cozystack/packages/apps/http-cache/templates/haproxy/configmap.yaml

{{- define "backendoptions" }}
{{- if eq . "http" }}
mode http
option forwardfor
balance uri whole
hash-type consistent
retry-on conn-failure 503
retries 2
option redispatch 1
default-server observe layer7 error-limit 10 on-error mark-down check
{{- else if eq . "tcp" }}
mode tcp
balance roundrobin
default-server observe layer4 error-limit 10 on-error mark-down check
{{- else if eq . "tcp-with-proxy" }}
mode tcp
balance roundrobin
default-server observe layer4 error-limit 10 on-error mark-down check send-proxy-v2
{{- else }}
{{- fail (printf "mode %s is not supported" .) }}
{{- end }}
{{- end }}

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-haproxy
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  haproxy.cfg: |
    defaults
        mode    tcp
        option  dontlognull
        timeout http-request    10s
        timeout queue           20s
        timeout connect         5s
        timeout client          5m
        timeout server          5m
        timeout tunnel          5m
        timeout http-keep-alive 10s
        timeout check           10s

    frontend http
        bind :::8080 v4v6
        mode http
        {{- if $.Values.whitelistHTTP }}
        {{- with $.Values.whitelist }}
        acl whitelist src{{ range . }} {{ . }}{{ end }}
        {{- end }}
        acl all src 0.0.0.0
        tcp-request content accept if whitelist
        tcp-request content reject
        {{- end }}
        tcp-request content set-dst-port int(80)

        # match real IP from cloudflare
        acl from_cf src -f /usr/local/etc/haproxy/CF_ips.lst
        acl cf_ip_hdr req.hdr(CF-Connecting-IP) -m found
        http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr

        # overwrite real IP header from anywhere else
        http-request set-header X-Forwarded-For %[src] if !from_cf

        default_backend http

    backend http
        mode http
        balance uri whole
        hash-type consistent
        retry-on conn-failure 503
        retries 2
        option redispatch 1
        default-server observe layer7 error-limit 10 on-error mark-down

        {{- range $i, $e := until (int $.Values.nginx.replicas) }}
        server cache{{ $i }} {{ $.Release.Name }}-nginx-cache-{{ $i }}:80 check
        {{- end }}
        {{- range $i, $e := $.Values.endpoints }} 
        server origin{{ $i }} {{ $e }} backup
        {{- end }}
  # https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
  CF_ips.lst: |
    173.245.48.0/20
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    141.101.64.0/18
    108.162.192.0/18
    190.93.240.0/20
    188.114.96.0/20
    197.234.240.0/22
    198.41.128.0/17
    162.158.0.0/15
    104.16.0.0/13
    104.24.0.0/14
    172.64.0.0/13
    131.0.72.0/22
    2400:cb00::/32
    2606:4700::/32
    2803:f800::/32
    2405:b500::/32
    2405:8100::/32
    2a06:98c0::/29
    2c0f:f248::/32