Merge ~hloeung/content-cache-charm:cleanup into content-cache-charm:master
Proposed by
Haw Loeung
Status: | Merged |
---|---|
Approved by: | Haw Loeung |
Approved revision: | 51c5baff7265d57177de0966bfa8d0c9f89e0e11 |
Merged at revision: | 3774c254f111422a5f61c2b592af906be9da33dc |
Proposed branch: | ~hloeung/content-cache-charm:cleanup |
Merge into: | content-cache-charm:master |
Prerequisite: | ~hloeung/content-cache-charm:request-unique-id |
Diff against target: | 1889 lines (+832/-832) 13 files modified |
lib/haproxy.py (+1/-1)
templates/haproxy_cfg.tmpl (+67/-67)
tests/unit/files/content_cache_rendered_haproxy_test_output.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output2.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output3.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt (+66/-66)
tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt (+72/-72)
tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt (+71/-71)
tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt (+66/-66)
tests/unit/files/haproxy_config_rendered_test_output.txt (+72/-72)
tests/unit/files/haproxy_config_rendered_test_output2.txt (+72/-72)
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Barry Price | Approve | ||
Canonical IS Reviewers | Pending | ||
Review via email: mp+396636@code.launchpad.net |
Commit message
Fix indentation so it's consistent
Description of the change
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote : | # |
Change successfully merged at revision 3774c254f111422
Preview Diff
1 | diff --git a/lib/haproxy.py b/lib/haproxy.py |
2 | index 7c0eabf..f76e083 100644 |
3 | --- a/lib/haproxy.py |
4 | +++ b/lib/haproxy.py |
5 | @@ -116,7 +116,7 @@ class HAProxyConf: |
6 | listen_stanza = """ |
7 | listen {name} |
8 | {bind_config} |
9 | - capture request header X-Cache-Request-ID len 60 |
10 | +{indent}capture request header X-Cache-Request-ID len 60 |
11 | {redirect_config}{backend_config}{default_backend}""" |
12 | backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' |
13 | redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' |
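Review bot: the new `{indent}` placeholder on the `capture request header X-Cache-Request-ID len 60` line makes `listen_stanza` depend on an `indent` argument at render time, and the call that fills the stanza is outside this hunk. If the string is rendered with `str.format`, as the `{{ ... }}` escaping in `backend_conf` and `redirect_conf` suggests, please confirm every call passes `indent`, since a missing key raises `KeyError` only when the config is generated. `{bind_config}` on the line above is still emitted without `{indent}`, so its indentation has to come from wherever that value is built; a short comment saying so would keep the two lines from drifting apart again.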
14 | diff --git a/templates/haproxy_cfg.tmpl b/templates/haproxy_cfg.tmpl |
15 | index c59938c..4b8bdcd 100644 |
16 | --- a/templates/haproxy_cfg.tmpl |
17 | +++ b/templates/haproxy_cfg.tmpl |
18 | @@ -1,91 +1,91 @@ |
19 | global |
20 | {%- if num_procs %} |
21 | - nbproc {{num_procs}} |
22 | + nbproc {{num_procs}} |
23 | {%- endif %} |
24 | {%- if num_threads %} |
25 | - nbthread {{num_threads}} |
26 | + nbthread {{num_threads}} |
27 | {%- endif %} |
28 | - maxconn {{global_max_connections}} |
29 | - log /dev/log local0 |
30 | - log /dev/log local1 notice |
31 | - chroot /var/lib/haproxy |
32 | - stats socket {{socket_path}} mode 660 level admin expose-fd listeners |
33 | - stats timeout 30s |
34 | - server-state-file {{saved_server_state_path}} |
35 | - user haproxy |
36 | - group haproxy |
37 | - daemon |
38 | + maxconn {{global_max_connections}} |
39 | + log /dev/log local0 |
40 | + log /dev/log local1 notice |
41 | + chroot /var/lib/haproxy |
42 | + stats socket {{socket_path}} mode 660 level admin expose-fd listeners |
43 | + stats timeout 30s |
44 | + server-state-file {{saved_server_state_path}} |
45 | + user haproxy |
46 | + group haproxy |
47 | + daemon |
48 | |
49 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
50 | - # and kill them off. |
51 | - hard-stop-after {{hard_stop_after}} |
52 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
53 | + # and kill them off. |
54 | + hard-stop-after {{hard_stop_after}} |
55 | |
56 | - # Default SSL material locations |
57 | - ca-base /etc/ssl/certs |
58 | - crt-base /etc/ssl/private |
59 | + # Default SSL material locations |
60 | + ca-base /etc/ssl/certs |
61 | + crt-base /etc/ssl/private |
62 | |
63 | - # Default ciphers to use on SSL-enabled listening sockets. |
64 | - # For more information, see ciphers(1SSL). This list is from: |
65 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
66 | - # An alternative list with additional directives can be obtained from |
67 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
68 | - ssl-default-bind-ciphers {{tls_cipher_suites}} |
69 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
70 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
71 | - tune.ssl.default-dh-param 2048 |
72 | + # Default ciphers to use on SSL-enabled listening sockets. |
73 | + # For more information, see ciphers(1SSL). This list is from: |
74 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
75 | + # An alternative list with additional directives can be obtained from |
76 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
77 | + ssl-default-bind-ciphers {{tls_cipher_suites}} |
78 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
79 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
80 | + tune.ssl.default-dh-param 2048 |
81 | |
82 | - # Increase the SSL/TLS session cache from the default 20k. But |
83 | - # rather than hardcode values, let's just set it to match |
84 | - # global_max_connections (which by default is calculated using |
85 | - # num. of CPU cores and num. of configured sites). Each entry |
86 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
87 | - # each with 2000 max conns will only consume around 122 Mbytes |
88 | - # (32 * 10 * 2000 * 200), which is not much. |
89 | - tune.ssl.cachesize {{global_max_connections}} |
90 | + # Increase the SSL/TLS session cache from the default 20k. But |
91 | + # rather than hardcode values, let's just set it to match |
92 | + # global_max_connections (which by default is calculated using |
93 | + # num. of CPU cores and num. of configured sites). Each entry |
94 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
95 | + # each with 2000 max conns will only consume around 122 Mbytes |
96 | + # (32 * 10 * 2000 * 200), which is not much. |
97 | + tune.ssl.cachesize {{global_max_connections}} |
98 | |
99 | defaults |
100 | - log global |
101 | - maxconn {{max_connections}} |
102 | - mode http |
103 | - option dontlognull |
104 | - timeout connect 5s |
105 | - timeout client 50s |
106 | - timeout server 50s |
107 | - errorfile 400 /etc/haproxy/errors/400.http |
108 | - errorfile 403 /etc/haproxy/errors/403.http |
109 | - errorfile 408 /etc/haproxy/errors/408.http |
110 | - errorfile 500 /etc/haproxy/errors/500.http |
111 | - errorfile 502 /etc/haproxy/errors/502.http |
112 | - errorfile 503 /etc/haproxy/errors/503.http |
113 | - errorfile 504 /etc/haproxy/errors/504.http |
114 | - load-server-state-from-file global |
115 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
116 | - unique-id-header X-Cache-Request-ID |
117 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
118 | + log global |
119 | + maxconn {{max_connections}} |
120 | + mode http |
121 | + option dontlognull |
122 | + timeout connect 5s |
123 | + timeout client 50s |
124 | + timeout server 50s |
125 | + errorfile 400 /etc/haproxy/errors/400.http |
126 | + errorfile 403 /etc/haproxy/errors/403.http |
127 | + errorfile 408 /etc/haproxy/errors/408.http |
128 | + errorfile 500 /etc/haproxy/errors/500.http |
129 | + errorfile 502 /etc/haproxy/errors/502.http |
130 | + errorfile 503 /etc/haproxy/errors/503.http |
131 | + errorfile 504 /etc/haproxy/errors/504.http |
132 | + load-server-state-from-file global |
133 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
134 | + unique-id-header X-Cache-Request-ID |
135 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
136 | |
137 | {%- if dns_servers %} |
138 | |
139 | resolvers dns |
140 | {%- for resolver in dns_servers %} |
141 | - nameserver dns{{loop.index}} {{resolver}}:53 |
142 | + nameserver dns{{loop.index}} {{resolver}}:53 |
143 | {%- endfor %} |
144 | - resolve_retries 3 |
145 | - timeout resolve 3s |
146 | - timeout retry 3s |
147 | - accepted_payload_size 8192 |
148 | + resolve_retries 3 |
149 | + timeout resolve 3s |
150 | + timeout retry 3s |
151 | + accepted_payload_size 8192 |
152 | {%- endif %} |
153 | |
154 | listen stats |
155 | - bind 127.0.0.1:10000 |
156 | - acl allowed_cidr src 127.0.0.0/8 |
157 | - http-request deny unless allowed_cidr |
158 | + bind 127.0.0.1:10000 |
159 | + acl allowed_cidr src 127.0.0.0/8 |
160 | + http-request deny unless allowed_cidr |
161 | |
162 | - mode http |
163 | - stats enable |
164 | - stats uri / |
165 | - stats realm Haproxy\ Statistics |
166 | - stats auth haproxy:{{monitoring_password}} |
167 | - stats refresh 3 |
168 | + mode http |
169 | + stats enable |
170 | + stats uri / |
171 | + stats realm Haproxy\ Statistics |
172 | + stats auth haproxy:{{monitoring_password}} |
173 | + stats refresh 3 |
174 | |
175 | {% for stanza in listen -%} |
176 | {{stanza}} |
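Review bot: in the `listen stats` block, `stats auth haproxy:{{monitoring_password}}` puts the password into the rendered config with no quoting or filter visible in the template, so a value containing whitespace or `#` would not reach HAProxy as a single argument. Since the line is being rewritten here anyway, consider validating the value before rendering or quoting it in the template. The rest of the hunk reads as whitespace-only; saying so in the commit message, and that a whitespace-insensitive diff of this file is empty, would make the 67 changed lines quick to verify.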
177 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt |
178 | index d187ca5..72bc2d3 100644 |
179 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt |
180 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt |
181 | @@ -1,81 +1,81 @@ |
182 | global |
183 | - nbthread 4 |
184 | - maxconn 106496 |
185 | - log /dev/log local0 |
186 | - log /dev/log local1 notice |
187 | - chroot /var/lib/haproxy |
188 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
189 | - stats timeout 30s |
190 | - server-state-file /run/haproxy/saved-server-state |
191 | - user haproxy |
192 | - group haproxy |
193 | - daemon |
194 | - |
195 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
196 | - # and kill them off. |
197 | - hard-stop-after 15m |
198 | - |
199 | - # Default SSL material locations |
200 | - ca-base /etc/ssl/certs |
201 | - crt-base /etc/ssl/private |
202 | - |
203 | - # Default ciphers to use on SSL-enabled listening sockets. |
204 | - # For more information, see ciphers(1SSL). This list is from: |
205 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
206 | - # An alternative list with additional directives can be obtained from |
207 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
208 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
209 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
210 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
211 | - tune.ssl.default-dh-param 2048 |
212 | - |
213 | - # Increase the SSL/TLS session cache from the default 20k. But |
214 | - # rather than hardcode values, let's just set it to match |
215 | - # global_max_connections (which by default is calculated using |
216 | - # num. of CPU cores and num. of configured sites). Each entry |
217 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
218 | - # each with 2000 max conns will only consume around 122 Mbytes |
219 | - # (32 * 10 * 2000 * 200), which is not much. |
220 | - tune.ssl.cachesize 106496 |
221 | + nbthread 4 |
222 | + maxconn 106496 |
223 | + log /dev/log local0 |
224 | + log /dev/log local1 notice |
225 | + chroot /var/lib/haproxy |
226 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
227 | + stats timeout 30s |
228 | + server-state-file /run/haproxy/saved-server-state |
229 | + user haproxy |
230 | + group haproxy |
231 | + daemon |
232 | + |
233 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
234 | + # and kill them off. |
235 | + hard-stop-after 15m |
236 | + |
237 | + # Default SSL material locations |
238 | + ca-base /etc/ssl/certs |
239 | + crt-base /etc/ssl/private |
240 | + |
241 | + # Default ciphers to use on SSL-enabled listening sockets. |
242 | + # For more information, see ciphers(1SSL). This list is from: |
243 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
244 | + # An alternative list with additional directives can be obtained from |
245 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
246 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
247 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
248 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
249 | + tune.ssl.default-dh-param 2048 |
250 | + |
251 | + # Increase the SSL/TLS session cache from the default 20k. But |
252 | + # rather than hardcode values, let's just set it to match |
253 | + # global_max_connections (which by default is calculated using |
254 | + # num. of CPU cores and num. of configured sites). Each entry |
255 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
256 | + # each with 2000 max conns will only consume around 122 Mbytes |
257 | + # (32 * 10 * 2000 * 200), which is not much. |
258 | + tune.ssl.cachesize 106496 |
259 | |
260 | defaults |
261 | - log global |
262 | - maxconn 8192 |
263 | - mode http |
264 | - option dontlognull |
265 | - timeout connect 5s |
266 | - timeout client 50s |
267 | - timeout server 50s |
268 | - errorfile 400 /etc/haproxy/errors/400.http |
269 | - errorfile 403 /etc/haproxy/errors/403.http |
270 | - errorfile 408 /etc/haproxy/errors/408.http |
271 | - errorfile 500 /etc/haproxy/errors/500.http |
272 | - errorfile 502 /etc/haproxy/errors/502.http |
273 | - errorfile 503 /etc/haproxy/errors/503.http |
274 | - errorfile 504 /etc/haproxy/errors/504.http |
275 | - load-server-state-from-file global |
276 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
277 | - unique-id-header X-Cache-Request-ID |
278 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
279 | + log global |
280 | + maxconn 8192 |
281 | + mode http |
282 | + option dontlognull |
283 | + timeout connect 5s |
284 | + timeout client 50s |
285 | + timeout server 50s |
286 | + errorfile 400 /etc/haproxy/errors/400.http |
287 | + errorfile 403 /etc/haproxy/errors/403.http |
288 | + errorfile 408 /etc/haproxy/errors/408.http |
289 | + errorfile 500 /etc/haproxy/errors/500.http |
290 | + errorfile 502 /etc/haproxy/errors/502.http |
291 | + errorfile 503 /etc/haproxy/errors/503.http |
292 | + errorfile 504 /etc/haproxy/errors/504.http |
293 | + load-server-state-from-file global |
294 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
295 | + unique-id-header X-Cache-Request-ID |
296 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
297 | |
298 | resolvers dns |
299 | - nameserver dns1 127.0.0.53:53 |
300 | - resolve_retries 3 |
301 | - timeout resolve 3s |
302 | - timeout retry 3s |
303 | - accepted_payload_size 8192 |
304 | + nameserver dns1 127.0.0.53:53 |
305 | + resolve_retries 3 |
306 | + timeout resolve 3s |
307 | + timeout retry 3s |
308 | + accepted_payload_size 8192 |
309 | |
310 | listen stats |
311 | - bind 127.0.0.1:10000 |
312 | - acl allowed_cidr src 127.0.0.0/8 |
313 | - http-request deny unless allowed_cidr |
314 | - |
315 | - mode http |
316 | - stats enable |
317 | - stats uri / |
318 | - stats realm Haproxy\ Statistics |
319 | - stats auth haproxy:biometricsarenotsecret |
320 | - stats refresh 3 |
321 | + bind 127.0.0.1:10000 |
322 | + acl allowed_cidr src 127.0.0.0/8 |
323 | + http-request deny unless allowed_cidr |
324 | + |
325 | + mode http |
326 | + stats enable |
327 | + stats uri / |
328 | + stats realm Haproxy\ Statistics |
329 | + stats auth haproxy:biometricsarenotsecret |
330 | + stats refresh 3 |
331 | |
332 | |
333 | listen combined-80 |
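Review bot: the blank separator lines inside `global` and `listen stats` appear as removed and re-added in this fixture (diff lines 194/232, 198/236, 202/240, 212/250 and 314/324), whereas the same blank lines are unchanged context in the template hunk and in `content_cache_rendered_haproxy_test_output2.txt`. That suggests one side of this file carries whitespace on otherwise empty lines. Please check that the new version has none, so the fixture matches what the template renders and the test does not lock in trailing whitespace.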
334 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt |
335 | index 15403b6..a618ceb 100644 |
336 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt |
337 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt |
338 | @@ -1,81 +1,81 @@ |
339 | global |
340 | - nbthread 4 |
341 | - maxconn 16384 |
342 | - log /dev/log local0 |
343 | - log /dev/log local1 notice |
344 | - chroot /var/lib/haproxy |
345 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
346 | - stats timeout 30s |
347 | - server-state-file /run/haproxy/saved-server-state |
348 | - user haproxy |
349 | - group haproxy |
350 | - daemon |
351 | + nbthread 4 |
352 | + maxconn 16384 |
353 | + log /dev/log local0 |
354 | + log /dev/log local1 notice |
355 | + chroot /var/lib/haproxy |
356 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
357 | + stats timeout 30s |
358 | + server-state-file /run/haproxy/saved-server-state |
359 | + user haproxy |
360 | + group haproxy |
361 | + daemon |
362 | |
363 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
364 | - # and kill them off. |
365 | - hard-stop-after 15m |
366 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
367 | + # and kill them off. |
368 | + hard-stop-after 15m |
369 | |
370 | - # Default SSL material locations |
371 | - ca-base /etc/ssl/certs |
372 | - crt-base /etc/ssl/private |
373 | + # Default SSL material locations |
374 | + ca-base /etc/ssl/certs |
375 | + crt-base /etc/ssl/private |
376 | |
377 | - # Default ciphers to use on SSL-enabled listening sockets. |
378 | - # For more information, see ciphers(1SSL). This list is from: |
379 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
380 | - # An alternative list with additional directives can be obtained from |
381 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
382 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
383 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
384 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
385 | - tune.ssl.default-dh-param 2048 |
386 | + # Default ciphers to use on SSL-enabled listening sockets. |
387 | + # For more information, see ciphers(1SSL). This list is from: |
388 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
389 | + # An alternative list with additional directives can be obtained from |
390 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
391 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
392 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
393 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
394 | + tune.ssl.default-dh-param 2048 |
395 | |
396 | - # Increase the SSL/TLS session cache from the default 20k. But |
397 | - # rather than hardcode values, let's just set it to match |
398 | - # global_max_connections (which by default is calculated using |
399 | - # num. of CPU cores and num. of configured sites). Each entry |
400 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
401 | - # each with 2000 max conns will only consume around 122 Mbytes |
402 | - # (32 * 10 * 2000 * 200), which is not much. |
403 | - tune.ssl.cachesize 16384 |
404 | + # Increase the SSL/TLS session cache from the default 20k. But |
405 | + # rather than hardcode values, let's just set it to match |
406 | + # global_max_connections (which by default is calculated using |
407 | + # num. of CPU cores and num. of configured sites). Each entry |
408 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
409 | + # each with 2000 max conns will only consume around 122 Mbytes |
410 | + # (32 * 10 * 2000 * 200), which is not much. |
411 | + tune.ssl.cachesize 16384 |
412 | |
413 | defaults |
414 | - log global |
415 | - maxconn 8192 |
416 | - mode http |
417 | - option dontlognull |
418 | - timeout connect 5s |
419 | - timeout client 50s |
420 | - timeout server 50s |
421 | - errorfile 400 /etc/haproxy/errors/400.http |
422 | - errorfile 403 /etc/haproxy/errors/403.http |
423 | - errorfile 408 /etc/haproxy/errors/408.http |
424 | - errorfile 500 /etc/haproxy/errors/500.http |
425 | - errorfile 502 /etc/haproxy/errors/502.http |
426 | - errorfile 503 /etc/haproxy/errors/503.http |
427 | - errorfile 504 /etc/haproxy/errors/504.http |
428 | - load-server-state-from-file global |
429 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
430 | - unique-id-header X-Cache-Request-ID |
431 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
432 | + log global |
433 | + maxconn 8192 |
434 | + mode http |
435 | + option dontlognull |
436 | + timeout connect 5s |
437 | + timeout client 50s |
438 | + timeout server 50s |
439 | + errorfile 400 /etc/haproxy/errors/400.http |
440 | + errorfile 403 /etc/haproxy/errors/403.http |
441 | + errorfile 408 /etc/haproxy/errors/408.http |
442 | + errorfile 500 /etc/haproxy/errors/500.http |
443 | + errorfile 502 /etc/haproxy/errors/502.http |
444 | + errorfile 503 /etc/haproxy/errors/503.http |
445 | + errorfile 504 /etc/haproxy/errors/504.http |
446 | + load-server-state-from-file global |
447 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
448 | + unique-id-header X-Cache-Request-ID |
449 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
450 | |
451 | resolvers dns |
452 | - nameserver dns1 127.0.0.53:53 |
453 | - resolve_retries 3 |
454 | - timeout resolve 3s |
455 | - timeout retry 3s |
456 | - accepted_payload_size 8192 |
457 | + nameserver dns1 127.0.0.53:53 |
458 | + resolve_retries 3 |
459 | + timeout resolve 3s |
460 | + timeout retry 3s |
461 | + accepted_payload_size 8192 |
462 | |
463 | listen stats |
464 | - bind 127.0.0.1:10000 |
465 | - acl allowed_cidr src 127.0.0.0/8 |
466 | - http-request deny unless allowed_cidr |
467 | + bind 127.0.0.1:10000 |
468 | + acl allowed_cidr src 127.0.0.0/8 |
469 | + http-request deny unless allowed_cidr |
470 | |
471 | - mode http |
472 | - stats enable |
473 | - stats uri / |
474 | - stats realm Haproxy\ Statistics |
475 | - stats auth haproxy:biometricsarenotsecret |
476 | - stats refresh 3 |
477 | + mode http |
478 | + stats enable |
479 | + stats uri / |
480 | + stats realm Haproxy\ Statistics |
481 | + stats auth haproxy:biometricsarenotsecret |
482 | + stats refresh 3 |
483 | |
484 | |
485 | listen cached-site1-local |
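Review bot: this 66-line hunk repeats the `global`, `defaults`, `resolvers dns` and `listen stats` re-indent already made in `content_cache_rendered_haproxy_test_output.txt`, with only the `maxconn` and `tune.ssl.cachesize` values differing (16384 here), and the file list shows the same edit in eleven fixtures. Consider having the tests share one expected header fragment, parameterised on those values, so that a formatting-only change to `templates/haproxy_cfg.tmpl` touches one fixture instead of eleven and a real difference in a single fixture stands out in review.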
486 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt |
487 | index d87592f..af75f2c 100644 |
488 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt |
489 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt |
490 | @@ -1,81 +1,81 @@ |
491 | global |
492 | - nbthread 4 |
493 | - maxconn 24576 |
494 | - log /dev/log local0 |
495 | - log /dev/log local1 notice |
496 | - chroot /var/lib/haproxy |
497 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
498 | - stats timeout 30s |
499 | - server-state-file /run/haproxy/saved-server-state |
500 | - user haproxy |
501 | - group haproxy |
502 | - daemon |
503 | + nbthread 4 |
504 | + maxconn 24576 |
505 | + log /dev/log local0 |
506 | + log /dev/log local1 notice |
507 | + chroot /var/lib/haproxy |
508 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
509 | + stats timeout 30s |
510 | + server-state-file /run/haproxy/saved-server-state |
511 | + user haproxy |
512 | + group haproxy |
513 | + daemon |
514 | |
515 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
516 | - # and kill them off. |
517 | - hard-stop-after 15m |
518 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
519 | + # and kill them off. |
520 | + hard-stop-after 15m |
521 | |
522 | - # Default SSL material locations |
523 | - ca-base /etc/ssl/certs |
524 | - crt-base /etc/ssl/private |
525 | + # Default SSL material locations |
526 | + ca-base /etc/ssl/certs |
527 | + crt-base /etc/ssl/private |
528 | |
529 | - # Default ciphers to use on SSL-enabled listening sockets. |
530 | - # For more information, see ciphers(1SSL). This list is from: |
531 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
532 | - # An alternative list with additional directives can be obtained from |
533 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
534 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
535 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
536 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
537 | - tune.ssl.default-dh-param 2048 |
538 | + # Default ciphers to use on SSL-enabled listening sockets. |
539 | + # For more information, see ciphers(1SSL). This list is from: |
540 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
541 | + # An alternative list with additional directives can be obtained from |
542 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
543 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
544 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
545 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
546 | + tune.ssl.default-dh-param 2048 |
547 | |
548 | - # Increase the SSL/TLS session cache from the default 20k. But |
549 | - # rather than hardcode values, let's just set it to match |
550 | - # global_max_connections (which by default is calculated using |
551 | - # num. of CPU cores and num. of configured sites). Each entry |
552 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
553 | - # each with 2000 max conns will only consume around 122 Mbytes |
554 | - # (32 * 10 * 2000 * 200), which is not much. |
555 | - tune.ssl.cachesize 24576 |
556 | + # Increase the SSL/TLS session cache from the default 20k. But |
557 | + # rather than hardcode values, let's just set it to match |
558 | + # global_max_connections (which by default is calculated using |
559 | + # num. of CPU cores and num. of configured sites). Each entry |
560 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
561 | + # each with 2000 max conns will only consume around 122 Mbytes |
562 | + # (32 * 10 * 2000 * 200), which is not much. |
563 | + tune.ssl.cachesize 24576 |
564 | |
565 | defaults |
566 | - log global |
567 | - maxconn 8192 |
568 | - mode http |
569 | - option dontlognull |
570 | - timeout connect 5s |
571 | - timeout client 50s |
572 | - timeout server 50s |
573 | - errorfile 400 /etc/haproxy/errors/400.http |
574 | - errorfile 403 /etc/haproxy/errors/403.http |
575 | - errorfile 408 /etc/haproxy/errors/408.http |
576 | - errorfile 500 /etc/haproxy/errors/500.http |
577 | - errorfile 502 /etc/haproxy/errors/502.http |
578 | - errorfile 503 /etc/haproxy/errors/503.http |
579 | - errorfile 504 /etc/haproxy/errors/504.http |
580 | - load-server-state-from-file global |
581 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
582 | - unique-id-header X-Cache-Request-ID |
583 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
584 | + log global |
585 | + maxconn 8192 |
586 | + mode http |
587 | + option dontlognull |
588 | + timeout connect 5s |
589 | + timeout client 50s |
590 | + timeout server 50s |
591 | + errorfile 400 /etc/haproxy/errors/400.http |
592 | + errorfile 403 /etc/haproxy/errors/403.http |
593 | + errorfile 408 /etc/haproxy/errors/408.http |
594 | + errorfile 500 /etc/haproxy/errors/500.http |
595 | + errorfile 502 /etc/haproxy/errors/502.http |
596 | + errorfile 503 /etc/haproxy/errors/503.http |
597 | + errorfile 504 /etc/haproxy/errors/504.http |
598 | + load-server-state-from-file global |
599 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
600 | + unique-id-header X-Cache-Request-ID |
601 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
602 | |
603 | resolvers dns |
604 | - nameserver dns1 127.0.0.53:53 |
605 | - resolve_retries 3 |
606 | - timeout resolve 3s |
607 | - timeout retry 3s |
608 | - accepted_payload_size 8192 |
609 | + nameserver dns1 127.0.0.53:53 |
610 | + resolve_retries 3 |
611 | + timeout resolve 3s |
612 | + timeout retry 3s |
613 | + accepted_payload_size 8192 |
614 | |
615 | listen stats |
616 | - bind 127.0.0.1:10000 |
617 | - acl allowed_cidr src 127.0.0.0/8 |
618 | - http-request deny unless allowed_cidr |
619 | + bind 127.0.0.1:10000 |
620 | + acl allowed_cidr src 127.0.0.0/8 |
621 | + http-request deny unless allowed_cidr |
622 | |
623 | - mode http |
624 | - stats enable |
625 | - stats uri / |
626 | - stats realm Haproxy\ Statistics |
627 | - stats auth haproxy:biometricsarenotsecret |
628 | - stats refresh 3 |
629 | + mode http |
630 | + stats enable |
631 | + stats uri / |
632 | + stats realm Haproxy\ Statistics |
633 | + stats auth haproxy:biometricsarenotsecret |
634 | + stats refresh 3 |
635 | |
636 | |
637 | listen redirect-site1-local |
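Review bot: the rendered `ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1` in this fixture lists only ECDHE entries, yet the comment two lines below still reads "We'll eventually disable DHE (LP#1825321), but for now, bump DH params" and `tune.ssl.default-dh-param 2048` is kept. With this cipher list no DHE suite is offered, so the comment is stale for this rendering. As the template lines are being rewritten in this change, consider rewording the comment there to say the DH parameter only matters when `tls_cipher_suites` includes DHE suites.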
638 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt |
639 | index 070f1b7..25b27e5 100644 |
640 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt |
641 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt |
642 | @@ -1,81 +1,81 @@ |
643 | global |
644 | - nbthread 4 |
645 | - maxconn 104000 |
646 | - log /dev/log local0 |
647 | - log /dev/log local1 notice |
648 | - chroot /var/lib/haproxy |
649 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
650 | - stats timeout 30s |
651 | - server-state-file /run/haproxy/saved-server-state |
652 | - user haproxy |
653 | - group haproxy |
654 | - daemon |
655 | - |
656 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
657 | - # and kill them off. |
658 | - hard-stop-after 15m |
659 | - |
660 | - # Default SSL material locations |
661 | - ca-base /etc/ssl/certs |
662 | - crt-base /etc/ssl/private |
663 | - |
664 | - # Default ciphers to use on SSL-enabled listening sockets. |
665 | - # For more information, see ciphers(1SSL). This list is from: |
666 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
667 | - # An alternative list with additional directives can be obtained from |
668 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
669 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
670 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
671 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
672 | - tune.ssl.default-dh-param 2048 |
673 | - |
674 | - # Increase the SSL/TLS session cache from the default 20k. But |
675 | - # rather than hardcode values, let's just set it to match |
676 | - # global_max_connections (which by default is calculated using |
677 | - # num. of CPU cores and num. of configured sites). Each entry |
678 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
679 | - # each with 2000 max conns will only consume around 122 Mbytes |
680 | - # (32 * 10 * 2000 * 200), which is not much. |
681 | - tune.ssl.cachesize 104000 |
682 | + nbthread 4 |
683 | + maxconn 104000 |
684 | + log /dev/log local0 |
685 | + log /dev/log local1 notice |
686 | + chroot /var/lib/haproxy |
687 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
688 | + stats timeout 30s |
689 | + server-state-file /run/haproxy/saved-server-state |
690 | + user haproxy |
691 | + group haproxy |
692 | + daemon |
693 | + |
694 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
695 | + # and kill them off. |
696 | + hard-stop-after 15m |
697 | + |
698 | + # Default SSL material locations |
699 | + ca-base /etc/ssl/certs |
700 | + crt-base /etc/ssl/private |
701 | + |
702 | + # Default ciphers to use on SSL-enabled listening sockets. |
703 | + # For more information, see ciphers(1SSL). This list is from: |
704 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
705 | + # An alternative list with additional directives can be obtained from |
706 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
707 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
708 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
709 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
710 | + tune.ssl.default-dh-param 2048 |
711 | + |
712 | + # Increase the SSL/TLS session cache from the default 20k. But |
713 | + # rather than hardcode values, let's just set it to match |
714 | + # global_max_connections (which by default is calculated using |
715 | + # num. of CPU cores and num. of configured sites). Each entry |
716 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
717 | + # each with 2000 max conns will only consume around 122 Mbytes |
718 | + # (32 * 10 * 2000 * 200), which is not much. |
719 | + tune.ssl.cachesize 104000 |
720 | |
721 | defaults |
722 | - log global |
723 | - maxconn 8000 |
724 | - mode http |
725 | - option dontlognull |
726 | - timeout connect 5s |
727 | - timeout client 50s |
728 | - timeout server 50s |
729 | - errorfile 400 /etc/haproxy/errors/400.http |
730 | - errorfile 403 /etc/haproxy/errors/403.http |
731 | - errorfile 408 /etc/haproxy/errors/408.http |
732 | - errorfile 500 /etc/haproxy/errors/500.http |
733 | - errorfile 502 /etc/haproxy/errors/502.http |
734 | - errorfile 503 /etc/haproxy/errors/503.http |
735 | - errorfile 504 /etc/haproxy/errors/504.http |
736 | - load-server-state-from-file global |
737 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
738 | - unique-id-header X-Cache-Request-ID |
739 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
740 | + log global |
741 | + maxconn 8000 |
742 | + mode http |
743 | + option dontlognull |
744 | + timeout connect 5s |
745 | + timeout client 50s |
746 | + timeout server 50s |
747 | + errorfile 400 /etc/haproxy/errors/400.http |
748 | + errorfile 403 /etc/haproxy/errors/403.http |
749 | + errorfile 408 /etc/haproxy/errors/408.http |
750 | + errorfile 500 /etc/haproxy/errors/500.http |
751 | + errorfile 502 /etc/haproxy/errors/502.http |
752 | + errorfile 503 /etc/haproxy/errors/503.http |
753 | + errorfile 504 /etc/haproxy/errors/504.http |
754 | + load-server-state-from-file global |
755 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
756 | + unique-id-header X-Cache-Request-ID |
757 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
758 | |
759 | resolvers dns |
760 | - nameserver dns1 127.0.0.53:53 |
761 | - resolve_retries 3 |
762 | - timeout resolve 3s |
763 | - timeout retry 3s |
764 | - accepted_payload_size 8192 |
765 | + nameserver dns1 127.0.0.53:53 |
766 | + resolve_retries 3 |
767 | + timeout resolve 3s |
768 | + timeout retry 3s |
769 | + accepted_payload_size 8192 |
770 | |
771 | listen stats |
772 | - bind 127.0.0.1:10000 |
773 | - acl allowed_cidr src 127.0.0.0/8 |
774 | - http-request deny unless allowed_cidr |
775 | - |
776 | - mode http |
777 | - stats enable |
778 | - stats uri / |
779 | - stats realm Haproxy\ Statistics |
780 | - stats auth haproxy:biometricsarenotsecret |
781 | - stats refresh 3 |
782 | + bind 127.0.0.1:10000 |
783 | + acl allowed_cidr src 127.0.0.0/8 |
784 | + http-request deny unless allowed_cidr |
785 | + |
786 | + mode http |
787 | + stats enable |
788 | + stats uri / |
789 | + stats realm Haproxy\ Statistics |
790 | + stats auth haproxy:biometricsarenotsecret |
791 | + stats refresh 3 |
792 | |
793 | |
794 | listen combined-80 |
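Review bot: the comment `# We'll eventually disable DHE (LP#1825321), but for now, bump DH params` above `tune.ssl.default-dh-param 2048` sits directly under an `ssl-default-bind-ciphers` string that lists only ECDHE suites. If no bind line overrides the default cipher list with DHE suites, the DH parameter setting has nothing to act on and the comment is stale; either drop both lines or reword the comment to say where DHE is still offered.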
795 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt |
796 | index 4ad1982..d42878a 100644 |
797 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt |
798 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_backup.txt |
799 | @@ -1,81 +1,81 @@ |
800 | global |
801 | - nbthread 4 |
802 | - maxconn 24576 |
803 | - log /dev/log local0 |
804 | - log /dev/log local1 notice |
805 | - chroot /var/lib/haproxy |
806 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
807 | - stats timeout 30s |
808 | - server-state-file /run/haproxy/saved-server-state |
809 | - user haproxy |
810 | - group haproxy |
811 | - daemon |
812 | + nbthread 4 |
813 | + maxconn 24576 |
814 | + log /dev/log local0 |
815 | + log /dev/log local1 notice |
816 | + chroot /var/lib/haproxy |
817 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
818 | + stats timeout 30s |
819 | + server-state-file /run/haproxy/saved-server-state |
820 | + user haproxy |
821 | + group haproxy |
822 | + daemon |
823 | |
824 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
825 | - # and kill them off. |
826 | - hard-stop-after 15m |
827 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
828 | + # and kill them off. |
829 | + hard-stop-after 15m |
830 | |
831 | - # Default SSL material locations |
832 | - ca-base /etc/ssl/certs |
833 | - crt-base /etc/ssl/private |
834 | + # Default SSL material locations |
835 | + ca-base /etc/ssl/certs |
836 | + crt-base /etc/ssl/private |
837 | |
838 | - # Default ciphers to use on SSL-enabled listening sockets. |
839 | - # For more information, see ciphers(1SSL). This list is from: |
840 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
841 | - # An alternative list with additional directives can be obtained from |
842 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
843 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
844 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
845 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
846 | - tune.ssl.default-dh-param 2048 |
847 | + # Default ciphers to use on SSL-enabled listening sockets. |
848 | + # For more information, see ciphers(1SSL). This list is from: |
849 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
850 | + # An alternative list with additional directives can be obtained from |
851 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
852 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
853 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
854 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
855 | + tune.ssl.default-dh-param 2048 |
856 | |
857 | - # Increase the SSL/TLS session cache from the default 20k. But |
858 | - # rather than hardcode values, let's just set it to match |
859 | - # global_max_connections (which by default is calculated using |
860 | - # num. of CPU cores and num. of configured sites). Each entry |
861 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
862 | - # each with 2000 max conns will only consume around 122 Mbytes |
863 | - # (32 * 10 * 2000 * 200), which is not much. |
864 | - tune.ssl.cachesize 24576 |
865 | + # Increase the SSL/TLS session cache from the default 20k. But |
866 | + # rather than hardcode values, let's just set it to match |
867 | + # global_max_connections (which by default is calculated using |
868 | + # num. of CPU cores and num. of configured sites). Each entry |
869 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
870 | + # each with 2000 max conns will only consume around 122 Mbytes |
871 | + # (32 * 10 * 2000 * 200), which is not much. |
872 | + tune.ssl.cachesize 24576 |
873 | |
874 | defaults |
875 | - log global |
876 | - maxconn 8192 |
877 | - mode http |
878 | - option dontlognull |
879 | - timeout connect 5s |
880 | - timeout client 50s |
881 | - timeout server 50s |
882 | - errorfile 400 /etc/haproxy/errors/400.http |
883 | - errorfile 403 /etc/haproxy/errors/403.http |
884 | - errorfile 408 /etc/haproxy/errors/408.http |
885 | - errorfile 500 /etc/haproxy/errors/500.http |
886 | - errorfile 502 /etc/haproxy/errors/502.http |
887 | - errorfile 503 /etc/haproxy/errors/503.http |
888 | - errorfile 504 /etc/haproxy/errors/504.http |
889 | - load-server-state-from-file global |
890 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
891 | - unique-id-header X-Cache-Request-ID |
892 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
893 | + log global |
894 | + maxconn 8192 |
895 | + mode http |
896 | + option dontlognull |
897 | + timeout connect 5s |
898 | + timeout client 50s |
899 | + timeout server 50s |
900 | + errorfile 400 /etc/haproxy/errors/400.http |
901 | + errorfile 403 /etc/haproxy/errors/403.http |
902 | + errorfile 408 /etc/haproxy/errors/408.http |
903 | + errorfile 500 /etc/haproxy/errors/500.http |
904 | + errorfile 502 /etc/haproxy/errors/502.http |
905 | + errorfile 503 /etc/haproxy/errors/503.http |
906 | + errorfile 504 /etc/haproxy/errors/504.http |
907 | + load-server-state-from-file global |
908 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
909 | + unique-id-header X-Cache-Request-ID |
910 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
911 | |
912 | resolvers dns |
913 | - nameserver dns1 127.0.0.53:53 |
914 | - resolve_retries 3 |
915 | - timeout resolve 3s |
916 | - timeout retry 3s |
917 | - accepted_payload_size 8192 |
918 | + nameserver dns1 127.0.0.53:53 |
919 | + resolve_retries 3 |
920 | + timeout resolve 3s |
921 | + timeout retry 3s |
922 | + accepted_payload_size 8192 |
923 | |
924 | listen stats |
925 | - bind 127.0.0.1:10000 |
926 | - acl allowed_cidr src 127.0.0.0/8 |
927 | - http-request deny unless allowed_cidr |
928 | + bind 127.0.0.1:10000 |
929 | + acl allowed_cidr src 127.0.0.0/8 |
930 | + http-request deny unless allowed_cidr |
931 | |
932 | - mode http |
933 | - stats enable |
934 | - stats uri / |
935 | - stats realm Haproxy\ Statistics |
936 | - stats auth haproxy:biometricsarenotsecret |
937 | - stats refresh 3 |
938 | + mode http |
939 | + stats enable |
940 | + stats uri / |
941 | + stats realm Haproxy\ Statistics |
942 | + stats auth haproxy:biometricsarenotsecret |
943 | + stats refresh 3 |
944 | |
945 | |
946 | listen cached-site1-local |
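Review bot: the comment `# LP#1874386: Work around lingering HAProxy processes as per LP:1874386` above `hard-stop-after 15m` cites the same bug twice in two notations. Since every line of the block is rewritten here, shorten it to a single reference, for example `# LP#1874386: kill off lingering HAProxy processes.`, and make the same change in the template so the fixtures stay in step.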
947 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt |
948 | index 14380ea..c17ee47 100644 |
949 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt |
950 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt |
951 | @@ -1,81 +1,81 @@ |
952 | global |
953 | - nbthread 4 |
954 | - maxconn 106496 |
955 | - log /dev/log local0 |
956 | - log /dev/log local1 notice |
957 | - chroot /var/lib/haproxy |
958 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
959 | - stats timeout 30s |
960 | - server-state-file /run/haproxy/saved-server-state |
961 | - user haproxy |
962 | - group haproxy |
963 | - daemon |
964 | - |
965 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
966 | - # and kill them off. |
967 | - hard-stop-after 15m |
968 | - |
969 | - # Default SSL material locations |
970 | - ca-base /etc/ssl/certs |
971 | - crt-base /etc/ssl/private |
972 | - |
973 | - # Default ciphers to use on SSL-enabled listening sockets. |
974 | - # For more information, see ciphers(1SSL). This list is from: |
975 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
976 | - # An alternative list with additional directives can be obtained from |
977 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
978 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
979 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
980 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
981 | - tune.ssl.default-dh-param 2048 |
982 | - |
983 | - # Increase the SSL/TLS session cache from the default 20k. But |
984 | - # rather than hardcode values, let's just set it to match |
985 | - # global_max_connections (which by default is calculated using |
986 | - # num. of CPU cores and num. of configured sites). Each entry |
987 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
988 | - # each with 2000 max conns will only consume around 122 Mbytes |
989 | - # (32 * 10 * 2000 * 200), which is not much. |
990 | - tune.ssl.cachesize 106496 |
991 | + nbthread 4 |
992 | + maxconn 106496 |
993 | + log /dev/log local0 |
994 | + log /dev/log local1 notice |
995 | + chroot /var/lib/haproxy |
996 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
997 | + stats timeout 30s |
998 | + server-state-file /run/haproxy/saved-server-state |
999 | + user haproxy |
1000 | + group haproxy |
1001 | + daemon |
1002 | + |
1003 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1004 | + # and kill them off. |
1005 | + hard-stop-after 15m |
1006 | + |
1007 | + # Default SSL material locations |
1008 | + ca-base /etc/ssl/certs |
1009 | + crt-base /etc/ssl/private |
1010 | + |
1011 | + # Default ciphers to use on SSL-enabled listening sockets. |
1012 | + # For more information, see ciphers(1SSL). This list is from: |
1013 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1014 | + # An alternative list with additional directives can be obtained from |
1015 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1016 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1017 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1018 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1019 | + tune.ssl.default-dh-param 2048 |
1020 | + |
1021 | + # Increase the SSL/TLS session cache from the default 20k. But |
1022 | + # rather than hardcode values, let's just set it to match |
1023 | + # global_max_connections (which by default is calculated using |
1024 | + # num. of CPU cores and num. of configured sites). Each entry |
1025 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1026 | + # each with 2000 max conns will only consume around 122 Mbytes |
1027 | + # (32 * 10 * 2000 * 200), which is not much. |
1028 | + tune.ssl.cachesize 106496 |
1029 | |
1030 | defaults |
1031 | - log global |
1032 | - maxconn 8192 |
1033 | - mode http |
1034 | - option dontlognull |
1035 | - timeout connect 5s |
1036 | - timeout client 50s |
1037 | - timeout server 50s |
1038 | - errorfile 400 /etc/haproxy/errors/400.http |
1039 | - errorfile 403 /etc/haproxy/errors/403.http |
1040 | - errorfile 408 /etc/haproxy/errors/408.http |
1041 | - errorfile 500 /etc/haproxy/errors/500.http |
1042 | - errorfile 502 /etc/haproxy/errors/502.http |
1043 | - errorfile 503 /etc/haproxy/errors/503.http |
1044 | - errorfile 504 /etc/haproxy/errors/504.http |
1045 | - load-server-state-from-file global |
1046 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1047 | - unique-id-header X-Cache-Request-ID |
1048 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1049 | + log global |
1050 | + maxconn 8192 |
1051 | + mode http |
1052 | + option dontlognull |
1053 | + timeout connect 5s |
1054 | + timeout client 50s |
1055 | + timeout server 50s |
1056 | + errorfile 400 /etc/haproxy/errors/400.http |
1057 | + errorfile 403 /etc/haproxy/errors/403.http |
1058 | + errorfile 408 /etc/haproxy/errors/408.http |
1059 | + errorfile 500 /etc/haproxy/errors/500.http |
1060 | + errorfile 502 /etc/haproxy/errors/502.http |
1061 | + errorfile 503 /etc/haproxy/errors/503.http |
1062 | + errorfile 504 /etc/haproxy/errors/504.http |
1063 | + load-server-state-from-file global |
1064 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1065 | + unique-id-header X-Cache-Request-ID |
1066 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1067 | |
1068 | resolvers dns |
1069 | - nameserver dns1 127.0.0.53:53 |
1070 | - resolve_retries 3 |
1071 | - timeout resolve 3s |
1072 | - timeout retry 3s |
1073 | - accepted_payload_size 8192 |
1074 | + nameserver dns1 127.0.0.53:53 |
1075 | + resolve_retries 3 |
1076 | + timeout resolve 3s |
1077 | + timeout retry 3s |
1078 | + accepted_payload_size 8192 |
1079 | |
1080 | listen stats |
1081 | - bind 127.0.0.1:10000 |
1082 | - acl allowed_cidr src 127.0.0.0/8 |
1083 | - http-request deny unless allowed_cidr |
1084 | - |
1085 | - mode http |
1086 | - stats enable |
1087 | - stats uri / |
1088 | - stats realm Haproxy\ Statistics |
1089 | - stats auth haproxy:biometricsarenotsecret |
1090 | - stats refresh 3 |
1091 | + bind 127.0.0.1:10000 |
1092 | + acl allowed_cidr src 127.0.0.0/8 |
1093 | + http-request deny unless allowed_cidr |
1094 | + |
1095 | + mode http |
1096 | + stats enable |
1097 | + stats uri / |
1098 | + stats realm Haproxy\ Statistics |
1099 | + stats auth haproxy:biometricsarenotsecret |
1100 | + stats refresh 3 |
1101 | |
1102 | |
1103 | listen combined-80 |
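Review bot: the empty lines inside `global` and `listen stats` (after `daemon`, before `mode http`) appear as `-`/`+` pairs in this hunk, whereas the backup fixture above keeps them as unchanged context. One side of this file therefore has whitespace on otherwise empty lines. Confirm the `+` side is the clean one, since the commit is about consistent indentation and whitespace-only lines in an expected-output fixture make exact-match tests fragile.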
1104 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt |
1105 | index 72d1109..a27ff31 100644 |
1106 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt |
1107 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt |
1108 | @@ -1,82 +1,82 @@ |
1109 | global |
1110 | - nbproc 3 |
1111 | - nbthread 10 |
1112 | - maxconn 260000 |
1113 | - log /dev/log local0 |
1114 | - log /dev/log local1 notice |
1115 | - chroot /var/lib/haproxy |
1116 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1117 | - stats timeout 30s |
1118 | - server-state-file /run/haproxy/saved-server-state |
1119 | - user haproxy |
1120 | - group haproxy |
1121 | - daemon |
1122 | - |
1123 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1124 | - # and kill them off. |
1125 | - hard-stop-after 15m |
1126 | - |
1127 | - # Default SSL material locations |
1128 | - ca-base /etc/ssl/certs |
1129 | - crt-base /etc/ssl/private |
1130 | - |
1131 | - # Default ciphers to use on SSL-enabled listening sockets. |
1132 | - # For more information, see ciphers(1SSL). This list is from: |
1133 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1134 | - # An alternative list with additional directives can be obtained from |
1135 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1136 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1137 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1138 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1139 | - tune.ssl.default-dh-param 2048 |
1140 | - |
1141 | - # Increase the SSL/TLS session cache from the default 20k. But |
1142 | - # rather than hardcode values, let's just set it to match |
1143 | - # global_max_connections (which by default is calculated using |
1144 | - # num. of CPU cores and num. of configured sites). Each entry |
1145 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1146 | - # each with 2000 max conns will only consume around 122 Mbytes |
1147 | - # (32 * 10 * 2000 * 200), which is not much. |
1148 | - tune.ssl.cachesize 260000 |
1149 | + nbproc 3 |
1150 | + nbthread 10 |
1151 | + maxconn 260000 |
1152 | + log /dev/log local0 |
1153 | + log /dev/log local1 notice |
1154 | + chroot /var/lib/haproxy |
1155 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1156 | + stats timeout 30s |
1157 | + server-state-file /run/haproxy/saved-server-state |
1158 | + user haproxy |
1159 | + group haproxy |
1160 | + daemon |
1161 | + |
1162 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1163 | + # and kill them off. |
1164 | + hard-stop-after 15m |
1165 | + |
1166 | + # Default SSL material locations |
1167 | + ca-base /etc/ssl/certs |
1168 | + crt-base /etc/ssl/private |
1169 | + |
1170 | + # Default ciphers to use on SSL-enabled listening sockets. |
1171 | + # For more information, see ciphers(1SSL). This list is from: |
1172 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1173 | + # An alternative list with additional directives can be obtained from |
1174 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1175 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1176 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1177 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1178 | + tune.ssl.default-dh-param 2048 |
1179 | + |
1180 | + # Increase the SSL/TLS session cache from the default 20k. But |
1181 | + # rather than hardcode values, let's just set it to match |
1182 | + # global_max_connections (which by default is calculated using |
1183 | + # num. of CPU cores and num. of configured sites). Each entry |
1184 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1185 | + # each with 2000 max conns will only consume around 122 Mbytes |
1186 | + # (32 * 10 * 2000 * 200), which is not much. |
1187 | + tune.ssl.cachesize 260000 |
1188 | |
1189 | defaults |
1190 | - log global |
1191 | - maxconn 20000 |
1192 | - mode http |
1193 | - option dontlognull |
1194 | - timeout connect 5s |
1195 | - timeout client 50s |
1196 | - timeout server 50s |
1197 | - errorfile 400 /etc/haproxy/errors/400.http |
1198 | - errorfile 403 /etc/haproxy/errors/403.http |
1199 | - errorfile 408 /etc/haproxy/errors/408.http |
1200 | - errorfile 500 /etc/haproxy/errors/500.http |
1201 | - errorfile 502 /etc/haproxy/errors/502.http |
1202 | - errorfile 503 /etc/haproxy/errors/503.http |
1203 | - errorfile 504 /etc/haproxy/errors/504.http |
1204 | - load-server-state-from-file global |
1205 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1206 | - unique-id-header X-Cache-Request-ID |
1207 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1208 | + log global |
1209 | + maxconn 20000 |
1210 | + mode http |
1211 | + option dontlognull |
1212 | + timeout connect 5s |
1213 | + timeout client 50s |
1214 | + timeout server 50s |
1215 | + errorfile 400 /etc/haproxy/errors/400.http |
1216 | + errorfile 403 /etc/haproxy/errors/403.http |
1217 | + errorfile 408 /etc/haproxy/errors/408.http |
1218 | + errorfile 500 /etc/haproxy/errors/500.http |
1219 | + errorfile 502 /etc/haproxy/errors/502.http |
1220 | + errorfile 503 /etc/haproxy/errors/503.http |
1221 | + errorfile 504 /etc/haproxy/errors/504.http |
1222 | + load-server-state-from-file global |
1223 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1224 | + unique-id-header X-Cache-Request-ID |
1225 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1226 | |
1227 | resolvers dns |
1228 | - nameserver dns1 127.0.0.53:53 |
1229 | - resolve_retries 3 |
1230 | - timeout resolve 3s |
1231 | - timeout retry 3s |
1232 | - accepted_payload_size 8192 |
1233 | + nameserver dns1 127.0.0.53:53 |
1234 | + resolve_retries 3 |
1235 | + timeout resolve 3s |
1236 | + timeout retry 3s |
1237 | + accepted_payload_size 8192 |
1238 | |
1239 | listen stats |
1240 | - bind 127.0.0.1:10000 |
1241 | - acl allowed_cidr src 127.0.0.0/8 |
1242 | - http-request deny unless allowed_cidr |
1243 | - |
1244 | - mode http |
1245 | - stats enable |
1246 | - stats uri / |
1247 | - stats realm Haproxy\ Statistics |
1248 | - stats auth haproxy:biometricsarenotsecret |
1249 | - stats refresh 3 |
1250 | + bind 127.0.0.1:10000 |
1251 | + acl allowed_cidr src 127.0.0.0/8 |
1252 | + http-request deny unless allowed_cidr |
1253 | + |
1254 | + mode http |
1255 | + stats enable |
1256 | + stats uri / |
1257 | + stats realm Haproxy\ Statistics |
1258 | + stats auth haproxy:biometricsarenotsecret |
1259 | + stats refresh 3 |
1260 | |
1261 | |
1262 | listen combined-80 |
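Review bot: with `nbproc 3` at the top of `global`, the single `stats socket /run/haproxy/admin.sock` line (`level admin`) and the `listen stats` block on 127.0.0.1:10000 are not tied to a process, so counters and admin commands reach only whichever process answers. This is not caused by the re-indent, but it is worth a follow-up: one socket per process using the `process` bind option, or a comment in the template stating that per-process stats are accepted.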
1263 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt |
1264 | index 015bc9c..2a6ee1a 100644 |
1265 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt |
1266 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt |
1267 | @@ -1,81 +1,81 @@ |
1268 | global |
1269 | - nbthread 30 |
1270 | - maxconn 524288 |
1271 | - log /dev/log local0 |
1272 | - log /dev/log local1 notice |
1273 | - chroot /var/lib/haproxy |
1274 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1275 | - stats timeout 30s |
1276 | - server-state-file /run/haproxy/saved-server-state |
1277 | - user haproxy |
1278 | - group haproxy |
1279 | - daemon |
1280 | - |
1281 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1282 | - # and kill them off. |
1283 | - hard-stop-after 15m |
1284 | - |
1285 | - # Default SSL material locations |
1286 | - ca-base /etc/ssl/certs |
1287 | - crt-base /etc/ssl/private |
1288 | - |
1289 | - # Default ciphers to use on SSL-enabled listening sockets. |
1290 | - # For more information, see ciphers(1SSL). This list is from: |
1291 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1292 | - # An alternative list with additional directives can be obtained from |
1293 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1294 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1295 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1296 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1297 | - tune.ssl.default-dh-param 2048 |
1298 | - |
1299 | - # Increase the SSL/TLS session cache from the default 20k. But |
1300 | - # rather than hardcode values, let's just set it to match |
1301 | - # global_max_connections (which by default is calculated using |
1302 | - # num. of CPU cores and num. of configured sites). Each entry |
1303 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1304 | - # each with 2000 max conns will only consume around 122 Mbytes |
1305 | - # (32 * 10 * 2000 * 200), which is not much. |
1306 | - tune.ssl.cachesize 524288 |
1307 | + nbthread 30 |
1308 | + maxconn 524288 |
1309 | + log /dev/log local0 |
1310 | + log /dev/log local1 notice |
1311 | + chroot /var/lib/haproxy |
1312 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1313 | + stats timeout 30s |
1314 | + server-state-file /run/haproxy/saved-server-state |
1315 | + user haproxy |
1316 | + group haproxy |
1317 | + daemon |
1318 | + |
1319 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1320 | + # and kill them off. |
1321 | + hard-stop-after 15m |
1322 | + |
1323 | + # Default SSL material locations |
1324 | + ca-base /etc/ssl/certs |
1325 | + crt-base /etc/ssl/private |
1326 | + |
1327 | + # Default ciphers to use on SSL-enabled listening sockets. |
1328 | + # For more information, see ciphers(1SSL). This list is from: |
1329 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1330 | + # An alternative list with additional directives can be obtained from |
1331 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1332 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1333 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1334 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1335 | + tune.ssl.default-dh-param 2048 |
1336 | + |
1337 | + # Increase the SSL/TLS session cache from the default 20k. But |
1338 | + # rather than hardcode values, let's just set it to match |
1339 | + # global_max_connections (which by default is calculated using |
1340 | + # num. of CPU cores and num. of configured sites). Each entry |
1341 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1342 | + # each with 2000 max conns will only consume around 122 Mbytes |
1343 | + # (32 * 10 * 2000 * 200), which is not much. |
1344 | + tune.ssl.cachesize 524288 |
1345 | |
1346 | defaults |
1347 | - log global |
1348 | - maxconn 60000 |
1349 | - mode http |
1350 | - option dontlognull |
1351 | - timeout connect 5s |
1352 | - timeout client 50s |
1353 | - timeout server 50s |
1354 | - errorfile 400 /etc/haproxy/errors/400.http |
1355 | - errorfile 403 /etc/haproxy/errors/403.http |
1356 | - errorfile 408 /etc/haproxy/errors/408.http |
1357 | - errorfile 500 /etc/haproxy/errors/500.http |
1358 | - errorfile 502 /etc/haproxy/errors/502.http |
1359 | - errorfile 503 /etc/haproxy/errors/503.http |
1360 | - errorfile 504 /etc/haproxy/errors/504.http |
1361 | - load-server-state-from-file global |
1362 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1363 | - unique-id-header X-Cache-Request-ID |
1364 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1365 | + log global |
1366 | + maxconn 60000 |
1367 | + mode http |
1368 | + option dontlognull |
1369 | + timeout connect 5s |
1370 | + timeout client 50s |
1371 | + timeout server 50s |
1372 | + errorfile 400 /etc/haproxy/errors/400.http |
1373 | + errorfile 403 /etc/haproxy/errors/403.http |
1374 | + errorfile 408 /etc/haproxy/errors/408.http |
1375 | + errorfile 500 /etc/haproxy/errors/500.http |
1376 | + errorfile 502 /etc/haproxy/errors/502.http |
1377 | + errorfile 503 /etc/haproxy/errors/503.http |
1378 | + errorfile 504 /etc/haproxy/errors/504.http |
1379 | + load-server-state-from-file global |
1380 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1381 | + unique-id-header X-Cache-Request-ID |
1382 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1383 | |
1384 | resolvers dns |
1385 | - nameserver dns1 127.0.0.53:53 |
1386 | - resolve_retries 3 |
1387 | - timeout resolve 3s |
1388 | - timeout retry 3s |
1389 | - accepted_payload_size 8192 |
1390 | + nameserver dns1 127.0.0.53:53 |
1391 | + resolve_retries 3 |
1392 | + timeout resolve 3s |
1393 | + timeout retry 3s |
1394 | + accepted_payload_size 8192 |
1395 | |
1396 | listen stats |
1397 | - bind 127.0.0.1:10000 |
1398 | - acl allowed_cidr src 127.0.0.0/8 |
1399 | - http-request deny unless allowed_cidr |
1400 | - |
1401 | - mode http |
1402 | - stats enable |
1403 | - stats uri / |
1404 | - stats realm Haproxy\ Statistics |
1405 | - stats auth haproxy:biometricsarenotsecret |
1406 | - stats refresh 3 |
1407 | + bind 127.0.0.1:10000 |
1408 | + acl allowed_cidr src 127.0.0.0/8 |
1409 | + http-request deny unless allowed_cidr |
1410 | + |
1411 | + mode http |
1412 | + stats enable |
1413 | + stats uri / |
1414 | + stats realm Haproxy\ Statistics |
1415 | + stats auth haproxy:biometricsarenotsecret |
1416 | + stats refresh 3 |
1417 | |
1418 | |
1419 | listen combined-80 |
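Review bot: In the global section, the comment "We'll eventually disable DHE (LP#1825321), but for now, bump DH params" no longer matches the cipher string above it. `ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1` lists only ECDHE suites, so `tune.ssl.default-dh-param 2048` only matters for a bind line that overrides the default ciphers. Since these lines are being re-indented anyway, consider rewording the comment in templates/haproxy_cfg.tmpl so the rendered fixtures do not suggest DHE is still offered by default.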
1420 | diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt |
1421 | index bc80f29..8a219b5 100644 |
1422 | --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt |
1423 | +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_srv_template.txt |
1424 | @@ -1,81 +1,81 @@ |
1425 | global |
1426 | - nbthread 4 |
1427 | - maxconn 16384 |
1428 | - log /dev/log local0 |
1429 | - log /dev/log local1 notice |
1430 | - chroot /var/lib/haproxy |
1431 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1432 | - stats timeout 30s |
1433 | - server-state-file /run/haproxy/saved-server-state |
1434 | - user haproxy |
1435 | - group haproxy |
1436 | - daemon |
1437 | + nbthread 4 |
1438 | + maxconn 16384 |
1439 | + log /dev/log local0 |
1440 | + log /dev/log local1 notice |
1441 | + chroot /var/lib/haproxy |
1442 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1443 | + stats timeout 30s |
1444 | + server-state-file /run/haproxy/saved-server-state |
1445 | + user haproxy |
1446 | + group haproxy |
1447 | + daemon |
1448 | |
1449 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1450 | - # and kill them off. |
1451 | - hard-stop-after 15m |
1452 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1453 | + # and kill them off. |
1454 | + hard-stop-after 15m |
1455 | |
1456 | - # Default SSL material locations |
1457 | - ca-base /etc/ssl/certs |
1458 | - crt-base /etc/ssl/private |
1459 | + # Default SSL material locations |
1460 | + ca-base /etc/ssl/certs |
1461 | + crt-base /etc/ssl/private |
1462 | |
1463 | - # Default ciphers to use on SSL-enabled listening sockets. |
1464 | - # For more information, see ciphers(1SSL). This list is from: |
1465 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1466 | - # An alternative list with additional directives can be obtained from |
1467 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1468 | - ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1469 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1470 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1471 | - tune.ssl.default-dh-param 2048 |
1472 | + # Default ciphers to use on SSL-enabled listening sockets. |
1473 | + # For more information, see ciphers(1SSL). This list is from: |
1474 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1475 | + # An alternative list with additional directives can be obtained from |
1476 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1477 | + ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!SSLv3:!TLSv1 |
1478 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1479 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1480 | + tune.ssl.default-dh-param 2048 |
1481 | |
1482 | - # Increase the SSL/TLS session cache from the default 20k. But |
1483 | - # rather than hardcode values, let's just set it to match |
1484 | - # global_max_connections (which by default is calculated using |
1485 | - # num. of CPU cores and num. of configured sites). Each entry |
1486 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1487 | - # each with 2000 max conns will only consume around 122 Mbytes |
1488 | - # (32 * 10 * 2000 * 200), which is not much. |
1489 | - tune.ssl.cachesize 16384 |
1490 | + # Increase the SSL/TLS session cache from the default 20k. But |
1491 | + # rather than hardcode values, let's just set it to match |
1492 | + # global_max_connections (which by default is calculated using |
1493 | + # num. of CPU cores and num. of configured sites). Each entry |
1494 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1495 | + # each with 2000 max conns will only consume around 122 Mbytes |
1496 | + # (32 * 10 * 2000 * 200), which is not much. |
1497 | + tune.ssl.cachesize 16384 |
1498 | |
1499 | defaults |
1500 | - log global |
1501 | - maxconn 8192 |
1502 | - mode http |
1503 | - option dontlognull |
1504 | - timeout connect 5s |
1505 | - timeout client 50s |
1506 | - timeout server 50s |
1507 | - errorfile 400 /etc/haproxy/errors/400.http |
1508 | - errorfile 403 /etc/haproxy/errors/403.http |
1509 | - errorfile 408 /etc/haproxy/errors/408.http |
1510 | - errorfile 500 /etc/haproxy/errors/500.http |
1511 | - errorfile 502 /etc/haproxy/errors/502.http |
1512 | - errorfile 503 /etc/haproxy/errors/503.http |
1513 | - errorfile 504 /etc/haproxy/errors/504.http |
1514 | - load-server-state-from-file global |
1515 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1516 | - unique-id-header X-Cache-Request-ID |
1517 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1518 | + log global |
1519 | + maxconn 8192 |
1520 | + mode http |
1521 | + option dontlognull |
1522 | + timeout connect 5s |
1523 | + timeout client 50s |
1524 | + timeout server 50s |
1525 | + errorfile 400 /etc/haproxy/errors/400.http |
1526 | + errorfile 403 /etc/haproxy/errors/403.http |
1527 | + errorfile 408 /etc/haproxy/errors/408.http |
1528 | + errorfile 500 /etc/haproxy/errors/500.http |
1529 | + errorfile 502 /etc/haproxy/errors/502.http |
1530 | + errorfile 503 /etc/haproxy/errors/503.http |
1531 | + errorfile 504 /etc/haproxy/errors/504.http |
1532 | + load-server-state-from-file global |
1533 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1534 | + unique-id-header X-Cache-Request-ID |
1535 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1536 | |
1537 | resolvers dns |
1538 | - nameserver dns1 127.0.0.53:53 |
1539 | - resolve_retries 3 |
1540 | - timeout resolve 3s |
1541 | - timeout retry 3s |
1542 | - accepted_payload_size 8192 |
1543 | + nameserver dns1 127.0.0.53:53 |
1544 | + resolve_retries 3 |
1545 | + timeout resolve 3s |
1546 | + timeout retry 3s |
1547 | + accepted_payload_size 8192 |
1548 | |
1549 | listen stats |
1550 | - bind 127.0.0.1:10000 |
1551 | - acl allowed_cidr src 127.0.0.0/8 |
1552 | - http-request deny unless allowed_cidr |
1553 | + bind 127.0.0.1:10000 |
1554 | + acl allowed_cidr src 127.0.0.0/8 |
1555 | + http-request deny unless allowed_cidr |
1556 | |
1557 | - mode http |
1558 | - stats enable |
1559 | - stats uri / |
1560 | - stats realm Haproxy\ Statistics |
1561 | - stats auth haproxy:biometricsarenotsecret |
1562 | - stats refresh 3 |
1563 | + mode http |
1564 | + stats enable |
1565 | + stats uri / |
1566 | + stats realm Haproxy\ Statistics |
1567 | + stats auth haproxy:biometricsarenotsecret |
1568 | + stats refresh 3 |
1569 | |
1570 | |
1571 | listen cached-site1-local |
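Review bot: The comment above `tune.ssl.cachesize 16384` states the intent as "Increase the SSL/TLS session cache from the default 20k", but the value rendered here is below 20k because it tracks the global `maxconn 16384`. Either render the larger of the default and the connection limit, or reword the comment to say the cache is sized to match the connection limit, which can be smaller than the default.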
1572 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt |
1573 | index 8badf52..dd6b279 100644 |
1574 | --- a/tests/unit/files/haproxy_config_rendered_test_output.txt |
1575 | +++ b/tests/unit/files/haproxy_config_rendered_test_output.txt |
1576 | @@ -1,82 +1,82 @@ |
1577 | global |
1578 | - nbproc 2 |
1579 | - nbthread 4 |
1580 | - maxconn 15000 |
1581 | - log /dev/log local0 |
1582 | - log /dev/log local1 notice |
1583 | - chroot /var/lib/haproxy |
1584 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1585 | - stats timeout 30s |
1586 | - server-state-file /run/haproxy/saved-server-state |
1587 | - user haproxy |
1588 | - group haproxy |
1589 | - daemon |
1590 | - |
1591 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1592 | - # and kill them off. |
1593 | - hard-stop-after 5m |
1594 | - |
1595 | - # Default SSL material locations |
1596 | - ca-base /etc/ssl/certs |
1597 | - crt-base /etc/ssl/private |
1598 | - |
1599 | - # Default ciphers to use on SSL-enabled listening sockets. |
1600 | - # For more information, see ciphers(1SSL). This list is from: |
1601 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1602 | - # An alternative list with additional directives can be obtained from |
1603 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1604 | - ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1605 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1606 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1607 | - tune.ssl.default-dh-param 2048 |
1608 | - |
1609 | - # Increase the SSL/TLS session cache from the default 20k. But |
1610 | - # rather than hardcode values, let's just set it to match |
1611 | - # global_max_connections (which by default is calculated using |
1612 | - # num. of CPU cores and num. of configured sites). Each entry |
1613 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1614 | - # each with 2000 max conns will only consume around 122 Mbytes |
1615 | - # (32 * 10 * 2000 * 200), which is not much. |
1616 | - tune.ssl.cachesize 15000 |
1617 | + nbproc 2 |
1618 | + nbthread 4 |
1619 | + maxconn 15000 |
1620 | + log /dev/log local0 |
1621 | + log /dev/log local1 notice |
1622 | + chroot /var/lib/haproxy |
1623 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1624 | + stats timeout 30s |
1625 | + server-state-file /run/haproxy/saved-server-state |
1626 | + user haproxy |
1627 | + group haproxy |
1628 | + daemon |
1629 | + |
1630 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1631 | + # and kill them off. |
1632 | + hard-stop-after 5m |
1633 | + |
1634 | + # Default SSL material locations |
1635 | + ca-base /etc/ssl/certs |
1636 | + crt-base /etc/ssl/private |
1637 | + |
1638 | + # Default ciphers to use on SSL-enabled listening sockets. |
1639 | + # For more information, see ciphers(1SSL). This list is from: |
1640 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1641 | + # An alternative list with additional directives can be obtained from |
1642 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1643 | + ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1644 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1645 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1646 | + tune.ssl.default-dh-param 2048 |
1647 | + |
1648 | + # Increase the SSL/TLS session cache from the default 20k. But |
1649 | + # rather than hardcode values, let's just set it to match |
1650 | + # global_max_connections (which by default is calculated using |
1651 | + # num. of CPU cores and num. of configured sites). Each entry |
1652 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1653 | + # each with 2000 max conns will only consume around 122 Mbytes |
1654 | + # (32 * 10 * 2000 * 200), which is not much. |
1655 | + tune.ssl.cachesize 15000 |
1656 | |
1657 | defaults |
1658 | - log global |
1659 | - maxconn 5000 |
1660 | - mode http |
1661 | - option dontlognull |
1662 | - timeout connect 5s |
1663 | - timeout client 50s |
1664 | - timeout server 50s |
1665 | - errorfile 400 /etc/haproxy/errors/400.http |
1666 | - errorfile 403 /etc/haproxy/errors/403.http |
1667 | - errorfile 408 /etc/haproxy/errors/408.http |
1668 | - errorfile 500 /etc/haproxy/errors/500.http |
1669 | - errorfile 502 /etc/haproxy/errors/502.http |
1670 | - errorfile 503 /etc/haproxy/errors/503.http |
1671 | - errorfile 504 /etc/haproxy/errors/504.http |
1672 | - load-server-state-from-file global |
1673 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1674 | - unique-id-header X-Cache-Request-ID |
1675 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1676 | + log global |
1677 | + maxconn 5000 |
1678 | + mode http |
1679 | + option dontlognull |
1680 | + timeout connect 5s |
1681 | + timeout client 50s |
1682 | + timeout server 50s |
1683 | + errorfile 400 /etc/haproxy/errors/400.http |
1684 | + errorfile 403 /etc/haproxy/errors/403.http |
1685 | + errorfile 408 /etc/haproxy/errors/408.http |
1686 | + errorfile 500 /etc/haproxy/errors/500.http |
1687 | + errorfile 502 /etc/haproxy/errors/502.http |
1688 | + errorfile 503 /etc/haproxy/errors/503.http |
1689 | + errorfile 504 /etc/haproxy/errors/504.http |
1690 | + load-server-state-from-file global |
1691 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1692 | + unique-id-header X-Cache-Request-ID |
1693 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1694 | |
1695 | resolvers dns |
1696 | - nameserver dns1 127.0.0.53:53 |
1697 | - resolve_retries 3 |
1698 | - timeout resolve 3s |
1699 | - timeout retry 3s |
1700 | - accepted_payload_size 8192 |
1701 | + nameserver dns1 127.0.0.53:53 |
1702 | + resolve_retries 3 |
1703 | + timeout resolve 3s |
1704 | + timeout retry 3s |
1705 | + accepted_payload_size 8192 |
1706 | |
1707 | listen stats |
1708 | - bind 127.0.0.1:10000 |
1709 | - acl allowed_cidr src 127.0.0.0/8 |
1710 | - http-request deny unless allowed_cidr |
1711 | - |
1712 | - mode http |
1713 | - stats enable |
1714 | - stats uri / |
1715 | - stats realm Haproxy\ Statistics |
1716 | - stats auth haproxy:biometricsarenotsecret |
1717 | - stats refresh 3 |
1718 | + bind 127.0.0.1:10000 |
1719 | + acl allowed_cidr src 127.0.0.0/8 |
1720 | + http-request deny unless allowed_cidr |
1721 | + |
1722 | + mode http |
1723 | + stats enable |
1724 | + stats uri / |
1725 | + stats realm Haproxy\ Statistics |
1726 | + stats auth haproxy:biometricsarenotsecret |
1727 | + stats refresh 3 |
1728 | |
1729 | |
1730 | listen combined-80 |
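Review bot: `stats auth haproxy:biometricsarenotsecret` in the `listen stats` block puts a fixed credential into the expected output, and it travels as HTTP basic auth over the plain-HTTP `bind 127.0.0.1:10000`. Please confirm this is a fixture-only value and that deployed units render a per-unit password. Separately, `acl allowed_cidr src 127.0.0.0/8` adds nothing while the bind stays on 127.0.0.1, so a short comment saying it is there as a second guard in case the bind address changes would help the next reader.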
1731 | diff --git a/tests/unit/files/haproxy_config_rendered_test_output2.txt b/tests/unit/files/haproxy_config_rendered_test_output2.txt |
1732 | index 61a329c..4620899 100644 |
1733 | --- a/tests/unit/files/haproxy_config_rendered_test_output2.txt |
1734 | +++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt |
1735 | @@ -1,82 +1,82 @@ |
1736 | global |
1737 | - nbproc 2 |
1738 | - nbthread 4 |
1739 | - maxconn 8192 |
1740 | - log /dev/log local0 |
1741 | - log /dev/log local1 notice |
1742 | - chroot /var/lib/haproxy |
1743 | - stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1744 | - stats timeout 30s |
1745 | - server-state-file /run/haproxy/saved-server-state |
1746 | - user haproxy |
1747 | - group haproxy |
1748 | - daemon |
1749 | - |
1750 | - # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1751 | - # and kill them off. |
1752 | - hard-stop-after 5m |
1753 | - |
1754 | - # Default SSL material locations |
1755 | - ca-base /etc/ssl/certs |
1756 | - crt-base /etc/ssl/private |
1757 | - |
1758 | - # Default ciphers to use on SSL-enabled listening sockets. |
1759 | - # For more information, see ciphers(1SSL). This list is from: |
1760 | - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1761 | - # An alternative list with additional directives can be obtained from |
1762 | - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1763 | - ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1764 | - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1765 | - # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1766 | - tune.ssl.default-dh-param 2048 |
1767 | - |
1768 | - # Increase the SSL/TLS session cache from the default 20k. But |
1769 | - # rather than hardcode values, let's just set it to match |
1770 | - # global_max_connections (which by default is calculated using |
1771 | - # num. of CPU cores and num. of configured sites). Each entry |
1772 | - # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1773 | - # each with 2000 max conns will only consume around 122 Mbytes |
1774 | - # (32 * 10 * 2000 * 200), which is not much. |
1775 | - tune.ssl.cachesize 8192 |
1776 | + nbproc 2 |
1777 | + nbthread 4 |
1778 | + maxconn 8192 |
1779 | + log /dev/log local0 |
1780 | + log /dev/log local1 notice |
1781 | + chroot /var/lib/haproxy |
1782 | + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners |
1783 | + stats timeout 30s |
1784 | + server-state-file /run/haproxy/saved-server-state |
1785 | + user haproxy |
1786 | + group haproxy |
1787 | + daemon |
1788 | + |
1789 | + # LP#1874386: Work around lingering HAProxy processes as per LP:1874386 |
1790 | + # and kill them off. |
1791 | + hard-stop-after 5m |
1792 | + |
1793 | + # Default SSL material locations |
1794 | + ca-base /etc/ssl/certs |
1795 | + crt-base /etc/ssl/private |
1796 | + |
1797 | + # Default ciphers to use on SSL-enabled listening sockets. |
1798 | + # For more information, see ciphers(1SSL). This list is from: |
1799 | + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
1800 | + # An alternative list with additional directives can be obtained from |
1801 | + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy |
1802 | + ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS |
1803 | + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 |
1804 | + # We'll eventually disable DHE (LP#1825321), but for now, bump DH params |
1805 | + tune.ssl.default-dh-param 2048 |
1806 | + |
1807 | + # Increase the SSL/TLS session cache from the default 20k. But |
1808 | + # rather than hardcode values, let's just set it to match |
1809 | + # global_max_connections (which by default is calculated using |
1810 | + # num. of CPU cores and num. of configured sites). Each entry |
1811 | + # requires ~200 bytes so on a host with say 32 CPUs, 10 sites, |
1812 | + # each with 2000 max conns will only consume around 122 Mbytes |
1813 | + # (32 * 10 * 2000 * 200), which is not much. |
1814 | + tune.ssl.cachesize 8192 |
1815 | |
1816 | defaults |
1817 | - log global |
1818 | - maxconn 5000 |
1819 | - mode http |
1820 | - option dontlognull |
1821 | - timeout connect 5s |
1822 | - timeout client 50s |
1823 | - timeout server 50s |
1824 | - errorfile 400 /etc/haproxy/errors/400.http |
1825 | - errorfile 403 /etc/haproxy/errors/403.http |
1826 | - errorfile 408 /etc/haproxy/errors/408.http |
1827 | - errorfile 500 /etc/haproxy/errors/500.http |
1828 | - errorfile 502 /etc/haproxy/errors/502.http |
1829 | - errorfile 503 /etc/haproxy/errors/503.http |
1830 | - errorfile 504 /etc/haproxy/errors/504.http |
1831 | - load-server-state-from-file global |
1832 | - unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1833 | - unique-id-header X-Cache-Request-ID |
1834 | - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1835 | + log global |
1836 | + maxconn 5000 |
1837 | + mode http |
1838 | + option dontlognull |
1839 | + timeout connect 5s |
1840 | + timeout client 50s |
1841 | + timeout server 50s |
1842 | + errorfile 400 /etc/haproxy/errors/400.http |
1843 | + errorfile 403 /etc/haproxy/errors/403.http |
1844 | + errorfile 408 /etc/haproxy/errors/408.http |
1845 | + errorfile 500 /etc/haproxy/errors/500.http |
1846 | + errorfile 502 /etc/haproxy/errors/502.http |
1847 | + errorfile 503 /etc/haproxy/errors/503.http |
1848 | + errorfile 504 /etc/haproxy/errors/504.http |
1849 | + load-server-state-from-file global |
1850 | + unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid |
1851 | + unique-id-header X-Cache-Request-ID |
1852 | + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID" |
1853 | |
1854 | resolvers dns |
1855 | - nameserver dns1 127.0.0.53:53 |
1856 | - resolve_retries 3 |
1857 | - timeout resolve 3s |
1858 | - timeout retry 3s |
1859 | - accepted_payload_size 8192 |
1860 | + nameserver dns1 127.0.0.53:53 |
1861 | + resolve_retries 3 |
1862 | + timeout resolve 3s |
1863 | + timeout retry 3s |
1864 | + accepted_payload_size 8192 |
1865 | |
1866 | listen stats |
1867 | - bind 127.0.0.1:10000 |
1868 | - acl allowed_cidr src 127.0.0.0/8 |
1869 | - http-request deny unless allowed_cidr |
1870 | - |
1871 | - mode http |
1872 | - stats enable |
1873 | - stats uri / |
1874 | - stats realm Haproxy\ Statistics |
1875 | - stats auth haproxy:biometricsarenotsecret |
1876 | - stats refresh 3 |
1877 | + bind 127.0.0.1:10000 |
1878 | + acl allowed_cidr src 127.0.0.0/8 |
1879 | + http-request deny unless allowed_cidr |
1880 | + |
1881 | + mode http |
1882 | + stats enable |
1883 | + stats uri / |
1884 | + stats realm Haproxy\ Statistics |
1885 | + stats auth haproxy:biometricsarenotsecret |
1886 | + stats refresh 3 |
1887 | |
1888 | |
1889 | listen combined-80 |
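Review bot: With `nbproc 2` in the global section, the single `stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners` line and the `listen stats` block are each answered by whichever process accepts the connection, so counters and admin commands cover one process only. Consider pinning the socket to one process or rendering one socket per process, and note the limitation in the template comment so operators reading these stats know they are per process.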
This merge proposal is being monitored by mergebot. Change the status to Approved to merge.