forked from Kneckter/HAProxySetup
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy.cfg
162 lines (127 loc) · 7.05 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
global
external-check
insecure-fork-wanted
log /dev/log local1 notice
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
timeout connect 5s
timeout client 60s
timeout server 60s
timeout check 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend proxy_in
bind *:9100
# The stats page is not required but it should be used during the initial setup so you know it works.
stats uri /haproxy?stats
mode http
option http-use-proxy-header
option accept-invalid-http-request
# Set the max connections to the frontend higher than the default 2000
maxconn 5000
# These two ACLs are used to split game traffic to the paid proxies
acl ptc_auth hdr_dom(host) -i sso.pokemon.com
acl pgorelease hdr_dom(host) -i pgorelease.nianticlabs.com
# NAT static host names to a different backend
# This ACL looks for the port 9001 in your backendurl when Manager sends data to RDM.
acl port_rdm url_port 9001
# These two ACLs are used to drop traffic. The one that's enabled should stop iOS updates
#acl host_name hdr_dom(host) -i ispoofer.com globalplusplus.com 104.31.70.46 104.31.71.46 104.25.91.97 104.25.92.97
acl host_name hdr_dom(host) -i mesu.apple.com appldnld.apple.com apple.com
# These two ACLs are used when a Squid backend as default backend is used so you can split these out to the paid proxies
#acl auth hdr_dom(host) -i pgorelease.nianticlabs.com sso.pokemon.com
#acl gd hdr_dom(host) -i api.ipotter.cc ipotter.cc ipotter.app 104.28.10.9 104.28.11.9
# If your data usage is high, I would suggest using this ACL and the second "silent-drop" so map tiles aren't downloaded.
#acl tiles hdr_dom(host) -i maps.nianticlabs.com
# Only use one of these to drop traffic.
http-request deny if host_name
#http-request deny if host_name || tiles
# These are used to split the traffic on the paid proxies
use_backend proxy_ptc if ptc_auth
use_backend proxy_nia if pgorelease
# This line is used to send Manager traffic to RDM instead of the external proxies.
use_backend rdm if port_rdm
# This line is used when a Squid proxy is setup so we can send auth and gd requests through the paid proxies.
#use_backend proxy_out if auth || gd
# This line is used to send all traffic not related to RDM or the game to the Squid proxy on the intranet.
default_backend squid
backend rdm
# If you're setting up HAProxy on the same network, use `balance source`.
# If you're setting up HAProxy on an externally hosted server, use `balance leastconn`.
balance source
#balance leastconn
fullconn 1000
# Note that HAProxy messes up the HTTP header when sending data to RDM directly so we sent it to Nginx first.
# We used 9002 as a port that Nginx is listening to because HAProxy would try to pass the whole address as a URI.
# This assumes Nginx is installed on the same machine HAProxy is. If not, change the IP address to the server Nginx is installed on.
# A server block for Nginx is explained in the below sections.
server rdm 127.0.0.1:9002
backend squid
balance source
fullconn 10000
mode http
server squid localhost:3128
backend proxy_ptc
# If you're setting up HAProxy on the same network, use `balance source`.
# If you're setting up HAProxy on an externally hosted server, use `balance leastconn`.
balance source
#balance leastconn
# Set the max connections for each server to 1000 so you don't drop data
# This defauls to 10% of maxconn or 10% of the default (which limits it to 200 connections)
fullconn 1000
# This section of external-check settings is important for checking if your proxy IP is banned.
option external-check
external-check path "/usr/bin:/bin"
# The `external-check command` is used with the location of the file created in the next section.
external-check command /home/mapadmin/bancheck_ptc.sh
# The `reqadd Proxy-Authorization` is only needed if your proxies require authentication
# Replace base64EncodedAccountInfo with your base64 encoded username and password
# Run this command to generate the base64: echo -n "username:password" | base64
#reqadd Proxy-Authorization:\ Basic\ base64EncodedAccountInfo
# The `check inter 20s fall 3 rise 2` setting will run the ban script every 20 seconds.
# If an address fails 3 times, it will be taken down and the other addresses will get its traffic.
# It will be put back into rotation if it passes the checker twice in a row.
# Below are example proxy lines. Add them in the following format:
server proxy1 1.2.3.4:3128 check inter 20s fall 3 rise 2
server proxy2 5.6.7.8:3128 check inter 20s fall 3 rise 2
backend proxy_nia
# If you're setting up HAProxy on the same network, use `balance source`.
# If you're setting up HAProxy on an externally hosted server, use `balance leastconn`.
balance source
# Set the max connections for each server to 1000 so you don't drop data
# This defauls to 10% of maxconn or 10% of the default (which limits it to 200 connections)
fullconn 1000
# This section of external-check settings is important for checking if your proxy IP is banned.
option external-check
external-check path "/usr/bin:/bin"
# The `external-check command` is used with the location of the file created in the next section.
external-check command /home/mapadmin/bancheck_nia.sh
# The `reqadd Proxy-Authorization` is only needed if your proxies require authentication
# Replace base64EncodedAccountInfo with your base64 encoded username and password
# Run this command to generate the base64: echo -n "username:password" | base64
#reqadd Proxy-Authorization:\ Basic\ base64EncodedAccountInfo
# The `check inter 20s fall 3 rise 2` setting will run the ban script every 20 seconds.
# If an address fails 3 times, it will be taken down and the other addresses will get its traffic.
# It will be put back into rotation if it passes the checker twice in a row.
# Below are example proxy lines. Add them in the following format:
server proxy1 1.2.3.4:3128 check inter 20s fall 3 rise 2
server proxy2 5.6.7.8:3128 check inter 20s fall 3 rise 2