haproxy-mcp/conf/haproxy.cfg
kaffa 97af0b49e2 Update haproxy config and clean up domain mappings
- Add X-Forwarded-For support for real client IP detection (BunnyCDN)
- Change MCP domain from mcp.inouter.com to haproxy.inouter.com
- Remove unused wildcard domains (bench, mcp, ssh)
- Add nocodb.inouter.com wildcard mapping
- Ignore runtime files (*.db, cdn-ips.lst) in .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 11:07:32 +09:00


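global
    log stdout format raw local0
    maxconn 100000

    # Performance tuning
    nbthread 2
    cpu-map auto:1/1-2 0-1
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 100000
    tune.ssl.lifetime 3600
    tune.bufsize 32768
    tune.maxrewrite 8192
    tune.http.maxhdr 128

    # SSL optimization
    # Prefer ECDSA (roughly 10x faster than RSA) and AES-GCM, which uses
    # hardware acceleration where available. Anything below TLS 1.2 is refused.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2

    # Runtime API socket for dynamic updates.
    # "level admin" gives full control (maps, server state, ACLs) and the
    # socket itself has no authentication, so the only access control is the
    # file mode / network reachability of the socket. 660 instead of 666:
    # owner and group only. Give the MCP process access through the socket's
    # group (add `user`/`group` here) rather than making it world-writable.
    stats socket /var/run/haproxy/haproxy.sock mode 660 level admin expose-fd listeners
    # TCP variant restricted to loopback. `ipv4@*:9999` would expose the same
    # unauthenticated admin interface on every address this host has. If a
    # remote MCP process needs it, bind to that network's specific interface
    # address and keep it off any public-facing interface.
    stats socket ipv4@127.0.0.1:9999 level admin
    stats timeout 30s

    # Server state persistence (consumed by load-server-state-from-file in
    # the defaults section)
    server-state-file /var/lib/haproxy/servers.state
    server-state-base /var/lib/haproxy/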
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option http-keep-alive
    # Append the connecting address to X-Forwarded-For on the way to the backend
    option forwardfor

    # Timeouts. The short http-request / keep-alive windows bound how long an
    # idle or slow-sending client can hold a connection open.
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
    timeout http-keep-alive 10s

    # Load server state on startup (file configured by server-state-file in global)
    load-server-state-from-file global
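# Stats & API Dashboard
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats hide-version
    # "stats admin" lets the web UI change server state (enable/disable,
    # drain). The previous `if TRUE` granted that to anyone able to reach
    # :8404. Limit it to the ranges the other frontends already treat as
    # internal (loopback + the Tailscale 100.64.0.0/10 range). There is still
    # no `stats auth`, so read access stays open to whoever can reach the
    # port — keep :8404 off public interfaces or add `stats auth`.
    acl is_internal src 127.0.0.0/8 100.64.0.0/10
    stats admin if is_internal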
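# HTTP Frontend - forward to backend (same as HTTPS)
frontend http_front
    bind *:80

    # -- Shared security config (keep in sync with http_front/https_front) --
    # Send HTTP logs to CrowdSec
    log 10.253.100.240:514 local0

    # Set real client IP: CF-Connecting-IP if via Cloudflare, first
    # X-Forwarded-For hop if via another CDN, otherwise the direct client IP.
    # NOTE(review): both headers are honoured from *any* source. A client
    # connecting directly can supply them and thereby choose the address that
    # is rate-limited below and reported to CrowdSec. Gate them on the CDN
    # source ranges (the commit mentions a cdn-ips.lst runtime file), e.g.
    #   acl from_cdn src -f <PATH-TO>/cdn-ips.lst   # placeholder path
    # and add `from_cdn` to the two header-based set-var conditions.
    http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
    http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
    http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""

    # Per-IP concurrent connection limit (slowloris protection)
    # Note: http_front and https_front have separate stick-tables, so the same
    # IP is counted independently in each frontend (HTTP vs HTTPS).
    # hdr_ip() yields nothing when X-Real-IP does not parse as an address, so
    # such a request is presumably not tracked at all — one more reason to
    # only accept the headers from the CDN ranges (see above).
    stick-table type ip size 200k expire 5m store conn_cur
    acl is_internal src 127.0.0.0/8 100.64.0.0/10
    http-request track-sc0 hdr_ip(X-Real-IP) if !is_internal
    http-request deny deny_status 429 if !is_internal { sc_conn_cur(0) gt 500 }
    # -- End shared security config --

    # MCP host: the Bearer-token check lives only in https_front, but the
    # routing maps below are shared with it. If haproxy.inouter.com is present
    # in domains.map, a plaintext request for it would reach the same backend
    # without authentication, and any token a client sends here travels
    # unencrypted. Send it to HTTPS before routing.
    acl is_mcp hdr(host) -i haproxy.inouter.com
    http-request redirect scheme https code 301 if is_mcp

    # 2-stage map-based routing for performance:
    # Stage 1: Exact match with map_str (O(log n) - fast, uses ebtree)
    use_backend %[req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map)] if { req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map) -m found }
    # Stage 2: Wildcard fallback with map_dom (O(n) - slower, but only for wildcards)
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map)] if { req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map) -m found }
    default_backend default_backend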
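# HTTPS Frontend
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/ alpn h3
    # Advertise HTTP/3 on the same port for 24h
    http-response set-header alt-svc "h3=\":443\"; ma=86400"

    # -- Shared security config (keep in sync with http_front/https_front) --
    # Send HTTP logs to CrowdSec
    log 10.253.100.240:514 local0

    # Set real client IP: CF-Connecting-IP if via Cloudflare, first
    # X-Forwarded-For hop if via another CDN, otherwise the direct client IP.
    # NOTE(review): both headers are honoured from *any* source. A client
    # connecting directly can supply them and thereby choose the address that
    # is rate-limited below and reported to CrowdSec. Gate them on the CDN
    # source ranges (the commit mentions a cdn-ips.lst runtime file), e.g.
    #   acl from_cdn src -f <PATH-TO>/cdn-ips.lst   # placeholder path
    # and add `from_cdn` to the two header-based set-var conditions.
    http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
    http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
    http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""

    # Per-IP concurrent connection limit (slowloris protection)
    # Note: http_front and https_front have separate stick-tables, so the same
    # IP is counted independently in each frontend (HTTP vs HTTPS).
    # hdr_ip() yields nothing when X-Real-IP does not parse as an address, so
    # such a request is presumably not tracked at all — one more reason to
    # only accept the headers from the CDN ranges (see above).
    stick-table type ip size 200k expire 5m store conn_cur
    acl is_internal src 127.0.0.0/8 100.64.0.0/10
    http-request track-sc0 hdr_ip(X-Real-IP) if !is_internal
    http-request deny deny_status 429 if !is_internal { sc_conn_cur(0) gt 500 }
    # -- End shared security config --

    # MCP authentication (Bearer Token or Tailscale)
    # The token comes from the MCP_BEARER_TOKEN environment variable
    # (constructed name — align it with the deployment) instead of being
    # written into this file. The literal that used to be here is in git
    # history and has to be rotated. An unset variable would expand to
    # "Bearer " and match that exact header, so refuse to start without it.
    .if !defined(MCP_BEARER_TOKEN)
    .alert "MCP_BEARER_TOKEN must be set in the environment (https_front)"
    .endif
    acl is_mcp hdr(host) -i haproxy.inouter.com
    acl valid_token req.hdr(Authorization) -m str "Bearer ${MCP_BEARER_TOKEN}"
    # Tailscale bypass is based on the TCP source address, so it only applies
    # to direct connections from the tailnet, not to requests arriving via a CDN.
    acl is_tailscale src 100.64.0.0/10
    http-request deny deny_status 401 if is_mcp !valid_token !is_tailscale

    # 2-stage map-based routing for performance:
    # Stage 1: Exact match with map_str (O(log n) - fast, uses ebtree)
    use_backend %[req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map)] if { req.hdr(host),lower,map_str(/usr/local/etc/haproxy/domains.map) -m found }
    # Stage 2: Wildcard fallback with map_dom (O(n) - slower, but only for wildcards)
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map)] if { req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/wildcards.map) -m found }
    default_backend default_backend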
# Default backend: reached when neither routing map matches the Host header.
# It defines no servers; every request is answered with an immediate 503, so
# requests for unknown hosts are never proxied anywhere.
backend default_backend
    balance roundrobin
    http-request deny deny_status 503
# Pool backends (for dynamic domains)
# Each pool_N backend pre-allocates ten server slots (pool_N_1 .. pool_N_10)
# with a placeholder address of 0.0.0.0:0. Health checks are configured but
# every slot starts in maintenance (`disabled`); presumably the slots are
# given real addresses and enabled at runtime through the stats socket, and
# the routing maps point domains at the pool names.
backend pool_1
    balance roundrobin
    server-template pool_1_ 10 0.0.0.0:0 check disabled

backend pool_2
    balance roundrobin
    server-template pool_2_ 10 0.0.0.0:0 check disabled

backend pool_3
    balance roundrobin
    server-template pool_3_ 10 0.0.0.0:0 check disabled

backend pool_4
    balance roundrobin
    server-template pool_4_ 10 0.0.0.0:0 check disabled

backend pool_5
    balance roundrobin
    server-template pool_5_ 10 0.0.0.0:0 check disabled

backend pool_6
    balance roundrobin
    server-template pool_6_ 10 0.0.0.0:0 check disabled

backend pool_7
    balance roundrobin
    server-template pool_7_ 10 0.0.0.0:0 check disabled

backend pool_8
    balance roundrobin
    server-template pool_8_ 10 0.0.0.0:0 check disabled

backend pool_9
    balance roundrobin
    server-template pool_9_ 10 0.0.0.0:0 check disabled

backend pool_10
    balance roundrobin
    server-template pool_10_ 10 0.0.0.0:0 check disabled
# ACME Backend (for certbot)
# Single fixed server on loopback; no health check is configured, so the
# backend is always considered up. Nothing in the visible frontends routes
# here directly — presumably a routing map entry does.
backend acme_backend
    server acme 127.0.0.1:8080
# Pool backends 11-100: same shape as pool_1..pool_10 — ten pre-allocated
# server slots per backend, placeholder address 0.0.0.0:0, health checks on,
# all slots starting in maintenance until they are populated at runtime.
backend pool_11
    balance roundrobin
    server-template pool_11_ 10 0.0.0.0:0 check disabled

backend pool_12
    balance roundrobin
    server-template pool_12_ 10 0.0.0.0:0 check disabled

backend pool_13
    balance roundrobin
    server-template pool_13_ 10 0.0.0.0:0 check disabled

backend pool_14
    balance roundrobin
    server-template pool_14_ 10 0.0.0.0:0 check disabled

backend pool_15
    balance roundrobin
    server-template pool_15_ 10 0.0.0.0:0 check disabled

backend pool_16
    balance roundrobin
    server-template pool_16_ 10 0.0.0.0:0 check disabled

backend pool_17
    balance roundrobin
    server-template pool_17_ 10 0.0.0.0:0 check disabled

backend pool_18
    balance roundrobin
    server-template pool_18_ 10 0.0.0.0:0 check disabled

backend pool_19
    balance roundrobin
    server-template pool_19_ 10 0.0.0.0:0 check disabled

backend pool_20
    balance roundrobin
    server-template pool_20_ 10 0.0.0.0:0 check disabled

backend pool_21
    balance roundrobin
    server-template pool_21_ 10 0.0.0.0:0 check disabled

backend pool_22
    balance roundrobin
    server-template pool_22_ 10 0.0.0.0:0 check disabled

backend pool_23
    balance roundrobin
    server-template pool_23_ 10 0.0.0.0:0 check disabled

backend pool_24
    balance roundrobin
    server-template pool_24_ 10 0.0.0.0:0 check disabled

backend pool_25
    balance roundrobin
    server-template pool_25_ 10 0.0.0.0:0 check disabled

backend pool_26
    balance roundrobin
    server-template pool_26_ 10 0.0.0.0:0 check disabled

backend pool_27
    balance roundrobin
    server-template pool_27_ 10 0.0.0.0:0 check disabled

backend pool_28
    balance roundrobin
    server-template pool_28_ 10 0.0.0.0:0 check disabled

backend pool_29
    balance roundrobin
    server-template pool_29_ 10 0.0.0.0:0 check disabled

backend pool_30
    balance roundrobin
    server-template pool_30_ 10 0.0.0.0:0 check disabled

backend pool_31
    balance roundrobin
    server-template pool_31_ 10 0.0.0.0:0 check disabled

backend pool_32
    balance roundrobin
    server-template pool_32_ 10 0.0.0.0:0 check disabled

backend pool_33
    balance roundrobin
    server-template pool_33_ 10 0.0.0.0:0 check disabled

backend pool_34
    balance roundrobin
    server-template pool_34_ 10 0.0.0.0:0 check disabled

backend pool_35
    balance roundrobin
    server-template pool_35_ 10 0.0.0.0:0 check disabled

backend pool_36
    balance roundrobin
    server-template pool_36_ 10 0.0.0.0:0 check disabled

backend pool_37
    balance roundrobin
    server-template pool_37_ 10 0.0.0.0:0 check disabled

backend pool_38
    balance roundrobin
    server-template pool_38_ 10 0.0.0.0:0 check disabled

backend pool_39
    balance roundrobin
    server-template pool_39_ 10 0.0.0.0:0 check disabled

backend pool_40
    balance roundrobin
    server-template pool_40_ 10 0.0.0.0:0 check disabled

backend pool_41
    balance roundrobin
    server-template pool_41_ 10 0.0.0.0:0 check disabled

backend pool_42
    balance roundrobin
    server-template pool_42_ 10 0.0.0.0:0 check disabled

backend pool_43
    balance roundrobin
    server-template pool_43_ 10 0.0.0.0:0 check disabled

backend pool_44
    balance roundrobin
    server-template pool_44_ 10 0.0.0.0:0 check disabled

backend pool_45
    balance roundrobin
    server-template pool_45_ 10 0.0.0.0:0 check disabled

backend pool_46
    balance roundrobin
    server-template pool_46_ 10 0.0.0.0:0 check disabled

backend pool_47
    balance roundrobin
    server-template pool_47_ 10 0.0.0.0:0 check disabled

backend pool_48
    balance roundrobin
    server-template pool_48_ 10 0.0.0.0:0 check disabled

backend pool_49
    balance roundrobin
    server-template pool_49_ 10 0.0.0.0:0 check disabled

backend pool_50
    balance roundrobin
    server-template pool_50_ 10 0.0.0.0:0 check disabled

backend pool_51
    balance roundrobin
    server-template pool_51_ 10 0.0.0.0:0 check disabled

backend pool_52
    balance roundrobin
    server-template pool_52_ 10 0.0.0.0:0 check disabled

backend pool_53
    balance roundrobin
    server-template pool_53_ 10 0.0.0.0:0 check disabled

backend pool_54
    balance roundrobin
    server-template pool_54_ 10 0.0.0.0:0 check disabled

backend pool_55
    balance roundrobin
    server-template pool_55_ 10 0.0.0.0:0 check disabled

backend pool_56
    balance roundrobin
    server-template pool_56_ 10 0.0.0.0:0 check disabled

backend pool_57
    balance roundrobin
    server-template pool_57_ 10 0.0.0.0:0 check disabled

backend pool_58
    balance roundrobin
    server-template pool_58_ 10 0.0.0.0:0 check disabled

backend pool_59
    balance roundrobin
    server-template pool_59_ 10 0.0.0.0:0 check disabled

backend pool_60
    balance roundrobin
    server-template pool_60_ 10 0.0.0.0:0 check disabled

backend pool_61
    balance roundrobin
    server-template pool_61_ 10 0.0.0.0:0 check disabled

backend pool_62
    balance roundrobin
    server-template pool_62_ 10 0.0.0.0:0 check disabled

backend pool_63
    balance roundrobin
    server-template pool_63_ 10 0.0.0.0:0 check disabled

backend pool_64
    balance roundrobin
    server-template pool_64_ 10 0.0.0.0:0 check disabled

backend pool_65
    balance roundrobin
    server-template pool_65_ 10 0.0.0.0:0 check disabled

backend pool_66
    balance roundrobin
    server-template pool_66_ 10 0.0.0.0:0 check disabled

backend pool_67
    balance roundrobin
    server-template pool_67_ 10 0.0.0.0:0 check disabled

backend pool_68
    balance roundrobin
    server-template pool_68_ 10 0.0.0.0:0 check disabled

backend pool_69
    balance roundrobin
    server-template pool_69_ 10 0.0.0.0:0 check disabled

backend pool_70
    balance roundrobin
    server-template pool_70_ 10 0.0.0.0:0 check disabled

backend pool_71
    balance roundrobin
    server-template pool_71_ 10 0.0.0.0:0 check disabled

backend pool_72
    balance roundrobin
    server-template pool_72_ 10 0.0.0.0:0 check disabled

backend pool_73
    balance roundrobin
    server-template pool_73_ 10 0.0.0.0:0 check disabled

backend pool_74
    balance roundrobin
    server-template pool_74_ 10 0.0.0.0:0 check disabled

backend pool_75
    balance roundrobin
    server-template pool_75_ 10 0.0.0.0:0 check disabled

backend pool_76
    balance roundrobin
    server-template pool_76_ 10 0.0.0.0:0 check disabled

backend pool_77
    balance roundrobin
    server-template pool_77_ 10 0.0.0.0:0 check disabled

backend pool_78
    balance roundrobin
    server-template pool_78_ 10 0.0.0.0:0 check disabled

backend pool_79
    balance roundrobin
    server-template pool_79_ 10 0.0.0.0:0 check disabled

backend pool_80
    balance roundrobin
    server-template pool_80_ 10 0.0.0.0:0 check disabled

backend pool_81
    balance roundrobin
    server-template pool_81_ 10 0.0.0.0:0 check disabled

backend pool_82
    balance roundrobin
    server-template pool_82_ 10 0.0.0.0:0 check disabled

backend pool_83
    balance roundrobin
    server-template pool_83_ 10 0.0.0.0:0 check disabled

backend pool_84
    balance roundrobin
    server-template pool_84_ 10 0.0.0.0:0 check disabled

backend pool_85
    balance roundrobin
    server-template pool_85_ 10 0.0.0.0:0 check disabled

backend pool_86
    balance roundrobin
    server-template pool_86_ 10 0.0.0.0:0 check disabled

backend pool_87
    balance roundrobin
    server-template pool_87_ 10 0.0.0.0:0 check disabled

backend pool_88
    balance roundrobin
    server-template pool_88_ 10 0.0.0.0:0 check disabled

backend pool_89
    balance roundrobin
    server-template pool_89_ 10 0.0.0.0:0 check disabled

backend pool_90
    balance roundrobin
    server-template pool_90_ 10 0.0.0.0:0 check disabled

backend pool_91
    balance roundrobin
    server-template pool_91_ 10 0.0.0.0:0 check disabled

backend pool_92
    balance roundrobin
    server-template pool_92_ 10 0.0.0.0:0 check disabled

backend pool_93
    balance roundrobin
    server-template pool_93_ 10 0.0.0.0:0 check disabled

backend pool_94
    balance roundrobin
    server-template pool_94_ 10 0.0.0.0:0 check disabled

backend pool_95
    balance roundrobin
    server-template pool_95_ 10 0.0.0.0:0 check disabled

backend pool_96
    balance roundrobin
    server-template pool_96_ 10 0.0.0.0:0 check disabled

backend pool_97
    balance roundrobin
    server-template pool_97_ 10 0.0.0.0:0 check disabled

backend pool_98
    balance roundrobin
    server-template pool_98_ 10 0.0.0.0:0 check disabled

backend pool_99
    balance roundrobin
    server-template pool_99_ 10 0.0.0.0:0 check disabled

backend pool_100
    balance roundrobin
    server-template pool_100_ 10 0.0.0.0:0 check disabled