##---------------------------------------------------------------- ## global 2021/04/05 ##---------------------------------------------------------------- global log stdout format raw daemon debug # Replace 1024000 with deployment connections maxconn 1000 nbproc 1 nbthread 2 cpu-map auto:1/1-2 0-1 tune.ssl.default-dh-param 2048 ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP # Enable the HAProxy Runtime API # e.g. echo "show table emqx_tcp_back" | sudo socat stdio tcp4-connect:172.100.239.4:9999 stats socket :9999 level admin expose-fd listeners ##---------------------------------------------------------------- ## defaults ##---------------------------------------------------------------- defaults log global mode tcp option tcplog # Replace 1024000 with deployment connections maxconn 1000 timeout connect 30000 timeout client 600s timeout server 600s ##---------------------------------------------------------------- ## API ##---------------------------------------------------------------- frontend emqx_dashboard mode tcp option tcplog bind *:18083 default_backend emqx_dashboard_back backend emqx_dashboard_back mode http # balance static-rr server emqx-1 node1.emqx.io:18083 server emqx-2 node2.emqx.io:18083 ##---------------------------------------------------------------- ## public ##---------------------------------------------------------------- frontend emqx_tcp mode tcp option tcplog bind *:1883 # Reject connections that have an invalid MQTT packet # tcp-request content reject unless { req.payload(0,0), mqtt_is_valid } default_backend emqx_tcp_back frontend emqx_ws mode tcp option tcplog bind *:8083 default_backend emqx_ws_back backend emqx_tcp_back mode tcp # Create a stick table for session persistence stick-table type string len 32 size 100k expire 30m # Use ClientID / client_identifier as persistence key stick on req.payload(0,0),mqtt_field_value(connect,client_identifier) server emqx-1 node1.emqx.io:1883 check-send-proxy send-proxy-v2 server emqx-2 node2.emqx.io:1883 check-send-proxy send-proxy-v2 backend emqx_ws_back mode tcp balance static-rr server emqx-1 node1.emqx.io:8083 check-send-proxy send-proxy-v2 server emqx-2 node2.emqx.io:8083 check-send-proxy send-proxy-v2 ##---------------------------------------------------------------- ## TLS ##---------------------------------------------------------------- frontend emqx_ssl mode tcp option tcplog bind *:8883 ssl crt /var/lib/haproxy/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3 default_backend emqx_ssl_back frontend emqx_wss mode tcp option tcplog bind *:8084 ssl crt /var/lib/haproxy/emqx.pem ca-file /usr/local/etc/haproxy/certs/cacert.pem verify required no-sslv3 default_backend emqx_wss_back backend emqx_ssl_back mode tcp balance static-rr server emqx-1 node1.emqx.io:1883 check-send-proxy send-proxy-v2-ssl-cn server emqx-2 node2.emqx.io:1883 check-send-proxy send-proxy-v2-ssl-cn backend emqx_wss_back mode tcp balance static-rr server emqx-1 node1.emqx.io:8083 check-send-proxy send-proxy-v2-ssl-cn server emqx-2 node2.emqx.io:8083 check-send-proxy send-proxy-v2-ssl-cn