Update haproxy config and clean up domain mappings

- Add X-Forwarded-For support for real client IP detection (BunnyCDN)
- Change MCP domain from mcp.inouter.com to haproxy.inouter.com
- Remove unused wildcard domains (bench, mcp, ssh)
- Add nocodb.inouter.com wildcard mapping
- Ignore runtime files (*.db, cdn-ips.lst) in .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kaffa
2026-02-15 11:05:00 +09:00
parent dd690aedcb
commit 97af0b49e2
3 changed files with 8 additions and 6 deletions

.gitignore vendored

@@ -19,6 +19,7 @@ data/
*.db
*.db-wal
*.db-shm
conf/cdn-ips.lst
# Python
__pycache__/


@@ -1,6 +1,4 @@
global
# Enable experimental features (HTTP/3 backend)
expose-experimental-directives
log stdout format raw local0
maxconn 100000
@@ -62,10 +60,14 @@ frontend http_front
# Set real client IP (CF-Connecting-IP if via Cloudflare, otherwise direct client IP)
http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
http-request set-header X-Real-IP %[var(txn.real_ip)]
log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""
# Per-IP concurrent connection limit (slowloris protection)
# Note: http_front and https_front have separate stick-tables, so the same
# IP is counted independently in each frontend (HTTP vs HTTPS).
# Per-IP concurrent connection limit (slowloris protection)
# Note: http_front and https_front have separate stick-tables, so the same
# IP is counted independently in each frontend (HTTP vs HTTPS).
@@ -97,6 +99,7 @@ frontend https_front
# Set real client IP (CF-Connecting-IP if via Cloudflare, otherwise direct client IP)
http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
http-request set-header X-Real-IP %[var(txn.real_ip)]
log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""
@@ -112,7 +115,7 @@ frontend https_front
# -- End shared security config --
# MCP authentication (Bearer Token or Tailscale)
acl is_mcp hdr(host) -i mcp.inouter.com
acl is_mcp hdr(host) -i haproxy.inouter.com
acl valid_token req.hdr(Authorization) -m str "Bearer dcb7963ab3ef705f6b780818f78942a100efa3b55e3d2f99c4560b65da64c426"
acl is_tailscale src 100.64.0.0/10
http-request deny deny_status 401 if is_mcp !valid_token !is_tailscale
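Review bot: The X-Forwarded-For set-var line added in the http_front hunk (and the identical line in the https_front hunk) trusts the header from any source, so a client that connects directly rather than through the CDN can set X-Forwarded-For and choose what ends up in txn.real_ip, X-Real-IP and the log line; gate it on the trusted CDN ranges, e.g. `http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { src -f conf/cdn-ips.lst } { req.hdr(X-Forwarded-For) -m found }`, using whatever absolute path the running config resolves conf/cdn-ips.lst to. Even for requests that do arrive via the CDN, the first comma-separated element is whatever the original client wrote if the CDN appends rather than replaces the header, so confirm BunnyCDN's behaviour or take the last element instead. The CF-Connecting-IP line has the same unconditional trust but predates this change. The is_tailscale ACL keys on src rather than txn.real_ip, so the MCP auth bypass is not affected; whether the per-IP stick-table is keyed on the variable is outside the hunk.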


@@ -4,7 +4,5 @@
.actions.it.com pool_3
.anvil.it.com pool_9
.bench.inouter.com pool_5
.mcp.inouter.com pool_2
.nas.inouter.com pool_1
.ssh.inouter.com pool_11
.nocodb.inouter.com pool_5
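Review bot: The is_mcp ACL in the HAProxy config now matches haproxy.inouter.com, but this mapping drops `.mcp.inouter.com pool_2` without adding a corresponding entry, so unless that host is routed elsewhere it no longer maps to a pool; if it should keep reaching the MCP backend, add `.haproxy.inouter.com pool_2`. The file's header is not shown, so which directive consumes it and whether unmatched hosts fall through to a default cannot be checked here.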