-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy.cfg
102 lines (86 loc) · 5.49 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# TODO: move this entire config to the k8s deployment a la nginx?
#
global
log stdout format raw local0 info
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
timeout tunnel 3600s # for ws connections
log-format '{"time":"%Tl","remote_addr":"%ci","src":"%[src]","remote_user":"%[capture.req.hdr(7),json(utf8s)]","request":"%r","status":"%ST","log_type":"access","bytes_sent":"%B","request_time":"%Tr","referrer":"%[capture.req.hdr(2),json(utf8s)]","user_agent":"%[capture.req.hdr(3),json(utf8s)]","x_forwarded_for":"%[capture.req.hdr(1),json(utf8s)]","x_forwarded_proto":"%[capture.req.hdr(5),json(utf8s)]","x_ratelimit_remaining":"%[capture.res.hdr(0),json(utf8s)]","x_ratelimit_limit":"%[capture.res.hdr(1),json(utf8s)]","x_ratelimit_reset":"%[capture.res.hdr(2),json(utf8s)]","x_request_id":"%[capture.res.hdr(3),json(utf8s)]"}'
frontend router
bind :8080
log global
# Note order matters, we pull this based on index in the log format
capture request header Host len 200
capture request header X-Forwarded-For len 200
capture request header Referer len 200
capture request header User-Agent len 200
capture request header RemoteAddr len 200
capture request header X-Forwarded-Proto len 5
capture request header x-cloud-trace-context len 200
capture request header RemoteUser len 200
capture response header x-ratelimit-remaining len 20
capture response header x-ratelimit-limit len 20
capture response header x-ratelimit-reset len 200
capture response header x-request-id len 200
# "health" checks
http-request return status 200 content-type text/plain string ok if { path /__nginxheartbeat__ } || { path /__lbheartbeat__ }
# Make sure the streaming api is routed to mastodons streaming socket
use_backend streaming if { path_beg /api/v1/streaming }
# Report API (internal) - this entry _must_ go before the following one (Report API)
use_backend mastodon-report-api if { path_beg '/api/v1/reports-internal' }
# Report API
use_backend cmbridge if { path_beg '/api/v1/reports' }
# Cinder-Mastodon Bridge microservice
use_backend cmbridge-infringement-form if { path_beg /en-US/about/legal/report-infringement-form }
# Redirect Mastodon 2FA settings to Mozilla Accounts
use_backend fxa-redirs if { path /settings/otp_authentication }
# Fall back to mastodon
use_backend mastodon
backend mastodon-report-api
http-request redirect location "https://support.mozilla.org/kb/mozilla-social-faq"
http-request replace-path /api/v1/reports-internal /api/v1/reports
http-request set-header Host "${MASTODON_HOSTNAME-stage.moztodon.nonprod.webservices.mozgcp.net}"
http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto
http-request add-header X-Real-Ip %[src] # Custom header with src IP
option forwardfor if-none # X-forwarded-for
#server mastodon "${MASTODON_SERVICE_AND_PORT-web.moztodon-stage.svc.cluster.local:8080}" maxconn "${MAXCONN_MASTODON-50}"
server mastodon "www.mozilla.org"
http-response set-header X-Server mastodon
backend fxa-redirs
http-request replace-path /settings/otp_authentication "/settings#two-step-authentication"
http-request redirect prefix "https://${FXA_HOSTNAME-accounts.stage.mozaws.net}"
backend cmbridge
http-request set-header Host "${CMBRIDGE_HOSTNAME-stage.cm-bridge.nonprod.webservices.mozgcp.net}"
http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto
http-request add-header X-Real-Ip %[src] # Custom header with src IP
option forwardfor if-none # X-forwarded-for
server cmbridge "${CMBRIDGE_SERVICE_AND_PORT-stage.cm-bridge-stage.svc.cluster.local:8080}" maxconn "${MAXCONN_CMBRIDGE-50}"
http-response set-header X-Server cmbridge
backend cmbridge-infringement-form
http-request redirect location "https://${CMBRIDGE_HOSTNAME-stage.cm-bridge.nonprod.webservices.mozgcp.net}/infringement-form"
backend mastodon
http-request redirect location "https://support.mozilla.org/kb/mozilla-social-faq"
# if the request is the /auth/sign_in intersisteall, we remove the referer header because mastodon usually overrides
# the stored oidc redirect if it was navigated to from the same host domain and theres a referer header
# By deleting it here we avoid updating mastodon code and allow our client to run on the same domain as Mastodon
# https://github.com/MozillaSocial/mastodon/blob/main/app/controllers/application_controller.rb#L67
http-request del-header referer if { path '/auth/sign_in' }
http-request set-header Host "${MASTODON_HOSTNAME-stage.moztodon.nonprod.webservices.mozgcp.net}"
http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto
http-request add-header X-Real-Ip %[src] # Custom header with src IP
option forwardfor if-none # X-forwarded-for
#server mastodon "${MASTODON_SERVICE_AND_PORT-web.moztodon-stage.svc.cluster.local:8080}" maxconn "${MAXCONN_MASTODON-50}"
server mastodon "www.mozilla.org"
http-response set-header X-Server mastodon
backend streaming
http-request deny deny_status 404
http-request set-header Host "${MASTODON_HOSTNAME-stage.moztodon.nonprod.webservices.mozgcp.net}"
http-request set-header X-Forwarded-Proto https if { ssl_fc } # For Proto
http-request add-header X-Real-Ip %[src] # Custom header with src IP
option forwardfor if-none # X-forwarded-for
#server mastodon "${MASTODON_STREAMING_SERVICE_AND_PORT-streaming.moztodon-stage.svc.cluster.local:4000}" maxconn "${MAXCONN_MASTODON_STREAMING-50}"
server mastodon "www.mozilla.org"
http-response set-header X-Server mastodon-streaming