Something like this works…

# HAProxy configuration

#------------------
# Global settings
#------------------
global
    log /dev/log    local0
    log /dev/log    local1 notice
    user haproxy
    group haproxy
    chroot  /var/lib/haproxy
    daemon
    stats socket /var/lib/haproxy/stats mode 660 level admin
    maxconn 65536
    spread-checks 4
    tune.ssl.default-dh-param        2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

#------------------
# common defaults that all the 'listen' and 'backend' sections will
# use, if not designated in their block
#------------------
defaults
    log global
    mode http
    retries 3
    balance roundrobin
    option              abortonclose
    option              redispatch
    option              dontlognull
    option              log-health-checks
    maxconn 20480
    timeout connect         5s
    timeout client          50s
    timeout server          50s
    timeout http-request    20s
    timeout http-keep-alive 30s
    timeout check           10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#------------------
# frontend instances
#------------------
frontend ext-http-in
    bind   10.1.2.10:80 name s3
    bind   10.1.2.10:443 ssl crt certificate.pem name secure-s3
    maxconn 25000
    option              forwardfor if-none
    option              http-server-close
    option              httplog
    default_backend be_rgw-zone1
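    # host_s3 must be defined before it is used; the hostname here is a placeholder
    acl host_s3 hdr(host) -i s3.example.com
    use_backend be_rgw-zone1 if host_s3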

#------------------
# backend instances
#------------------
backend be_rgw-zone1
    mode http
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server radosgw-vip1 10.1.2.1:80 check
    server radosgw-vip2 10.1.2.2:80 check
    server radosgw-vip3 10.1.2.3:80 check

From: Szabo, Istvan (Agoda) <istvan.sz...@agoda.com>
Date: Sunday, February 7, 2021 at 8:25 PM
To: Marc <m...@f1-outsourcing.eu>, ceph-users@ceph.io <ceph-users@ceph.io>
Subject: [ceph-users] Re: share haproxy config for radosgw
Let me join this thread; I'd also be interested in HTTPS and beast 
configuration at the HAProxy level. I haven't ever managed to make it work.


-----Original Message-----
From: Marc <m...@f1-outsourcing.eu>
Sent: Monday, February 8, 2021 5:19 AM
To: ceph-users@ceph.io
Subject: [ceph-users] share haproxy config for radosgw

I was wondering if someone could post a config for haproxy. Is there something 
specific to configure? Like binding clients to a specific backend server, 
client timeouts, security specific to rgw etc.
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io To unsubscribe send an email to 
ceph-users-le...@ceph.io
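
An added example, not part of the original thread: a small Python lint run over a constructed excerpt shaped like the posted frontend and backend. It flags named ACLs that a `use_backend` rule references without a prior `acl` line, backends that are referenced but never defined, and the two `X-Forwarded-*` settings that let a client-supplied header reach radosgw. The function name `audit`, the sample text, `be_rgw-zone2` and `alt.example.com` are assumptions made for illustration.

```python
import re

# Constructed sample, trimmed to the frontend/backend shape of the posted config.
SAMPLE = """\
frontend ext-http-in
    bind 10.1.2.10:80 name s3
    option forwardfor if-none
    default_backend be_rgw-zone1
    use_backend be_rgw-zone1 if host_s3
    use_backend be_rgw-zone2 if { hdr(host) -i alt.example.com }

backend be_rgw-zone1
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server radosgw-vip1 10.1.2.1:80 check
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def audit(text):
    """Return (section, finding) tuples. Heuristic lint, not HAProxy's own parser."""
    out, acls, wanted, defined, sect = [], set(), [], set(), None
    for raw in text.splitlines():
        w = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not w:
            continue
        if w[0] in SECTIONS:
            sect, acls = (w[1] if len(w) > 1 else w[0]), set()
            if w[0] in ("backend", "listen"):
                defined.add(sect)
        elif w[0] == "acl" and len(w) > 1:
            acls.add(w[1])                    # named ACLs resolve in declaration order
        elif w[0] in ("use_backend", "default_backend") and len(w) > 1:
            wanted.append((sect, w[1]))
            cond = re.sub(r"\{.*?\}", " ", " ".join(w[3:]))  # skip anonymous { } ACLs
            for name in (t.lstrip("!") for t in cond.split()):
                # all-uppercase names (TRUE, METH_GET, ...) are assumed predefined
                if name and name not in ("or", "||") and not name.isupper() and name not in acls:
                    out.append((sect, f"ACL '{name}' used before it is defined"))
        elif w[:2] == ["http-request", "add-header"] and w[2:3] and w[2].lower().startswith("x-forwarded-"):
            out.append((sect, f"add-header keeps a client-sent {w[2]}; use set-header"))
        elif w[:2] == ["option", "forwardfor"] and "if-none" in w:
            out.append((sect, "forwardfor if-none passes a client-sent X-Forwarded-For through"))
    out += [(s, f"backend '{b}' is not defined") for s, b in wanted if b not in defined]
    return out

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```

Running `haproxy -c -f <file>` remains the authoritative syntax check; this lint only adds the header-trust findings that the syntax check does not report.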
