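global
    # Enable experimental features (HTTP/3 backend)
    expose-experimental-directives

    log stdout format raw local0
    maxconn 100000

    # Performance tuning
    nbthread 2
    cpu-map auto:1/1-2 0-1
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 100000
    tune.ssl.lifetime 3600
    tune.bufsize 32768
    tune.maxrewrite 8192
    tune.http.maxhdr 128

    # SSL optimization
    # Prefer ECDSA (about 10x faster than RSA) and use AES-GCM hardware acceleration
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2

    # Runtime API socket for dynamic updates.
    # "level admin" allows full control of the proxy (servers, maps, ACLs),
    # so access to these sockets is equivalent to owning the load balancer.
    # The UNIX socket was mode 666 (any local user); 660 limits it to the
    # owner and group. Add "group <name>" if a management tool runs under a
    # different account.
    stats socket /var/run/haproxy/haproxy.sock mode 660 level admin expose-fd listeners
    # The TCP Runtime API has no authentication of its own. It was bound to
    # every interface (ipv4@*:9999); keep it on loopback, or on one private
    # management address if a sidecar needs it. Prefer the UNIX socket above.
    stats socket ipv4@127.0.0.1:9999 level admin
    stats timeout 30s

    # Server state persistence
    server-state-file /var/lib/haproxy/servers.state
    server-state-base /var/lib/haproxy/

defaults
    log global
    mode http
    option dontlognull
    option http-keep-alive
    # Appends the client address to X-Forwarded-For. A value sent by the
    # client is not removed here, so backends should trust only the last entry.
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
    timeout http-keep-alive 10s

    # Load server state on startup
    load-server-state-from-file global

# Stats & API Dashboard
frontend stats
    bind *:8404

    # The page was reachable from any address with "stats admin if TRUE",
    # i.e. anyone who could reach :8404 could drain or disable servers.
    # Restrict it to loopback and the Tailscale range already trusted below.
    # NOTE(review): 100.64.0.0/10 is shared CGNAT space, not exclusively
    # Tailscale; confirm no other interface can deliver traffic from it.
    acl stats_trusted src 127.0.0.0/8 100.64.0.0/10
    http-request deny unless stats_trusted

    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if stats_trusted

# HTTP Frontend - forward to backend (same as HTTPS)
frontend http_front
    bind *:80

    # ACME challenge for certbot (unused - using DNS-01)
    # acl is_acme path_beg /.well-known/acme-challenge/
    # use_backend acme_backend if is_acme
    # http-request redirect scheme https unless is_acme

    # The MCP token check lives in https_front only, while this frontend
    # routes through the same maps. Send non-Tailscale MCP requests to HTTPS
    # so the check cannot be skipped by using port 80.
    acl is_mcp hdr_dom(host) -i mcp.inouter.com
    acl is_mcp req.hdr(host),field(1,:) -i -m str mcp.inouter.com
    acl is_tailscale src 100.64.0.0/10
    http-request redirect scheme https code 308 if is_mcp !is_tailscale

    # 2-stage map-based routing for performance:
    # Stage 1: Exact match with map_str (O(log n) - fast, uses ebtree)
    use_backend %[req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map)] if { req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map) -m found }

    # Stage 2: Wildcard fallback with map_dom (O(n) - slower, but only for wildcards)
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map)] if { req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map) -m found }

    default_backend default_backend

# HTTPS Frontend
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/ alpn h3
    http-response set-header alt-svc "h3=\":443\"; ma=86400"

    # MCP authentication (Bearer Token or Tailscale)
    # Match the host as a domain and with any port stripped: the exact-string
    # form did not gate Host values such as "mcp.inouter.com:443", which the
    # stage-2 map_dom lookup may still route (depends on wildcards.map).
    acl is_mcp hdr_dom(host) -i mcp.inouter.com
    acl is_mcp req.hdr(host),field(1,:) -i -m str mcp.inouter.com
    # The token is read from the environment at config-parse time instead of
    # being stored in this file. The literal that used to be here must be
    # treated as exposed and rotated. MCP_BEARER_TOKEN is supplied by the
    # deployment (systemd EnvironmentFile, container secret, ...).
    acl mcp_token_set env(MCP_BEARER_TOKEN) -m len gt 0
    acl valid_token req.hdr(Authorization) -m str "Bearer ${MCP_BEARER_TOKEN}"
    # NOTE(review): 100.64.0.0/10 is shared CGNAT space, not exclusively
    # Tailscale; confirm only the tailnet interface can deliver it.
    acl is_tailscale src 100.64.0.0/10
    # Fail closed when the variable is missing or empty, so an unset token
    # never turns into a pattern that an empty credential could satisfy.
    http-request deny deny_status 401 if is_mcp !mcp_token_set !is_tailscale
    http-request deny deny_status 401 if is_mcp !valid_token !is_tailscale

    # 2-stage map-based routing for performance:
    # Stage 1: Exact match with map_str (O(log n) - fast, uses ebtree)
    use_backend %[req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map)] if { req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map) -m found }

    # Stage 2: Wildcard fallback with map_dom (O(n) - slower, but only for wildcards)
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map)] if { req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map) -m found }

    default_backend default_backend

# Default backend
# Requests whose Host matches neither map end here and are refused.
backend default_backend
    balance roundrobin
    http-request deny deny_status 503

# Pool backends (for dynamic domains)
# Each pool reserves 10 disabled server slots with a placeholder address;
# they are filled in and enabled at runtime through the Runtime API.
backend pool_1
    balance roundrobin
    server-template pool_1_ 10 0.0.0.0:0 check disabled

backend pool_2
    balance roundrobin
    server-template pool_2_ 10 0.0.0.0:0 check disabled

backend pool_3
    balance roundrobin
    server-template pool_3_ 10 0.0.0.0:0 check disabled

backend pool_4
    balance roundrobin
    server-template pool_4_ 10 0.0.0.0:0 check disabled

backend pool_5
    balance roundrobin
    server-template pool_5_ 10 0.0.0.0:0 check disabled

backend pool_6
    balance roundrobin
    server-template pool_6_ 10 0.0.0.0:0 check disabled

backend pool_7
    balance roundrobin
    server-template pool_7_ 10 0.0.0.0:0 check disabled

backend pool_8
    balance roundrobin
    server-template pool_8_ 10 0.0.0.0:0 check disabled

backend pool_9
    balance roundrobin
    server-template pool_9_ 10 0.0.0.0:0 check disabled

backend pool_10
    balance roundrobin
    server-template pool_10_ 10 0.0.0.0:0 check disabled

# ACME Backend (for certbot)
backend acme_backend
    server acme 127.0.0.1:8080

backend pool_11
    balance roundrobin
    server-template pool_11_ 10 0.0.0.0:0 check disabled

backend pool_12
    balance roundrobin
    server-template pool_12_ 10 0.0.0.0:0 check disabled

backend pool_13
    balance roundrobin
    server-template pool_13_ 10 0.0.0.0:0 check disabled

backend pool_14
    balance roundrobin
    server-template pool_14_ 10 0.0.0.0:0 check disabled

backend pool_15
    balance roundrobin
    server-template pool_15_ 10 0.0.0.0:0 check disabled

backend pool_16
    balance roundrobin
    server-template pool_16_ 10 0.0.0.0:0 check disabled

backend pool_17
    balance roundrobin
    server-template pool_17_ 10 0.0.0.0:0 check disabled

backend pool_18
    balance roundrobin
    server-template pool_18_ 10 0.0.0.0:0 check disabled

backend pool_19
    balance roundrobin
    server-template pool_19_ 10 0.0.0.0:0 check disabled

backend pool_20
    balance roundrobin
    server-template pool_20_ 10 0.0.0.0:0 check disabled

backend pool_21
    balance roundrobin
    server-template pool_21_ 10 0.0.0.0:0 check disabled

backend pool_22
    balance roundrobin
    server-template pool_22_ 10 0.0.0.0:0 check disabled

backend pool_23
    balance roundrobin
    server-template pool_23_ 10 0.0.0.0:0 check disabled

backend pool_24
    balance roundrobin
    server-template pool_24_ 10 0.0.0.0:0 check disabled

backend pool_25
    balance roundrobin
    server-template pool_25_ 10 0.0.0.0:0 check disabled

backend pool_26
    balance roundrobin
    server-template pool_26_ 10 0.0.0.0:0 check disabled

backend pool_27
    balance roundrobin
    server-template pool_27_ 10 0.0.0.0:0 check disabled

backend pool_28
    balance roundrobin
    server-template pool_28_ 10 0.0.0.0:0 check disabled

backend pool_29
    balance roundrobin
    server-template pool_29_ 10 0.0.0.0:0 check disabled

backend pool_30
    balance roundrobin
    server-template pool_30_ 10 0.0.0.0:0 check disabled

backend pool_31
    balance roundrobin
    server-template pool_31_ 10 0.0.0.0:0 check disabled

backend pool_32
    balance roundrobin
    server-template pool_32_ 10 0.0.0.0:0 check disabled

backend pool_33
    balance roundrobin
    server-template pool_33_ 10 0.0.0.0:0 check disabled

backend pool_34
    balance roundrobin
    server-template pool_34_ 10 0.0.0.0:0 check disabled

backend pool_35
    balance roundrobin
    server-template pool_35_ 10 0.0.0.0:0 check disabled

backend pool_36
    balance roundrobin
    server-template pool_36_ 10 0.0.0.0:0 check disabled

backend pool_37
    balance roundrobin
    server-template pool_37_ 10 0.0.0.0:0 check disabled

backend pool_38
    balance roundrobin
    server-template pool_38_ 10 0.0.0.0:0 check disabled

backend pool_39
    balance roundrobin
    server-template pool_39_ 10 0.0.0.0:0 check disabled

backend pool_40
    balance roundrobin
    server-template pool_40_ 10 0.0.0.0:0 check disabled

backend pool_41
    balance roundrobin
    server-template pool_41_ 10 0.0.0.0:0 check disabled

backend pool_42
    balance roundrobin
    server-template pool_42_ 10 0.0.0.0:0 check disabled

backend pool_43
    balance roundrobin
    server-template pool_43_ 10 0.0.0.0:0 check disabled

backend pool_44
    balance roundrobin
    server-template pool_44_ 10 0.0.0.0:0 check disabled

backend pool_45
    balance roundrobin
    server-template pool_45_ 10 0.0.0.0:0 check disabled

backend pool_46
    balance roundrobin
    server-template pool_46_ 10 0.0.0.0:0 check disabled

backend pool_47
    balance roundrobin
    server-template pool_47_ 10 0.0.0.0:0 check disabled

backend pool_48
    balance roundrobin
    server-template pool_48_ 10 0.0.0.0:0 check disabled

backend pool_49
    balance roundrobin
    server-template pool_49_ 10 0.0.0.0:0 check disabled

backend pool_50
    balance roundrobin
    server-template pool_50_ 10 0.0.0.0:0 check disabled

backend pool_51
    balance roundrobin
    server-template pool_51_ 10 0.0.0.0:0 check disabled

backend pool_52
    balance roundrobin
    server-template pool_52_ 10 0.0.0.0:0 check disabled

backend pool_53
    balance roundrobin
    server-template pool_53_ 10 0.0.0.0:0 check disabled

backend pool_54
    balance roundrobin
    server-template pool_54_ 10 0.0.0.0:0 check disabled

backend pool_55
    balance roundrobin
    server-template pool_55_ 10 0.0.0.0:0 check disabled

backend pool_56
    balance roundrobin
    server-template pool_56_ 10 0.0.0.0:0 check disabled

backend pool_57
    balance roundrobin
    server-template pool_57_ 10 0.0.0.0:0 check disabled

backend pool_58
    balance roundrobin
    server-template pool_58_ 10 0.0.0.0:0 check disabled

backend pool_59
    balance roundrobin
    server-template pool_59_ 10 0.0.0.0:0 check disabled

backend pool_60
    balance roundrobin
    server-template pool_60_ 10 0.0.0.0:0 check disabled

backend pool_61
    balance roundrobin
    server-template pool_61_ 10 0.0.0.0:0 check disabled

backend pool_62
    balance roundrobin
    server-template pool_62_ 10 0.0.0.0:0 check disabled

backend pool_63
    balance roundrobin
    server-template pool_63_ 10 0.0.0.0:0 check disabled

backend pool_64
    balance roundrobin
    server-template pool_64_ 10 0.0.0.0:0 check disabled

backend pool_65
    balance roundrobin
    server-template pool_65_ 10 0.0.0.0:0 check disabled

backend pool_66
    balance roundrobin
    server-template pool_66_ 10 0.0.0.0:0 check disabled

backend pool_67
    balance roundrobin
    server-template pool_67_ 10 0.0.0.0:0 check disabled

backend pool_68
    balance roundrobin
    server-template pool_68_ 10 0.0.0.0:0 check disabled

backend pool_69
    balance roundrobin
    server-template pool_69_ 10 0.0.0.0:0 check disabled

backend pool_70
    balance roundrobin
    server-template pool_70_ 10 0.0.0.0:0 check disabled

backend pool_71
    balance roundrobin
    server-template pool_71_ 10 0.0.0.0:0 check disabled

backend pool_72
    balance roundrobin
    server-template pool_72_ 10 0.0.0.0:0 check disabled

backend pool_73
    balance roundrobin
    server-template pool_73_ 10 0.0.0.0:0 check disabled

backend pool_74
    balance roundrobin
    server-template pool_74_ 10 0.0.0.0:0 check disabled

backend pool_75
    balance roundrobin
    server-template pool_75_ 10 0.0.0.0:0 check disabled

backend pool_76
    balance roundrobin
    server-template pool_76_ 10 0.0.0.0:0 check disabled

backend pool_77
    balance roundrobin
    server-template pool_77_ 10 0.0.0.0:0 check disabled

backend pool_78
    balance roundrobin
    server-template pool_78_ 10 0.0.0.0:0 check disabled

backend pool_79
    balance roundrobin
    server-template pool_79_ 10 0.0.0.0:0 check disabled

backend pool_80
    balance roundrobin
    server-template pool_80_ 10 0.0.0.0:0 check disabled

backend pool_81
    balance roundrobin
    server-template pool_81_ 10 0.0.0.0:0 check disabled

backend pool_82
    balance roundrobin
    server-template pool_82_ 10 0.0.0.0:0 check disabled

backend pool_83
    balance roundrobin
    server-template pool_83_ 10 0.0.0.0:0 check disabled

backend pool_84
    balance roundrobin
    server-template pool_84_ 10 0.0.0.0:0 check disabled

backend pool_85
    balance roundrobin
    server-template pool_85_ 10 0.0.0.0:0 check disabled

backend pool_86
    balance roundrobin
    server-template pool_86_ 10 0.0.0.0:0 check disabled

backend pool_87
    balance roundrobin
    server-template pool_87_ 10 0.0.0.0:0 check disabled

backend pool_88
    balance roundrobin
    server-template pool_88_ 10 0.0.0.0:0 check disabled

backend pool_89
    balance roundrobin
    server-template pool_89_ 10 0.0.0.0:0 check disabled

backend pool_90
    balance roundrobin
    server-template pool_90_ 10 0.0.0.0:0 check disabled

backend pool_91
    balance roundrobin
    server-template pool_91_ 10 0.0.0.0:0 check disabled

backend pool_92
    balance roundrobin
    server-template pool_92_ 10 0.0.0.0:0 check disabled

backend pool_93
    balance roundrobin
    server-template pool_93_ 10 0.0.0.0:0 check disabled

backend pool_94
    balance roundrobin
    server-template pool_94_ 10 0.0.0.0:0 check disabled

backend pool_95
    balance roundrobin
    server-template pool_95_ 10 0.0.0.0:0 check disabled

backend pool_96
    balance roundrobin
    server-template pool_96_ 10 0.0.0.0:0 check disabled

backend pool_97
    balance roundrobin
    server-template pool_97_ 10 0.0.0.0:0 check disabled

backend pool_98
    balance roundrobin
    server-template pool_98_ 10 0.0.0.0:0 check disabled

backend pool_99
    balance roundrobin
    server-template pool_99_ 10 0.0.0.0:0 check disabled

backend pool_100
    balance roundrobin
    server-template pool_100_ 10 0.0.0.0:0 check disabled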