Diffstat (limited to 'docs/configuration/loadbalancing')
| -rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 78 | 
1 files changed, 56 insertions, 22 deletions
| diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 970e084e..9cb49a7f 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -45,6 +45,11 @@ Service    Set SSL certificate <name> for service <name> +.. cfgcmd:: set load-balancing reverse-proxy service <name> +  http-response-headers <header-name> value <header-value> + +  Set custom HTTP headers to be included in all responses +  Rules  ^^^^^ @@ -113,11 +118,6 @@ Backend    Configure backend `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy backend <name> parameters -   http-check - -  Enable layer 7 HTTP health check -  .. cfgcmd:: set load-balancing reverse-proxy backend <name> server     <name> address <x.x.x.x> @@ -155,9 +155,40 @@ Backend    Configure requests to the backend server to use SSL encryption without    validating server certificate +.. cfgcmd:: set load-balancing reverse-proxy backend <name> +  http-response-headers <header-name> value <header-value> + +  Set custom HTTP headers to be included in all responses using the backend + + +Global +------- + +Global parameters + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections +   <num> + +  Limit maximum number of connections + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers +   <ciphers> + +  Limit allowed cipher algorithms used during SSL/TLS handshake + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min +   <version> + +  Specify the minimum required TLS version 1.2 or 1.3 + + +Health checks +============= + + +HTTP checks +----------- -HTTP health check -^^^^^^^^^^^^^^^^^  For web application providing information about their state HTTP health  checks can be used to determine their availability. 
@@ -180,31 +211,32 @@ checks can be used to determine their availability.     expect <condition>    Sets the expected result condition for considering a server healthy. +    Some possible examples are:     * ``status 200`` Expecting a 200 response code     * ``status 200-399`` Expecting a non-failure response code     * ``string success`` Expecting the string `success` in the response body -Global -------- +TCP checks +---------- -Global parameters +Health checks can also be configured for TCP mode backends. You can configure +protocol aware checks for a range of Layer 7 protocols: -.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections -   <num> - -  Limit maximum number of connections +.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> -.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers -   <ciphers> +  Available health check protocols: +   * ``ldap`` LDAP protocol check. +   * ``redis`` Redis protocol check. +   * ``mysql`` MySQL protocol check. +   * ``pgsql`` PostgreSQL protocol check. +   * ``smtp`` SMTP protocol check. -  Limit allowed cipher algorithms used during SSL/TLS handshake - -.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min -   <version> - -  Specify the minimum required TLS version 1.2 or 1.3 +.. note:: If you specify a server to be checked but do not configure a +   protocol, a basic TCP health check will be attempted. A server shall be +   deemed online if it responses to a connection attempt with a valid +   ``SYN/ACK`` packet.  Redirect HTTP to HTTPS @@ -291,6 +323,7 @@ HTTPS.  The ``https`` service listens on port 443 with backend ``bk-default`` to  handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. +HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site.  Rule 10 matches requests with the exact URL path ``/.well-known/xxx``  and redirects to location ``/certs/``. 
@@ -313,6 +346,7 @@ connection limit of 4000 and a minimum TLS version of 1.3.      set load-balancing reverse-proxy service https mode 'http'      set load-balancing reverse-proxy service https port '443'      set load-balancing reverse-proxy service https ssl certificate 'cert' +    set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000'      set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'      set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' | 
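Review bot: In the Service hunk (@@ -45,6 +45,11 @@), the new `http-response-headers <header-name> value <header-value>` entry does not say how to configure more than one header or whether a value containing spaces or semicolons must be quoted. The example added at the end of this patch quotes the value ('max-age=31536000'), so I suggest stating the quoting rule in the description here rather than leaving it to be inferred from the example.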
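Review bot: In the first Backend hunk (@@ -113,11 +118,6 @@), the `backend <name> parameters http-check` entry is deleted without any visible replacement that says how a layer 7 HTTP health check is switched on. If the command still exists, its documentation should move into the new "HTTP checks" section rather than disappear; if it was renamed or removed in the code, the commit message or the new section should say so.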
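Review bot: In the second Backend hunk (@@ -155,9 +155,40 @@), the backend `http-response-headers` description "Set custom HTTP headers to be included in all responses using the backend" is ambiguous and does not say what happens when the service and the backend both set the same header name. I suggest rewording to something like "included in all responses served from this backend" and adding one sentence on which setting wins. The same hunk introduces "Health checks" with an `=====` underline while "Global" uses `-------` and "Rules" uses `^^^^^`; please check that the sections following "Health checks" still land at the intended level in the rendered outline.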
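Review bot: In the health check hunk (@@ -180,31 +211,32 @@), the added note reads "if it responses to a connection attempt", which should be "if it responds to a connection attempt", and "protocol aware checks" in the paragraph above it should be hyphenated as "protocol-aware checks". The note also begins "If you specify a server to be checked" but nothing in the visible TCP checks text shows the command that marks a server for checking, so a cross-reference to that option would make the note usable on its own.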
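Review bot: In the example description hunk (@@ -291,6 +323,7 @@), the added sentence "HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site." is missing articles and describes the effect loosely, since HSTS instructs browsers to use HTTPS. I suggest "An HSTS header is set with a 1-year expiry to tell browsers to always use HTTPS for the site." The line is also noticeably longer than the wrapped lines around it and should be re-wrapped to match.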
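Review bot: In the example configuration hunk (@@ -313,6 +346,7 @@), the added command leaves the header name `Strict-Transport-Security` unquoted while every other value in the surrounding example lines is quoted ('http', '443', 'cert', '/certs/'). Quoting the header name would keep the block consistent. The value 'max-age=31536000' does match the 1-year expiry stated in the description, so no change is needed there.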
