fix: HAProxy batch commands and improve routing/subdomain handling

- Fix haproxy_cmd_batch to send each command on separate connection
  (in its default non-interactive mode the HAProxy Runtime API executes only the first line sent on a connection and then closes it)
- HTTP frontend now routes to backends instead of redirecting to HTTPS
- Add subdomain detection to avoid duplicate wildcard entries
- Add reload verification with retry logic
- Optimize SSL: TLS 1.3 ciphersuites, extended session lifetime
- Add CPU steal monitoring script

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kaffa
2026-02-03 00:55:24 +09:00
parent 95aecccb03
commit 46c86b62f2
5 changed files with 81 additions and 149 deletions


@@ -9,14 +9,16 @@ global
cpu-map auto:1/1-2 0-1
tune.ssl.default-dh-param 2048
tune.ssl.cachesize 100000
tune.ssl.lifetime 600
tune.ssl.lifetime 3600
tune.bufsize 32768
tune.maxrewrite 8192
tune.http.maxhdr 128
# SSL optimization
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# ECDSA 우선 (RSA 대비 10배 빠름), AES-GCM 하드웨어 가속 활용
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options ssl-min-ver TLSv1.2
# Runtime API socket for dynamic updates
stats socket /var/run/haproxy/haproxy.sock mode 666 level admin expose-fd listeners
@@ -48,14 +50,18 @@ frontend stats
stats refresh 10s
stats admin if TRUE
# HTTP Frontend - redirect to HTTPS
# HTTP Frontend - forward to backend (same as HTTPS)
frontend http_front
bind *:80
# ACME challenge for certbot
acl is_acme path_beg /.well-known/acme-challenge/
use_backend acme_backend if is_acme
# Redirect to HTTPS
http-request redirect scheme https unless is_acme
# ACME challenge for certbot (unused - using DNS-01)
# acl is_acme path_beg /.well-known/acme-challenge/
# use_backend acme_backend if is_acme
# http-request redirect scheme https unless is_acme
# Map-based dynamic routing (same as HTTPS)
use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/domains.map)] if { req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/domains.map) -m found }
default_backend default_backend
# HTTPS Frontend
frontend https_front
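Review bot: The new `use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/domains.map)]` rule in `http_front` serves the application backends in cleartext on port 80, so session cookies and credentials that the backends set are now carried over plain HTTP where the old `http-request redirect scheme https` prevented that, and nothing in the commit message explains why the redirect had to go. If the intent was only to drop the HTTP-01 ACME path (the comment says DNS-01 is used), the redirect can stay as the sole rule of the frontend: `http-request redirect scheme https code 301`. If cleartext really is required here (for example an upstream TLS terminator not visible in this file), say so in the frontend comment and at least add `http-response set-header Strict-Transport-Security "max-age=31536000"` in `https_front` so browsers that have reached the site over TLS once stop using port 80; the backends must also mark their cookies `Secure`. The four commented-out ACME lines are dead config and can be deleted outright (check whether `acme_backend` is still referenced anywhere, presumably not). The `https_front` definition begins on the hunk's last line and continues outside it.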