HAProxy config

Dave Jensen

This is the HAProxy config I use for https://www.axisandallies.org whic is both wordpress and NodeBB.
Traffic to https://www.axisandallies.org/forums and https://www.axisandallies.org/uploads goes to NodeBB and the rest goes to Wordpress. I've changed a few things IPs, dirs, etc so this is not exactly like production but it gives you an idea.
I use HaProxy for other sites as well, which is why I check the hostname to use the backend.

global
    log /etc/haproxy/log    local0
    log /etc/haproxy/log    local1 notice
    chroot /var/lib/haproxy
    daemon

    # maxconn 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  forwardfor
    option  http-server-close
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http

    # Redirect all http traffic
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/site.pem crt
    #reqadd X-Forwarded-Proto:\ https
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Client-IP %[src]
    http-request set-header X-Real-IP %[src]

    # acl rules
    acl is-axisandallies-org hdr_end(host) -i axisandallies.org
    acl is-forums path_beg /forums
    acl is-www hdr_beg(host) -i www
    acl is-wrong-upload path_beg /uploads

    # redirect non www to www for axis and allies
    http-request redirect code 301 location https://www.%[hdr(host)]%[url] if is-axisandallies-org !is-www

    # redirect the uploads urls
    http-request redirect code 301 location https://%[hdr(host)]%[url,regsub(^/uploads,/forums/assets/uploads,)] if is-wrong-upload is-axisandallies-org

    # rewrite the uploads urls for axisandallies.org
    # http-request set-path %[path,regsub(^/uploads,/forums/assets/uploads,)] if is-wrong-upload is-axisandallies-org

    # axisandallies.org/forums
    use_backend nodebb if is-axisandallies-org is-forums

    # axisandallies.org
    use_backend axisandallies-org if is-axisandallies-org
    # use_backend maintenance if is-axisandallies-org

backend axisandallies-org
    redirect scheme https if !{ ssl_fc }
    server axisandalliesorg1 10.20.30.41:80 check

backend nodebb
    balance source
    hash-type consistent
    redirect scheme https if !{ ssl_fc }
    server nodebb1 10.20.30.40:4567 check
    server nodebb2 10.20.30.40:4568 check

backend maintenance
    errorfile 503 /opt/haproxy/errors/maintenance.html

Dave Jensen

I'm posting this as a new topic to share with other who might try HAProxy in the manner that I have tried it and because I have or solved a number issues that may or may not be related to this config.