-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy.cfg
181 lines (153 loc) · 14 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
global
log stdout format raw daemon "${LOG_LEVEL}"
user root
group root
pidfile /run/haproxy.pid
maxconn 4000
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 10m
timeout server 10m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
# Use provided example error pages
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend docker_frontend
bind :2375
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET { env(PING_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_HEAD { env(PING_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_POST { env(PING_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_PUT { env(PING_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_DELETE { env(PING_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } METH_GET { env(VERSION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } METH_HEAD { env(VERSION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } METH_POST { env(VERSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } METH_PUT { env(VERSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } METH_DELETE { env(VERSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } METH_GET { env(INFO_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } METH_HEAD { env(INFO_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } METH_POST { env(INFO_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } METH_PUT { env(INFO_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } METH_DELETE { env(INFO_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } METH_GET { env(EVENTS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } METH_HEAD { env(EVENTS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } METH_POST { env(EVENTS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } METH_PUT { env(EVENTS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } METH_DELETE { env(EVENTS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } METH_GET { env(AUTH_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } METH_HEAD { env(AUTH_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } METH_POST { env(AUTH_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } METH_PUT { env(AUTH_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } METH_DELETE { env(AUTH_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } METH_GET { env(SECRETS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } METH_HEAD { env(SECRETS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } METH_POST { env(SECRETS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } METH_PUT { env(SECRETS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } METH_DELETE { env(SECRETS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } METH_GET { env(BUILD_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } METH_HEAD { env(BUILD_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } METH_POST { env(BUILD_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } METH_PUT { env(BUILD_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } METH_DELETE { env(BUILD_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } METH_GET { env(COMMIT_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } METH_HEAD { env(COMMIT_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } METH_POST { env(COMMIT_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } METH_PUT { env(COMMIT_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } METH_DELETE { env(COMMIT_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } METH_GET { env(CONFIGS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } METH_HEAD { env(CONFIGS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } METH_POST { env(CONFIGS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } METH_PUT { env(CONFIGS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } METH_DELETE { env(CONFIGS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } METH_GET { env(CONTAINERS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } METH_HEAD { env(CONTAINERS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } METH_POST { env(CONTAINERS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } METH_PUT { env(CONTAINERS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } METH_DELETE { env(CONTAINERS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } METH_GET { env(DISTRIBUTION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } METH_HEAD { env(DISTRIBUTION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } METH_POST { env(DISTRIBUTION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } METH_PUT { env(DISTRIBUTION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } METH_DELETE { env(DISTRIBUTION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } METH_GET { env(EXEC_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } METH_HEAD { env(EXEC_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } METH_POST { env(EXEC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } METH_PUT { env(EXEC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } METH_DELETE { env(EXEC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } METH_GET { env(GRPC_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } METH_HEAD { env(GRPC_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } METH_POST { env(GRPC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } METH_PUT { env(GRPC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/grpc } METH_DELETE { env(GRPC_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } METH_GET { env(IMAGES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } METH_HEAD { env(IMAGES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } METH_POST { env(IMAGES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } METH_PUT { env(IMAGES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } METH_DELETE { env(IMAGES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } METH_GET { env(NETWORKS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } METH_HEAD { env(NETWORKS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } METH_POST { env(NETWORKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } METH_PUT { env(NETWORKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } METH_DELETE { env(NETWORKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } METH_GET { env(NODES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } METH_HEAD { env(NODES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } METH_POST { env(NODES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } METH_PUT { env(NODES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } METH_DELETE { env(NODES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } METH_GET { env(PLUGINS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } METH_HEAD { env(PLUGINS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } METH_POST { env(PLUGINS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } METH_PUT { env(PLUGINS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } METH_DELETE { env(PLUGINS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } METH_GET { env(SERVICES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } METH_HEAD { env(SERVICES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } METH_POST { env(SERVICES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } METH_PUT { env(SERVICES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } METH_DELETE { env(SERVICES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } METH_GET { env(SESSION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } METH_HEAD { env(SESSION_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } METH_POST { env(SESSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } METH_PUT { env(SESSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } METH_DELETE { env(SESSION_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } METH_GET { env(SWARM_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } METH_HEAD { env(SWARM_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } METH_POST { env(SWARM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } METH_PUT { env(SWARM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } METH_DELETE { env(SWARM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } METH_GET { env(SYSTEM_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } METH_HEAD { env(SYSTEM_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } METH_POST { env(SYSTEM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } METH_PUT { env(SYSTEM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } METH_DELETE { env(SYSTEM_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } METH_GET { env(TASKS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } METH_HEAD { env(TASKS_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } METH_POST { env(TASKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } METH_PUT { env(TASKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } METH_DELETE { env(TASKS_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } METH_GET { env(VOLUMES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } METH_HEAD { env(VOLUMES_READ) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } METH_POST { env(VOLUMES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } METH_PUT { env(VOLUMES_WRITE) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } METH_DELETE { env(VOLUMES_WRITE) -m bool }
# Deny all other requests
http-request deny
# move request to backend
default_backend docker_backend
backend docker_backend
server dockersocket $DOCKER_SOCKET_PATH