8000 {% endfor %} # server-template app-push 1 _app-push._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none backend node_images option httpchk HEAD /sc,seLJDaKBog3LLEMDe8cjBefMhnVSibO4RA5boZhWcVZ0=/https://samuelclay.com/static/images/2019%20-%20Cuba.jpg http-check expect rstatus 200|301 default-server check inter 10000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hnode_images %} server {{host}} {{host}}.node.nyc1.consul:8088 {% endfor %} backend node_socket balance roundrobin default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hnode_socket %} server {{host}} {{host}}.node.nyc1.consul:8008 {% endfor %} backend node_favicons http-check expect rstatus 200|503 option httpchk GET /rss_feeds/icon/1 balance roundrobin default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hnode_favicons %} server {{host}} {{host}}.node.nyc1.consul:8008 {% endfor %} backend node_text http-check expect rstatus 200|503 option httpchk GET /rss_feeds/original_text_fetcher?test=1 balance roundrobin default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hnode_text %} server {{host}} {{host}}.node.nyc1.consul:8008 {% endfor %} backend node_page http-check expect rstatus 200|503 option httpchk GET /original_page/1?test=1 balance roundrobin default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.hnode_page %} server {{host}} {{host}}.node.nyc1.consul:8008 {% endfor %} backend staging balance roundrobin option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.staging %} server {{host}} {{host}}.node.nyc1.consul:8000 server {{host}} {{host}}.node.nyc1.consul:8001 backup {% endfor %} backend blog balance roundrobin option httpchk GET /_nginxchk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.blogs %} server {{host}} {{host}}.node.nyc1.consul:80 {% endfor %} backend sentry balance roundrobin option httpchk GET /_health default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.sentry %} server {{host}} {{host}}.node.nyc1.consul:9000 {% endfor %} backend forum balance roundrobin default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.forum %} server {{host}} {{host}}.node.nyc1.consul:80 {% endfor %} backend db_metrics balance roundrobin # option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none server db-grafana grafana.service.nyc1.consul:3000 backend metrics option httpchk GET /_haproxychk http-check expect rstatus 200|301 server happ-web-01 happ-web-01.node.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none backend postgres option httpchk GET /db_check/postgres default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.postgres %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} server hdb-postgres-secondary2 hdb-redis-secondary.node.nyc1.consul:5579 backend mongo option httpchk GET /db_check/mongo default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.mongo %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} backend mongo_analytics option httpchk GET /db_check/mongo_analytics default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.mongo_analytics %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} backend db_redis_user option httpchk GET /db_check/redis_user default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.redis_user %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} server hdb-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579 backend db_redis_story option httpchk GET /db_check/redis_story default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.redis_story %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} server db-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579 backend db_redis_sessions option httpchk GET /db_check/redis_sessions default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.redis_session %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} server db-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579 backend db_redis_pubsub option httpchk GET /db_check/redis_pubsub default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none server hdb-redis-pubsub db-redis-pubsub.service.nyc1.consul:5579 backend db_elasticsearch option httpchk GET /db_check/elasticsearch default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none {% for host in groups.elasticsearch %} server {{host}} {{host}}.node.nyc1.consul:5579 {% endfor %} backend consul_manager balance roundrobin # option httpchk GET /_haproxychk default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none server db-consul-manager consul-manager.service.nyc1.consul:8500 backend maintenance option httpchk HEAD /maintenance http-check expect status 404 http-check send-state # server maintenance app-django1.node.nyc1.consul:80 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none server maintenance happ-web-01.node.nyc1.consul:80 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none listen stats bind :1936 ssl crt {{ ssl_certificate }} stats enable stats hide-version stats realm Haproxy\ Statistics stats uri / stats auth gimmiestats:StatsGiver stats refresh 15s