From 4fa6e1225f9920286c761fbb3c570bb40d5cc46c Mon Sep 17 00:00:00 2001
From: Andrey Zotikov
Date: Fri, 6 Feb 2026 09:18:55 +0300
Subject: [PATCH] haproxy: update config (maxconn, nbthread, ssl)

Configuration changes:
- max connections adjusted
- ulimit-n disabled
- nbprocs removed
- nbthread added
- ssl params added

Signed-off-by: Andrey Zotikov
---
 net/haproxy/files/haproxy.cfg | 56 +++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 13 deletions(-)

diff --git a/net/haproxy/files/haproxy.cfg b/net/haproxy/files/haproxy.cfg
index 1914695b3f..cdbf247ccc 100644
--- a/net/haproxy/files/haproxy.cfg
+++ b/net/haproxy/files/haproxy.cfg
@@ -1,6 +1,6 @@
-# Example configuration file for HAProxy 2.0, refer to the url below for
+# Example configuration file for HAProxy, refer to the url below for
 # a full documentation and examples for configuration:
-# https://cbonte.github.io/haproxy-dconv/2.0/configuration.html
+# https://docs.haproxy.org/3.2/configuration.html
 # Global parameters
@@ -15,12 +15,14 @@ global
 #log /dev/log local0 info
 # Specifiy the maximum number of allowed connections.
- maxconn 32000
+ maxconn 10000
 # Raise the ulimit for the maximum allowed number of open socket
 # descriptors per process. This is usually at least twice the
 # number of allowed connections (maxconn * 2 + nb_servers + 1) .
- ulimit-n 65535
+ # By default, it is automatically computed, so it is recommended
+ # not to use this option.
+ #ulimit-n 65535
 # Drop privileges (setuid, setgid), default is "root" on OpenWrt.
 uid 0
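Review bot: The retained comment above the now-disabled `ulimit-n` still opens with "Raise the ulimit for the maximum allowed number of open socket descriptors per process ... usually at least twice the number of allowed connections", so the new sentence "it is recommended not to use this option" contradicts the three context lines that precede it; rewording the lead to `# Optionally override the maximum allowed number of open socket descriptors per process.` would make the block read coherently. The `maxconn` change from 32000 to 10000 alters the effective connection limit for anyone shipping this default config unchanged, and a one-line comment stating why 10000 was chosen (memory on typical OpenWrt targets, presumably) would help the next maintainer. The typo "Specifiy" on the context line could be fixed while the comment is being touched. `uid 0` is unchanged, so the daemon still runs as root on OpenWrt by default; that predates this commit but is worth keeping in mind when the privilege-drop comment is revisited.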
@@ -35,27 +37,55 @@ global
 # Enable debugging
 #debug
- # Spawn given number of processes and distribute load among them,
- # used for multi-core environments or to circumvent per-process
- # limits like number of open file descriptors. Default is 1.
- #nbproc 2
+ # Spawn given number of threads and distribute load among them,
+ # used for multi-core environments.
+ # On some platforms supporting CPU affinity, the default
+ # "nbthread" value is automatically set to the number of CPUs
+ # the process is bound to upon startup. The default value is
+ # reported in the output of "haproxy -vv".
+ #nbthread 2
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
 # SSL/TLS configuration. You can use the Mozilla SSL Config
 # Generator. See: https://ssl-config.mozilla.org/#server=haproxy
+ # intermediate configuration
+ ssl-default-bind-curves X25519:prime256v1:secp384r1
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+ ssl-default-server-curves X25519:prime256v1:secp384r1
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+crt-store acme-certs
+ crt-base /etc/ssl/acme
+ key-base /etc/ssl/acme
+ # load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
+ # load
crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"
+
 # Default parameters
 defaults
 # Default timeouts
- timeout connect 5000ms
- timeout client 50000ms
- timeout server 50000ms
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ timeout check 5s
 # Example HTTP proxy listener
 listen my_http_proxy
- # Bind to port 81 and 444 on all interfaces (0.0.0.0)
- bind :81,:444
+ # Disable this instance without commenting out the section.
+ disabled
+
+ # Bind to port 8080 on all interfaces (0.0.0.0)
+ bind :8080
+ # bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1
 # We're proxying HTTP here...
 mode http
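Review bot: The new `crt-store acme-certs` section and the commented `bind :8443 ... default-crt @acme-certs/domain1` line rely on the crt-store section and the `default-crt` bind keyword, which as far as I know exist only from HAProxy 3.0 on, yet the header comment was just changed to name no version at all; a line such as `# crt-store and default-crt require HAProxy 3.0 or later` above `crt-store acme-certs` would tell users of an older package why the config fails to parse. The `defaults` section gains `timeout check 5s` but still has no `timeout http-request`, so in `mode http` a client that never finishes sending its request headers holds the connection for the full 50s `timeout client`; adding `timeout http-request 10s` next to the other timeouts is the usual mitigation and fits the same style. With both `load` lines commented out the `crt-store` is a template rather than a working store, which is fine, but a short comment saying so (and that `crt-base`/`key-base` make the `load` paths relative to /etc/ssl/acme) would save the next reader a trip to the docs. If `listen my_http_proxy` continues beyond `mode http`, that remainder lies outside this hunk.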