packages/net/haproxy/files/haproxy.cfg
Andrey Zotikov 4fa6e1225f haproxy: update config (maxconn, nbthread, ssl)
Configuration changes:

- max connections adjusted
- ulimit-n disabled
- nbprocs removed
- nbthread added
- ssl params added

Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
2026-02-15 11:56:46 +02:00


# Example configuration file for HAProxy, refer to the url below for
# a full documentation and examples for configuration:
# https://docs.haproxy.org/3.2/configuration.html
# Global parameters
global
# Log events to a remote syslog server at given address using the
# specified facility and verbosity level. Multiple log options
# are allowed.
#log 10.0.0.1 daemon info
# Logging events to the local syslog server is possible too.
#log /dev/log local0 info
# NOTE(review): both "log" lines are commented out, so this file configures
# no logging at all; without a log destination there is no connection or
# access record to consult when investigating an incident. Enable one of
# the lines above (or a "log" line in "defaults") before relying on this
# configuration in production.
# Specify the maximum number of allowed connections.
maxconn 10000
# Raise the ulimit for the maximum allowed number of open socket
# descriptors per process. This is usually at least twice the
# number of allowed connections (maxconn * 2 + nb_servers + 1).
# By default, it is automatically computed, so it is recommended
# not to use this option.
#ulimit-n 65535
# Drop privileges (setuid, setgid), default is "root" on OpenWrt.
# NOTE(review): "uid 0" / "gid 0" means the proxy keeps root for its whole
# lifetime, and the chroot below is disabled, so a bug in the proxy or a
# misconfigured listener exposes the entire device. Running as a dedicated
# unprivileged user with chroot enabled limits that blast radius; whether
# the OpenWrt package creates such a user is not visible here - confirm.
uid 0
gid 0
# Perform chroot into the specified directory.
#chroot /var/run/haproxy/
# Daemonize on startup
daemon
# Enable debugging
#debug
# Spawn given number of threads and distribute load among them,
# used for multi-core environments.
# On some platforms supporting CPU affinity, the default
# "nbthread" value is automatically set to the number of CPUs
# the process is bound to upon startup. The default value is
# reported in the output of "haproxy -vv".
#nbthread 2
# Default SSL material locations
ca-base /etc/ssl/certs
# SSL/TLS configuration. You can use the Mozilla SSL Config
# Generator. See: https://ssl-config.mozilla.org/#server=haproxy
# intermediate configuration
# The "bind" defaults below apply to client-facing TLS listeners
# ("bind ... ssl"); the "server" defaults apply to TLS connections HAProxy
# opens towards backends. Both sets enforce a TLS 1.2 floor (TLS 1.0/1.1
# are refused), list only AEAD cipher suites (GCM / CHACHA20-POLY1305),
# and set "no-tls-tickets", which disables stateless session-ticket
# resumption so a resumed session cannot be recovered later from a
# long-lived ticket key.
ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# NOTE(review): the server-side defaults set protocol versions and ciphers
# only; whether a backend's certificate is verified is decided by "verify"
# on each "server" line (or the global "ssl-server-verify" keyword), not by
# the lines below.
ssl-default-server-curves X25519:prime256v1:secp384r1
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
# Certificate store named "acme-certs": certificate and key files are
# resolved relative to /etc/ssl/acme and referenced from "bind" lines as
# "@acme-certs/<alias>" (see the commented TLS bind in my_http_proxy).
crt-store acme-certs
crt-base /etc/ssl/acme
key-base /etc/ssl/acme
# NOTE(review): private keys under key-base are read with the privileges
# HAProxy starts with (root, per "uid 0" in the global section); keep the
# key files owner-readable only (mode 0600, owned by root) so nothing else
# on the device can read them.
# load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
# load crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"
# Default parameters
defaults
# Default timeouts, inherited by every listener below that does not
# override them:
#   connect - how long to wait for a TCP connection to a backend server
#   client  - maximum inactivity allowed on the client side
#   server  - maximum inactivity allowed on the server side
#   check   - how long a health check may take before it counts as failed
# NOTE(review): no "timeout http-request" is set, so on HTTP listeners a
# client can hold a connection open while sending its request headers
# slowly for the full "timeout client" (50s); a shorter http-request
# timeout bounds how long such half-sent requests occupy a connection.
timeout connect 5s
timeout client 50s
timeout server 50s
timeout check 5s
# Example HTTP proxy listener
listen my_http_proxy
# Disable this instance without commenting out the section.
# NOTE(review): while "disabled" is present nothing in this section is
# active, including the statistics page below; review the stats settings
# before removing it.
disabled
# Bind to port 8080 on all interfaces (0.0.0.0), plain HTTP. The commented
# line shows the equivalent TLS bind using a certificate from the
# "acme-certs" store.
bind :8080
# bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1
# We're proxying HTTP here...
mode http
# Simple HTTP round robin over two servers using the specified
# source ip 192.168.1.1.
balance roundrobin
server server01 192.168.1.10:80 source 192.168.1.1
server server02 192.168.1.20:80 source 192.168.1.1
# Serve an internal statistics page on /stats:
# NOTE(review): the stats page is served by the same listener as the
# proxied traffic, i.e. on port 8080 of every interface and over plain
# HTTP, so the basic-auth credentials cross the network in clear text.
# Change "username:password" (a placeholder, stored here in clear text)
# before enabling, and prefer exposing /stats only on the TLS bind or on
# an internal address.
stats enable
stats uri /stats
# Enable HTTP basic auth for the statistics:
stats realm HA_Stats
stats auth username:password
# Example SMTP proxy listener
listen my_smtp_proxy
# Disable this instance without commenting out the section.
disabled
# Bind to port 26 and 588 on localhost only; unlike my_http_proxy this
# listener is not reachable from other hosts.
bind 127.0.0.1:26,127.0.0.1:588
# This is a TCP proxy: the payload is relayed as-is, with no HTTP parsing
# and therefore no HTTP-level rules or stats available in this section.
mode tcp
# Round robin load balancing over two servers on port 123 forcing
# the address 192.168.1.1 and port 25 as source.
balance roundrobin
#use next line for transparent proxy, so the servers can see the
#original ip-address and remove source keyword in server definition
# (transparent proxying needs kernel TPROXY support and matching
# privileges/routing on the box - verify on the target build before use)
#source 0.0.0.0 usesrc clientip
server server01 192.168.1.10:123 source 192.168.1.1:25
server server02 192.168.1.20:123 source 192.168.1.1:25
# Special health check listener for integration with external load
# balancers.
listen local_health_check
# NOTE(review): this is the only listener in the file without "disabled",
# and it binds port 60000 on every interface; on a router that includes
# the upstream/WAN side unless the firewall blocks it. If the external
# balancer lives on one known network, bind to that interface's address
# instead of ":60000", or restrict the port in the firewall.
# Listen on port 60000
bind :60000
# This health check requires http-mode
mode http
# Unconditionally answer 200 to any request. This reports only that the
# HAProxy process is up and accepting connections; it says nothing about
# the health of the backends defined in the other sections.
http-request return status 200