BMW GHES 3.17.6 HAProxy remediation - complete templates + diff patch
| diff --git a/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl b/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| index 46cfe73bd6..719e8af90f 100644 | |
| --- a/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| +++ b/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| @@ -25,7 +25,7 @@ global | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| # Increment accordingly as more services are added to this file. | |
| - maxconn {{ multiply 1024 51 | add 15000 }} | |
| + maxconn 104088 | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| tune.ssl.maxrecord 1370 | |
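Review bot: The new line replaces the template arithmetic `maxconn {{ multiply 1024 51 | add 15000 }}` with the literal 104088, so the comment directly above it (global maxconn is the sum of the listener values) can no longer be checked against the file. Keep the derivation visible, either in the form the file already uses, e.g. `maxconn {{ multiply 1024 51 | add 15000 | add 36864 }}` where 36864 is the difference between the new literal and the old expression's value of 67224, or as a breakdown comment like the one the data-proxy patch adds. HAProxy derives its file-descriptor limit from global maxconn, so the process nofile limit should be confirmed to cover roughly twice this value before rollout, since HAProxy otherwise warns or, depending on version and strict-limits, refuses to start. With tune.bufsize 65536 kept two lines below, the worst-case buffer memory at 104088 connections also rises by the same factor and is worth checking against the host memory budget. The same hunk appears again in the second copy of this patch further down the page.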
| @@ -94,7 +94,7 @@ listen internal-api | |
| bind 127.0.0.1:1337 | |
| bind ::1:1337 v6only | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -139,7 +139,7 @@ listen unicorn | |
| bind 127.0.0.1:4327 | |
| bind ::1:4327 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -161,7 +161,7 @@ listen gitauth | |
| bind 127.0.0.1:4328 | |
| bind ::1:4328 v6only | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -183,7 +183,7 @@ listen authzd | |
| bind 127.0.0.1:4231 | |
| bind ::1:4231 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 2048 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -380,6 +380,7 @@ listen mssql | |
| bind ::1:1443 | |
| option tcplog | |
| log global | |
| + maxconn 8192 | |
| server {{ $configapply.mssql_master }} {{ $configapply.mssql_master }}:1433 | |
| @@ -532,7 +533,7 @@ listen spokesd | |
| bind 127.0.0.1:5010 | |
| bind ::1:5010 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -666,6 +667,7 @@ listen aqueduct-lite | |
| bind 127.0.0.1:9096 | |
| bind ::1:9096 | |
| bind /data/hookshot/shared/sockets/aqueduct-lite.sock user hookshot group hookshot mode 700 | |
| + maxconn 4096 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "aqueduct-lite@" $dc }}{{ range service $service }} | |
| @@ -747,7 +749,7 @@ listen turboscan | |
| bind 127.0.0.1:8888 | |
| bind ::1:8888 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| diff --git a/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl b/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| index 214bf97926..5de13b5d90 100644 | |
| --- a/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| +++ b/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| @@ -13,8 +13,9 @@ global | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| - # All listeners have a maxconn of 1024 except Redis which has a maxconn of 2048. | |
| - maxconn {{ multiply 1024 9 }} | |
| + # Breakdown: mysql: 4096, mysql_replica: 4096, redis: 8192, kafka-lite: 4096 | |
| + # Total: mysql(4096) + mysql_replica(4096) + redis(8192) + kafka-lite(4096) + buffer = 26624 | |
| + maxconn 26624 | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| tune.ssl.maxrecord 1370 | |
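Review bot: The breakdown comment added here accounts for only 20480 of the new 26624 (4096 + 4096 + 8192 + 4096) and labels the remaining 6144 as `buffer`, so the sum invariant stated two lines above still cannot be verified from the file. The removed expression `multiply 1024 9` counted nine listeners; the ones not named in the breakdown (presumably still at the 1024 default) should be listed explicitly, or the value kept as arithmetic in the file's existing style, e.g. `maxconn {{ multiply 4096 3 | add 8192 | add 6144 }}`. A second copy of this patch further down the page targets a different base blob of the same file, has no redis or kafka-lite hunks, and still arrives at 26624, so the two breakdowns cannot both describe the same deployment.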
| @@ -71,7 +72,7 @@ listen mysql | |
| bind /data/hookshot/shared/sockets/mysql-primary.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| server {{ $configapply.mysql_master }} {{ $configapply.mysql_master }}:{{ $configapply.mysql_master_port }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} | |
| listen mysql_replica | |
| @@ -85,7 +86,7 @@ listen mysql_replica | |
| bind /data/hookshot/shared/sockets/mysql-replica.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| {{- with $configapply.mysql_replicas }} | |
| {{- range $index, $mysql_replica := $configapply.mysql_replicas }} | |
| server {{ $mysql_replica }} {{ $mysql_replica }}:{{ index $configapply.mysql_replica_ports $index }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} | |
| @@ -99,7 +100,7 @@ listen redis | |
| bind /data/hookshot/shared/sockets/redis.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| - maxconn 2048 | |
| + maxconn 8192 | |
| {{ with $redis_master := $configapply.redis_master }} | |
| server {{ $redis_master}} {{ $redis_master }}:6379 check | |
| {{ end }} | |
| @@ -108,6 +109,7 @@ listen kafka-lite | |
| mode tcp | |
| bind 127.0.0.1:9093 | |
| bind ::1:9093 | |
| + maxconn 4096 | |
| {{- with $dc := $configapply.consul_primary_datacenter }} | |
| {{- range $datacenter, $webserver_dc_nodes := $configapply.webserver_nodes_by_datacenter }} |
| diff --git a/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl b/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| index 46cfe73bd6..719e8af90f 100644 | |
| --- a/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| +++ b/etc/consul-templates/etc/haproxy/haproxy-cluster-proxy.cfg.ctmpl | |
| @@ -25,7 +25,7 @@ global | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| # Increment accordingly as more services are added to this file. | |
| - maxconn {{ multiply 1024 51 | add 15000 }} | |
| + maxconn 104088 | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| tune.ssl.maxrecord 1370 | |
| @@ -94,7 +94,7 @@ listen internal-api | |
| bind 127.0.0.1:1337 | |
| bind ::1:1337 v6only | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -139,7 +139,7 @@ listen unicorn | |
| bind 127.0.0.1:4327 | |
| bind ::1:4327 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -161,7 +161,7 @@ listen gitauth | |
| bind 127.0.0.1:4328 | |
| bind ::1:4328 v6only | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -183,7 +183,7 @@ listen authzd | |
| bind 127.0.0.1:4231 | |
| bind ::1:4231 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 2048 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -380,6 +380,7 @@ listen mssql | |
| bind ::1:1443 | |
| option tcplog | |
| log global | |
| + maxconn 8192 | |
| server {{ $configapply.mssql_master }} {{ $configapply.mssql_master }}:1433 | |
| @@ -532,7 +533,7 @@ listen spokesd | |
| bind 127.0.0.1:5010 | |
| bind ::1:5010 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| @@ -666,6 +667,7 @@ listen aqueduct-lite | |
| bind 127.0.0.1:9096 | |
| bind ::1:9096 | |
| bind /data/hookshot/shared/sockets/aqueduct-lite.sock user hookshot group hookshot mode 700 | |
| + maxconn 4096 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "aqueduct-lite@" $dc }}{{ range service $service }} | |
| @@ -747,7 +749,7 @@ listen turboscan | |
| bind 127.0.0.1:8888 | |
| bind ::1:8888 | |
| mode http | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| diff --git a/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl b/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| index 6908d69b40..61a358b5a9 100644 | |
| --- a/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| +++ b/etc/consul-templates/etc/haproxy/haproxy-data-proxy.cfg.ctmpl | |
| @@ -14,7 +14,7 @@ global | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| # All listeners have a maxconn of 1024 except Redis which has a maxconn of 2048. | |
| - maxconn 20480 | |
| + maxconn 26624 | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| tune.ssl.maxrecord 1370 | |
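Review bot: The context line `# All listeners have a maxconn of 1024 except Redis which has a maxconn of 2048.` is kept while the two hunks below raise mysql and mysql_replica to 4096, so the comment is wrong the moment this patch lands; change it to `# All listeners have a maxconn of 1024 except mysql and mysql_replica (4096) and Redis (2048).`, which also matches the arithmetic of the change (20480 plus two increases of 3072 gives 26624). This copy of the patch is against base 6908d69b40, whereas the earlier copy on the page is against 214bf97926 and additionally raises redis to 8192 and adds a kafka-lite maxconn, so they produce different listener limits under the same global value. Which base blob the deployed 3.17.6 template actually carries should be confirmed before either variant is applied.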
| @@ -71,7 +71,7 @@ listen mysql | |
| bind /data/hookshot/shared/sockets/mysql-primary.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| server {{ $configapply.mysql_master }} {{ $configapply.mysql_master }}:{{ $configapply.mysql_master_port }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} | |
| listen mysql_replica | |
| @@ -85,7 +85,7 @@ listen mysql_replica | |
| bind /data/hookshot/shared/sockets/mysql-replica.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| - maxconn 1024 | |
| + maxconn 4096 | |
| {{- with $configapply.mysql_replicas }} | |
| {{- range $index, $mysql_replica := $configapply.mysql_replicas }} | |
| server {{ $mysql_replica }} {{ $mysql_replica }}:{{ index $configapply.mysql_replica_ports $index }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} |
| {{- /* Every routing decision below is driven by /etc/github/configapply.json; its keys are operator configuration, not request input. */ }} | |
| {{- $configapply := file "/etc/github/configapply.json" | parseJSON }} | |
| {{- /* Thread count: default 1, replaced by haproxy_nbthread when the key is present (printf turns the JSON value into a string). */ }} | |
| {{- $haproxy_nbthread := 1 }} | |
| {{- with $configapply.haproxy_nbthread }}{{ $haproxy_nbthread = printf "%v" $configapply.haproxy_nbthread }}{{ end }} | |
| {{- /* Routing flags derived from cluster_roles. active-replica-server and cache-server nodes point git-related listeners at their own Nomad datacenter; cache-server nodes additionally use local instances for internal-api. */ }} | |
| {{- $use_local_git_services := 0 }} | |
| {{- $use_local_internal_api_service := 0 }} | |
| {{- if $configapply.cluster_roles | contains "active-replica-server" }} | |
| {{- $use_local_git_services = 1 }} | |
| {{- end }} | |
| {{- if $configapply.cluster_roles | contains "cache-server" }} | |
| {{- $use_local_git_services = 1 }} | |
| {{- $use_local_internal_api_service = 1 }} | |
| {{- end }} | |
| global | |
| # Process-wide settings for the cluster proxy. Privileges drop to haproxy:haproxy once the sockets are bound. | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Thread count comes from configapply.json (haproxy_nbthread), defaulting to 1 in the preamble. | |
| nbthread {{ $haproxy_nbthread }} | |
| pidfile /var/run/haproxy/haproxy-cluster-proxy.pid | |
| log /dev/stdout local1 | |
| # Runtime API socket. Level admin permits state changes (disabling servers, altering limits), hence owner-only mode 600. | |
| stats socket /var/run/haproxy/haproxy-cluster-proxy.sock mode 600 level admin | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| # Increment accordingly as more services are added to this file. | |
| # 104088 is a literal (the earlier template arithmetic was dropped), so the sum has to be re-derived by hand whenever a listener's maxconn changes. | |
| # NOTE(review): HAProxy sizes its file-descriptor limit from this value; confirm the process nofile limit covers roughly 2x maxconn. | |
| maxconn 104088 | |
| # 64 KiB per-connection buffers; together with maxconn this bounds the worst-case buffer memory. | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| # Small TLS records so the first response bytes fit in a single segment. | |
| tune.ssl.maxrecord 1370 | |
| # Randomise health-check intervals by up to 3% so checks do not fire in lock-step. | |
| spread-checks 3 | |
| # On reload the old process is forced to exit after 600s even if sessions are still open. | |
| hard-stop-after 600s | |
| # Relaxes HAProxy's default rejection of request bodies on GET/HEAD/DELETE/OPTIONS. NOTE(review): confirm which backend relies on this, as it widens what is forwarded. | |
| h1-accept-payload-with-any-method | |
| defaults tcp | |
| # Baseline inherited by every frontend/listen below; a section overrides only what it restates. | |
| # Listeners that do not set their own maxconn (e.g. kafka-lite-admin) therefore get 1024. | |
| maxconn 1024 | |
| mode tcp | |
| balance leastconn | |
| # Retry on another server when the chosen one cannot be connected to. | |
| option redispatch | |
| # timeouts | |
| timeout client 120s | |
| timeout connect 10s | |
| timeout server 2m | |
| # How long a connection may wait for a free slot once a listener's maxconn is reached before it is rejected. | |
| timeout queue 1m | |
| # 1 minute longer than MySQL's wait_timeout | |
| timeout tunnel 481m | |
| timeout http-keep-alive 10s | |
| # Bounds the time to receive a complete request header, which limits slow-header (slowloris-style) clients. | |
| timeout http-request 15s | |
| timeout tarpit 30s | |
| # Address resolution order at startup; 'none' lets a server whose name does not resolve start without an address instead of failing the config load. | |
| default-server init-addr last,libc,none | |
| {{- if $configapply.is_metrics_next_enabled }} | |
| # Built-in Prometheus exporter, bound on every interface (*:8025) and unlogged. | |
| # NOTE(review): no ACL restricts the source address here, so access control has to come from the host firewall or network policy. | |
| # Requests for paths other than /metrics are not routed anywhere; presumably they end in a 503 since no backend is declared. | |
| frontend prometheus_stats | |
| bind *:8025 | |
| mode http | |
| http-request use-service prometheus-exporter if { path /metrics } | |
| no log | |
| {{- end }} | |
| listen grafana | |
| # Loopback-only proxy to the grafana instances registered in the primary datacenter (Consul KV key ghe/cluster/primary-datacenter). | |
| # The first instance returned by Consul is active; every later one is marked backup and only used when the active one is down. | |
| # No check keyword: HAProxy never marks these servers down itself; membership only changes when the template re-renders. | |
| mode http | |
| bind 127.0.0.1:8002 | |
| bind ::1:8002 v6only | |
| maxconn 1024 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "grafana@" $dc }}{{ range $index, $element := service $service }} | |
| server {{ index .NodeMeta "hostname" }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ if ne $index 0 }} backup{{ end }}{{ end }}{{ end }} | |
| {{ if $configapply.is_enabled_service_github_ernicorn }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| listen ernicorn | |
| # Unlike the loopback listeners, this binds on all IPv4 and IPv6 addresses, so other nodes can reach it; exposure is governed by the host firewall, not this file. | |
| # TCP passthrough to the github-ernicorn instances registered on this node only (matched on the NodeMeta hostname). | |
| bind :8149 | |
| bind :::8149 v6only | |
| mode tcp | |
| maxconn 1024 | |
| option srvtcpka | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ range service "github-ernicorn" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen internal-api | |
| # Internal API: forwards to github-unicorn instances on the fixed port 1336; the registered service .Port is not used here. | |
| # Cache-server nodes (use_local_internal_api_service) use instances in their own Nomad datacenter; all other nodes use the primary datacenter. | |
| # maxconn 8192 (raised from 1024); the global maxconn must include this value. | |
| bind 127.0.0.1:1337 | |
| bind ::1:1337 v6only | |
| mode http | |
| maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| # Adds X-Forwarded-For with the connecting address, which for a loopback listener is 127.0.0.1 or ::1. | |
| # NOTE(review): confirm the backend does not treat that header as the end-user address. | |
| option forwardfor | |
| {{ if $use_local_internal_api_service }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "github-unicorn@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:1336{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "github-unicorn@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:1336{{ end }}{{ end }} | |
| {{ end }} | |
| listen gpgverify | |
| # Loopback proxy to gpgverify instances in the primary datacenter; no health checks, membership follows Consul. | |
| bind 127.0.0.1:8091 | |
| bind ::1:8091 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "gpgverify@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen unicorn | |
| # Main github-unicorn proxy, using each instance's registered .Port (contrast internal-api, which pins port 1336). | |
| # Nodes with use_local_git_services set use their own Nomad datacenter; the rest use the primary datacenter. | |
| # maxconn 8192 (raised from 1024); counts toward the global maxconn sum. | |
| bind 127.0.0.1:4327 | |
| bind ::1:4327 | |
| mode http | |
| maxconn 8192 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "github-unicorn@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "github-unicorn@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen gitauth | |
| # Proxy to github-gitauth; datacenter selection mirrors the unicorn listener (local Nomad datacenter vs primary). | |
| # maxconn 4096 (raised from 1024); counts toward the global maxconn sum. | |
| bind 127.0.0.1:4328 | |
| bind ::1:4328 v6only | |
| mode http | |
| maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "github-gitauth@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "github-gitauth@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen authzd | |
| # Authorization service proxy; always uses the primary datacenter, no health checks. | |
| # maxconn 2048 (raised from 1024); counts toward the global maxconn sum. | |
| bind 127.0.0.1:4231 | |
| bind ::1:4231 | |
| mode http | |
| maxconn 2048 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "authzd@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen lfs-server | |
| # Git LFS proxy; datacenter selection mirrors unicorn/gitauth (local Nomad datacenter when use_local_git_services is set). | |
| # Still at the 1024 default, unlike the git-facing listeners raised in the remediation. | |
| bind 127.0.0.1:9105 | |
| bind ::1:9105 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "lfs-server@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "lfs-server@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen treelights | |
| # Proxy to treelights in the primary datacenter. The Host header is rewritten to the service name before forwarding. | |
| bind 127.0.0.1:4241 | |
| bind ::1:4241 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host treelights | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "treelights@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen hookshot-go | |
| # Webhook delivery service proxy (primary datacenter); Host header rewritten to the service name. | |
| bind 127.0.0.1:4007 | |
| bind ::1:4007 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host hookshot-go | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "hookshot-go@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen dependency-graph-api | |
| # Dependency graph API proxy (primary datacenter); Host header rewritten to the service name. | |
| bind 127.0.0.1:4005 | |
| bind ::1:4005 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host dependency-graph-api | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "dependency-graph-api@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen dependency-snapshots-api | |
| # Dependency snapshots API proxy (primary datacenter); Host header rewritten to the service name. | |
| bind 127.0.0.1:4008 | |
| bind ::1:4008 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host dependency-snapshots-api | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "dependency-snapshots-api@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen dependabot-api | |
| # Dependabot API proxy (primary datacenter); Host header rewritten to the service name. | |
| bind 127.0.0.1:4006 | |
| bind ::1:4006 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host dependabot-api | |
| # X-Forwarded-Proto is hard-coded to https regardless of how the request reached this loopback listener. | |
| # NOTE(review): presumably TLS terminates upstream of this proxy; confirm no plain-HTTP path can reach port 4006 and be reported as https. | |
| http-request set-header X-Forwarded-Proto https | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "dependabot-api@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen search | |
| # Elasticsearch proxy. The node list comes from configapply.json (search_nodes), not from Consul. | |
| # One of the few listeners with active health checks: an HTTP GET / is sent to each node, so a node that stops answering is taken out of rotation. | |
| # No 3h overrides here, so the 120s client / 2m server timeouts from defaults apply. | |
| bind 127.0.0.1:9201 | |
| bind ::1:9201 v6only | |
| mode http | |
| maxconn 1024 | |
| option httpchk | |
| http-check send meth GET uri / ver HTTP/1.1 hdr User-Agent GHE-Internal-HAProxy | |
| option http-keep-alive | |
| option srvtcpka | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $search_nodes := $configapply.search_nodes }} | |
| {{ range $index, $search_node := $search_nodes }} | |
| server {{ $search_node }} {{ $search_node }}:9200 check | |
| {{ end }}{{ end }} | |
| {{ range $datacenter, $search_dc_info := $configapply.search_nodes_by_datacenter }} | |
| listen search-{{ $datacenter }} | |
| # One listener per datacenter, on the port given by search_nodes_by_datacenter. | |
| # Each generated listener adds another 1024 to the listener total, so the global maxconn literal depends on how many datacenters are configured. | |
| # No option httpchk here, so 'check' on the servers is a plain TCP connect check rather than the HTTP probe the search listener uses. | |
| bind 127.0.0.1:{{ $search_dc_info.port }} | |
| bind ::1:{{ $search_dc_info.port }} v6only | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ range $node_index, $search_node := $search_dc_info.nodes }} | |
| server {{ $search_node }} {{ $search_node }}:9200 check | |
| {{ end }} {{ end }} | |
| # mssql, mps and token can be used during Actions Storage Provider validation when OIDC auth selected. They are not always running but we always set up their proxy config | |
| listen mssql | |
| # TCP passthrough to the single mssql_master host from configapply.json. | |
| # maxconn 8192 was added by the remediation (previously the 1024 inherited from defaults applied); it now counts 8192 toward the global sum. | |
| # No check keyword: while mssql is not running, connections are still accepted here and presumably fail at connect time rather than being refused up front. | |
| mode tcp | |
| bind 127.0.0.1:1443 | |
| bind ::1:1443 | |
| option tcplog | |
| log global | |
| maxconn 8192 | |
| server {{ $configapply.mssql_master }} {{ $configapply.mssql_master }}:1433 | |
| listen mps | |
| # Actions mps proxy (see the note above listen mssql: may be configured while the service is not running). | |
| # Host is rewritten to 127.0.0.1, so the backend sees the loopback address rather than the service name. | |
| bind 127.0.0.1:10001 | |
| bind ::1:10001 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host 127.0.0.1 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "mps@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen token | |
| # Actions token service proxy (see the note above listen mssql: may be configured while the service is not running). | |
| # Host is rewritten to 127.0.0.1 like the mps listener. | |
| bind 127.0.0.1:10002 | |
| bind ::1:10002 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host 127.0.0.1 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "token@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen kredz | |
| # kredz proxy (primary datacenter). Note: no http-keep-alive / srvtcpka options here, unlike most HTTP listeners in this file. | |
| bind 127.0.0.1:6011 | |
| bind ::1:6011 | |
| mode http | |
| maxconn 1024 | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host kredz | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "kredz@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen kredz-varz | |
| # kredz metrics/varz endpoint proxy (primary datacenter); same minimal option set as the kredz listener. | |
| bind 127.0.0.1:6013 | |
| bind ::1:6013 | |
| mode http | |
| maxconn 1024 | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host kredz-varz | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "kredz-varz@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ if $configapply.is_actions_ever_enabled }} | |
| listen launch-receiver | |
| # Actions launch-receiver proxy; only rendered when is_actions_ever_enabled is set (enclosing template condition). | |
| bind 127.0.0.1:5014 | |
| bind ::1:5014 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host launch-receiver | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "launch-receiver@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen launch-deployer | |
| # Clear-text HTTP/2 on both the bind and server side; only Consul instances tagged grpc are used. | |
| # A companion listener below (launch-deployer-5002) exposes the HTTP/1 instances of the same service. | |
| bind 127.0.0.1:6012 proto h2 | |
| bind ::1:6012 proto h2 | |
| mode http | |
| maxconn 1024 | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host launch-deployer | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "launch-deployer@" $dc }}{{ range service $service }}{{ if in .Tags "grpc" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} proto h2{{ end }}{{ end }}{{ end }} | |
| listen launch-deployer-5002 | |
| # HTTP/1 entry point for launch-deployer: only instances tagged http are used, and they are reached on the fixed port 5001, not the registered .Port. | |
| bind 127.0.0.1:5002 | |
| bind ::1:5002 | |
| mode http | |
| maxconn 1024 | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host launch-deployer | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "launch-deployer@" $dc }}{{ range service $service }}{{ if in .Tags "http" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:5001{{ end }}{{ end }}{{ end }} | |
| listen actions | |
| # Actions service proxy. maxconn 15000 is the largest per-listener limit in this file and is the 15000 the old global formula added explicitly. | |
| bind 127.0.0.1:10003 | |
| bind ::1:10003 | |
| mode http | |
| maxconn 15000 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host 127.0.0.1 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "actions@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen artifactcache | |
| # Actions artifact cache proxy (primary datacenter); rendered unconditionally, unlike the Actions listeners above. | |
| bind 127.0.0.1:10007 | |
| bind ::1:10007 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host 127.0.0.1 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "artifactcache@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ if $configapply.is_spokesd_enabled }} | |
| listen spokesd | |
| # Spokes (repository replication) API proxy; only instances tagged twirp are used. | |
| # Datacenter selection mirrors unicorn/gitauth (local Nomad datacenter when use_local_git_services is set). | |
| # maxconn 4096 (raised from 1024); counts toward the global maxconn sum. | |
| bind 127.0.0.1:5010 | |
| bind ::1:5010 | |
| mode http | |
| maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host spokesd | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "spokesd@" $dc }}{{ range service $service }}{{ if in .Tags "twirp" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "spokesd@" $dc }}{{ range service $service }}{{ if in .Tags "twirp" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_spokesd_enabled }} | |
| listen spokes-sweeper | |
| # Proxy to the spokes-sweeper instance on this node only: Consul NodeID is matched against node_uuid from configapply.json. | |
| bind 127.0.0.1:5020 | |
| bind ::1:5020 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host spokes-sweeper | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ range service "internal.spokes-sweeper" }}{{ if eq $configapply.node_uuid .NodeID }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_git_server }} | |
| {{ if $configapply.is_gitrpcd_enabled }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| listen gitrpcd | |
| # Git RPC (twirp) listener for git servers. Binds on all IPv4 and IPv6 addresses so other cluster nodes can reach it; exposure is governed by the host firewall, not this file. | |
| # Only the gitrpcd instances registered on this node are used (matched on the NodeMeta hostname). | |
| bind :8743 | |
| bind :::8743 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host gitrpcd | |
| # JSON error bodies instead of HAProxy's default HTML pages. | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ range service "twirp.gitrpcd" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| listen gitrpcd-git | |
| # Raw git transport for the same daemon, TCP mode, same all-interfaces bind and local-node-only server selection. | |
| bind :9480 | |
| bind :::9480 | |
| mode tcp | |
| maxconn 1024 | |
| option srvtcpka | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ range service "git.gitrpcd" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_git_server }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| # governor (TCP) on git servers: backends are only the Consul "governor" instances | |
| # registered on this node. Binds all interfaces on :4486, so network reachability | |
| # is governed outside this file. | |
| listen governor | |
| bind :4486 | |
| bind :::4486 | |
| mode tcp | |
| maxconn 1024 | |
| option srvtcpka | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ range service "governor" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_git_server }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| # git-daemon (TCP, git:// protocol) on git servers, backends limited to this node's | |
| # own git-daemon instances. All-interface bind on :9000; no auth exists at this | |
| # layer, so exposure of the port is a firewall concern. | |
| listen git-daemon | |
| bind :9000 | |
| bind :::9000 | |
| mode tcp | |
| maxconn 1024 | |
| option srvtcpka | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ range service "git-daemon" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| # kafka-lite-admin, loopback only. No explicit maxconn here, so it inherits the | |
| # defaults section (outside this excerpt). Backends are every kafka-lite-admin | |
| # instance in the Consul primary datacenter; if the primary-datacenter key is | |
| # unset the "with" block is skipped and the listener renders with no servers. | |
| listen kafka-lite-admin | |
| mode http | |
| bind 127.0.0.1:9094 | |
| bind ::1:9094 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "kafka-lite-admin@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # aqueduct-lite: loopback TCP ports plus a unix socket for hookshot. The socket is | |
| # owned by hookshot:hookshot with mode 700, so only that user (and root) can reach | |
| # the job queue through it. Higher maxconn (4096) than most internal listeners. | |
| listen aqueduct-lite | |
| mode http | |
| bind 127.0.0.1:9096 | |
| bind ::1:9096 | |
| bind /data/hookshot/shared/sockets/aqueduct-lite.sock user hookshot group hookshot mode 700 | |
| maxconn 4096 | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "aqueduct-lite@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # HAProxy statistics page for this proxy. Loopback only and no "stats auth", so any | |
| # local process can read it (but nothing off-host). | |
| listen stats | |
| bind 127.0.0.1:8789 | |
| bind ::1:8789 v6only | |
| mode http | |
| stats uri / | |
| {{ if $configapply.is_minio_enabled }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| # minio: all-interface bind on :10004, backends limited to the MinIO instance(s) | |
| # registered on this node. The Host rewrite is intentionally left commented out. | |
| listen minio | |
| bind :10004 | |
| bind :::10004 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| # http-request set-header Host 127.0.0.1 | |
| {{ range service "minio" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # This only has a single Minio server. | |
| # Loopback-only variant that always targets one MinIO instance in the primary | |
| # datacenter (the first one Consul returns, see below). | |
| listen minio_single_node | |
| bind 127.0.0.1:10005 | |
| bind ::1:10005 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| # http-request set-header Host 127.0.0.1 | |
| # `service` always returns services in lexicographic order, so using the first service should result in a consistent backend server so long as nodes are not added or removed from the cluster. | |
| {{- with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "minio@" $dc }} | |
| {{- with service $service }} | |
| {{- with index . 0 }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }}{{ end }} | |
| {{ end }} | |
| # turboghas, loopback only; backends are all turboghas instances in the primary | |
| # datacenter. Host header is rewritten to the service name before forwarding. | |
| listen turboghas | |
| bind 127.0.0.1:8866 | |
| bind ::1:8866 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host turboghas | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "turboghas@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ if $configapply.is_code_scanning_enabled }} | |
| # turboscan (code scanning), loopback only, rendered when code scanning is on. | |
| # Note the larger cap (4096) versus the 1024 used by most sibling listeners. | |
| listen turboscan | |
| bind 127.0.0.1:8888 | |
| bind ::1:8888 | |
| mode http | |
| maxconn 4096 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host turboscan | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "turboscan@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_packages_enabled }} | |
| # packages (v1) API, loopback only; no Host rewrite and no custom error pages, | |
| # unlike most HTTP listeners in this file. | |
| listen packages | |
| bind 127.0.0.1:10012 | |
| bind ::1:10012 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "packages@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_packages_enabled }} | |
| # packages-v2 listeners (loopback only). These differ from the rest of the file: | |
| # the server is named by Consul node (.Node) and addressed by .Address rather than | |
| # by the "hostname" node-meta, and it carries "check", so HAProxy actively probes | |
| # GET /health (Host 127.0.0.1, UA GHE-Internal-HAProxy) and pulls dead nodes. | |
| listen packages-v2-registry-metadata | |
| bind 127.0.0.1:10013 | |
| bind ::1:10013 | |
| mode http | |
| maxconn 1024 | |
| option httpchk | |
| http-check send meth GET uri /health ver HTTP/1.0 hdr Host 127.0.0.1 hdr User-Agent GHE-Internal-HAProxy | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "packages-v2-registry-metadata@" $dc }}{{ range service $service }} | |
| server {{ .Node }} {{ .Address }}:{{ .Port }} check # Node: {{ index .NodeMeta "hostname" }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_packages_enabled }} | |
| # Container registry API; same node/address/health-check scheme as above. | |
| listen packages-v2-container-registry | |
| bind 127.0.0.1:10014 | |
| bind ::1:10014 | |
| mode http | |
| maxconn 1024 | |
| option httpchk | |
| http-check send meth GET uri /health ver HTTP/1.0 hdr Host 127.0.0.1 hdr User-Agent GHE-Internal-HAProxy | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "packages-v2-container-registry@" $dc }}{{ range service $service }} | |
| server {{ .Node }} {{ .Address }}:{{ .Port }} check # Node: {{ index .NodeMeta "hostname" }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_packages_enabled }} | |
| # Container registry proxy. Carries "check" but no httpchk, so the health probe | |
| # is a plain TCP connect rather than GET /health like its two siblings. | |
| listen packages-v2-container-registry-proxy | |
| bind 127.0.0.1:10015 | |
| bind ::1:10015 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "packages-v2-container-registry-proxy@" $dc }}{{ range service $service }} | |
| server {{ .Node }} {{ .Address }}:{{ .Port }} check # Node: {{ index .NodeMeta "hostname" }}{{ end }}{{ end }} | |
| {{ end }} | |
| # babeld listeners. Each picks its backend set from the local Nomad datacenter when | |
| # $use_local_git_services is true (defined earlier in the file), otherwise from the | |
| # Consul primary datacenter. All bind every interface; none set maxconn except | |
| # babeld-http and babeld2hydro, the rest inherit the defaults section. | |
| listen babeld-stats | |
| bind :3032 | |
| bind :::3032 | |
| mode tcp | |
| timeout tunnel 10m | |
| option srvtcpka | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "babeld-stats@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "babeld-stats@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| listen babeld-http | |
| bind :3033 | |
| bind :::3033 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host babeld | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "babeld-http@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "babeld-http@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| # babeld-git / babeld-ssh: "accept-proxy" makes HAProxy take the client address from | |
| # the PROXY protocol header sent by whoever connects to :3034/:3035, and "send-proxy" | |
| # relays it to babeld. The client IP babeld sees is therefore only as trustworthy as | |
| # the set of hosts allowed to reach these ports (expected: the front-end proxies; | |
| # the restriction itself lives in firewall rules, not here). | |
| listen babeld-git | |
| bind :3034 accept-proxy | |
| bind :::3034 accept-proxy | |
| mode tcp | |
| timeout tunnel 10m | |
| option srvtcpka | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "babeld-git@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} send-proxy{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "babeld-git@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} send-proxy{{ end }}{{ end }} | |
| {{ end }} | |
| listen babeld-ssh | |
| bind :3035 accept-proxy | |
| bind :::3035 accept-proxy | |
| mode tcp | |
| timeout tunnel 10m | |
| option srvtcpka | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "babeld-ssh@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} send-proxy{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "babeld-ssh@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} send-proxy{{ end }}{{ end }} | |
| {{ end }} | |
| # babeld2hydro: HTTP path from babeld to hydro; Host is rewritten to "babeld". | |
| listen babeld2hydro | |
| bind :12345 | |
| bind :::12345 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host babeld | |
| {{ if $use_local_git_services }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "babeld2hydro@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "babeld2hydro@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| # viewscreen (rendering service): all-interface bind on :9394, backends are every | |
| # viewscreen instance in the primary datacenter. | |
| listen viewscreen | |
| bind :9394 | |
| bind :::9394 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "viewscreen@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # notebooks (notebook rendering): all-interface bind on :9494, same shape as | |
| # viewscreen above. | |
| listen notebooks | |
| bind :9494 | |
| bind :::9494 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "notebooks@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # codeload (archive downloads), TCP on :3050, all interfaces. Backends come from | |
| # the local Nomad datacenter when this node has the "active-replica-server" | |
| # cluster role, otherwise from the Consul primary datacenter. No maxconn: inherits | |
| # the defaults section. | |
| listen codeload | |
| bind :3050 | |
| bind :::3050 | |
| mode tcp | |
| timeout tunnel 10m | |
| option srvtcpka | |
| {{ if $configapply.cluster_roles | contains "active-replica-server" }} | |
| {{ with $dc := $configapply.nomad_datacenter }} | |
| {{- $service := print "codeload@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ else }} | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "codeload@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{- $local_hostname := "localhost" }} | |
| {{- with node }}{{ $local_hostname = index .Node.Meta "hostname" }}{{ end }} | |
| # $local_hostname declared here at template top level (not inside an "if") is the | |
| # value later reused by "listen http2hydro" further down this file. | |
| # alambic: all-interface bind on :5115, backends limited to the alambic instances | |
| # registered on this node. | |
| listen alambic | |
| bind :5115 | |
| bind :::5115 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host alambic | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ range service "alambic" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # driftwood: all-interface bind on :5215, backends are every driftwood instance in | |
| # the primary datacenter; Host rewritten to the service name. | |
| listen driftwood | |
| bind :5215 | |
| bind :::5215 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host driftwood | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "driftwood@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # Outbound mail relay: SMTP on :25, all interfaces, health-checked with smtpchk. The | |
| # first postfix instance Consul returns is the active server, every later one is | |
| # "backup". Servers get the PROXY header (send-proxy), so postfix on those nodes is | |
| # presumably configured to accept it from this host. No maxconn: inherits defaults. | |
| listen postfix | |
| bind :25 | |
| bind :::25 | |
| mode tcp | |
| option smtpchk | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "postfix@" $dc }}{{ range $index, $element := service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} send-proxy{{ if ne $index 0 }} backup{{ end }}{{ end }}{{ end }} | |
| {{ if $configapply.is_secret_scanning_enabled }} | |
| # token-scanning-api, loopback only, rendered when secret scanning is on. Only | |
| # Consul instances tagged "twirp" become backends. | |
| listen token-scanning-api | |
| bind 127.0.0.1:15000 | |
| bind ::1:15000 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host token-scanning-api | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "token-scanning-api@" $dc }}{{ range service $service }}{{ if in .Tags "twirp" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_secret_scanning_enabled }} | |
| # token-scanning-scans-api: same shape as token-scanning-api above (loopback only, | |
| # "twirp"-tagged instances only). | |
| listen token-scanning-scans-api | |
| bind 127.0.0.1:15001 | |
| bind ::1:15001 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host token-scanning-scans-api | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "token-scanning-scans-api@" $dc }}{{ range service $service }}{{ if in .Tags "twirp" }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_chatops_slack_enabled }} | |
| # Slack ChatOps integration, loopback only; no Host rewrite, no custom error pages. | |
| listen slack | |
| bind 127.0.0.1:4001 | |
| bind ::1:4001 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "slack@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_chatops_msteams_enabled }} | |
| # Microsoft Teams ChatOps integration, loopback only; mirrors the slack listener. | |
| listen msteams | |
| bind 127.0.0.1:4012 | |
| bind ::1:4012 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "msteams@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| {{ end }} | |
| {{ if $configapply.is_nes_enabled }} | |
| # nes-web (HTTP/1) and nes-grpc (cleartext HTTP/2 end to end via "proto h2" on both | |
| # bind and server), both loopback only and rendered when NES is enabled. | |
| listen nes-web | |
| bind 127.0.0.1:5555 | |
| bind ::1:5555 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host nes-web | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "nes-web@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # gRPC needs h2 on both sides; no keep-alive/error-page directives (not meaningful | |
| # for gRPC streams). | |
| listen nes-grpc | |
| bind 127.0.0.1:5050 proto h2 | |
| bind ::1:5050 proto h2 | |
| mode http | |
| maxconn 1024 | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host nes-grpc | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "nes-grpc@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }} proto h2{{ end }}{{ end }} | |
| {{ end }} | |
| # http2hydro, loopback only, backends limited to this node's own instances. Uses the | |
| # $local_hostname declared just before "listen alambic". No maxconn and no timeouts | |
| # of its own: both come from the defaults section. | |
| listen http2hydro | |
| bind 127.0.0.1:9095 | |
| bind ::1:9095 | |
| mode http | |
| option http-keep-alive | |
| option srvtcpka | |
| http-request set-header Host http2hydro | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ range service "http2hydro" }}{{ if eq $local_hostname (index .NodeMeta "hostname") }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # ghes-manage-gateway entry point, loopback only. Backends are defined at the end of | |
| # this file: requests go to the local gateway unless it has no live server | |
| # (nbsrv == 0) or the request carries an X-Proxy-Header, in which case they go to | |
| # the cluster-delegate ("regular") backend. Presence of that header is decided by | |
| # the caller, so any process on this host can steer a request to the delegate; the | |
| # loopback-only bind is what keeps that choice local to the host. | |
| listen ghes-manage-gateway | |
| bind 127.0.0.1:9401 | |
| bind ::1:9401 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host ghes-manage-gateway | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| acl external_request req.hdr(X-Proxy-Header) -m found | |
| acl local_backend_down nbsrv(ghes-manage-gateway-local) eq 0 | |
| use_backend ghes-manage-gateway-regular if local_backend_down or external_request | |
| use_backend ghes-manage-gateway-local | |
| # authnd (authentication service), loopback only; backends are every authnd | |
| # instance in the primary datacenter. | |
| listen authnd | |
| bind 127.0.0.1:4672 | |
| bind ::1:4672 | |
| mode http | |
| maxconn 1024 | |
| option http-keep-alive | |
| option srvtcpka | |
| timeout http-keep-alive 3h | |
| timeout client 3h | |
| timeout server 3h | |
| timeout tunnel 3h | |
| http-request set-header Host authnd | |
| errorfile 500 /etc/haproxy/errors/github500.json.http | |
| errorfile 502 /etc/haproxy/errors/github502.json.http | |
| errorfile 503 /etc/haproxy/errors/github503.json.http | |
| errorfile 504 /etc/haproxy/errors/github504.json.http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "authnd@" $dc }}{{ range service $service }} | |
| server {{ .ID }} {{ index .NodeMeta "hostname" }}:{{ .Port }}{{ end }}{{ end }} | |
| # Local ghes-manage-gateway on this host (127.0.0.1:9400), health-checked so that | |
| # nbsrv() in "listen ghes-manage-gateway" drops to 0 when it is down. | |
| backend ghes-manage-gateway-local | |
| mode http | |
| server localhost 127.0.0.1:9400 check | |
| # Cluster-wide ghes-manage-gateway backend. Nodes whose Consul node-meta | |
| # is_cluster_delegate is the string "true" are active; all others are "backup". | |
| # Server names use .NodeAddress; the unhyphened "{{ ... }}" lines inside the range | |
| # emit blank lines per instance, which HAProxy ignores. | |
| backend ghes-manage-gateway-regular | |
| mode http | |
| {{ with $dc := key "ghe/cluster/primary-datacenter" }} | |
| {{- $service := print "ghes-manage-gateway@" $dc }}{{ range service $service }} | |
| {{ $is_cluster_delegate := index .NodeMeta "is_cluster_delegate" }} | |
| {{ if eq $is_cluster_delegate "true" }} | |
| server {{ .NodeAddress }} {{ index .NodeMeta "hostname" }}:{{ .Port }} check | |
| {{ else }} | |
| server {{ .NodeAddress }} {{ index .NodeMeta "hostname" }}:{{ .Port }} check backup | |
| {{ end }}{{ end }}{{ end }} |
| {{- /* Node configuration comes from configapply.json; its values are interpolated | |
|      into this file verbatim, so that file is trusted input for HAProxy. */ -}} | |
| {{- $configapply := file "/etc/github/configapply.json" | parseJSON }} | |
| {{- /* Thread count defaults to 1 unless haproxy_nbthread is set (stringified). */ -}} | |
| {{- $haproxy_nbthread := 1 }} | |
| {{- with $configapply.haproxy_nbthread }}{{ $haproxy_nbthread = printf "%v" $configapply.haproxy_nbthread }}{{ end }} | |
| global | |
| user haproxy | |
| group haproxy | |
| daemon | |
| nbthread {{ $haproxy_nbthread }} | |
| pidfile /var/run/haproxy/haproxy-data-proxy.pid | |
| log /dev/stdout local1 | |
| # Admin-level runtime socket (can enable/disable servers, change weights); mode 600 | |
| # limits it to the haproxy user and root. | |
| stats socket /var/run/haproxy/haproxy-data-proxy.sock mode 600 level admin | |
| # Global maxconn is the sum of all the `listener` maxconn values, so that | |
| # one listener's backlog filling doesn't deny connections to another listener. | |
| # Breakdown: mysql(4096) + mysql_replica(4096) + redis(8192) + kafka-lite(4096) + dns_tcp(1024) + stats(1024) = 22528 (not 21504: the listed values add up to 22528) + headroom = 26624 | |
| # The remaining ~4096 headroom also has to cover prometheus_stats when enabled, | |
| # which has no explicit maxconn and inherits 1024 from "defaults tcp". | |
| maxconn 26624 | |
| tune.bufsize 65536 | |
| tune.pipesize 262144 | |
| tune.ssl.maxrecord 1370 | |
| spread-checks 3 | |
| # On reload the old process is forcibly stopped after 5s, which cuts any | |
| # long-lived tunnel connections (see the 481m tunnel timeout in defaults). | |
| hard-stop-after 5s | |
| h1-accept-payload-with-any-method | |
| # Defaults inherited by every listen/frontend below; maxconn 1024 is what the | |
| # stats listener and the prometheus_stats frontend end up with, since neither | |
| # sets its own. | |
| defaults tcp | |
| maxconn 1024 | |
| mode tcp | |
| balance leastconn | |
| option redispatch | |
| # timeouts | |
| timeout client 120s | |
| timeout connect 10s | |
| timeout server 2m | |
| timeout queue 1m | |
| # 1 minute longer than MySQL's wait_timeout | |
| timeout tunnel 481m | |
| timeout http-keep-alive 10s | |
| timeout http-request 15s | |
| timeout tarpit 30s | |
| # Start even if a server name cannot be resolved at boot (last known / libc / none). | |
| default-server init-addr last,libc,none | |
| {{ if $configapply.is_external_mysql_enabled }} | |
| # Only rendered for external MySQL; referenced by the mysql/mysql_replica server | |
| # lines via "resolvers local-dns". | |
| resolvers local-dns | |
| # By default HAProxy resolves DNS names only once at startup, but external MySQL instances' | |
| # hostnames can be backed by dynamic IPs that are refreshed on failover, for example. External | |
| # MySQL instances DNS hosts should be configured in /etc/resolv.conf, so pulling in all the hosts | |
| # from there will ensure that the we attempt to resolve to the correct IP address in the event | |
| # that the backing IP address has changed and HAProxy's initial resolution is out of date. | |
| parse-resolv-conf | |
| {{ end }} | |
| {{- if $configapply.is_metrics_next_enabled }} | |
| # Prometheus scrape endpoint on every interface (*:8026). /metrics is served by the | |
| # built-in exporter with no authentication, so what can read HAProxy internals is | |
| # decided by network-level restriction of :8026; other paths have no backend here. | |
| # "no log" means scrapes are absent from the access log. | |
| frontend prometheus_stats | |
| bind *:8026 | |
| mode http | |
| http-request use-service prometheus-exporter if { path /metrics } | |
| no log | |
| {{- end }} | |
| # MySQL primary: loopback TCP ports plus a hookshot-only unix socket (mode 700). | |
| # Server name/address/port are interpolated verbatim from configapply.json. | |
| # "on-marked-down shutdown-sessions" kills open sessions when the check fails, so | |
| # clients reconnect to the new primary instead of lingering on a stale one. | |
| listen mysql | |
| mode tcp | |
| timeout client-fin 2s | |
| timeout check 1s | |
| timeout server-fin 2s | |
| bind 127.0.0.1:3307 | |
| bind ::1:3307 v6only | |
| bind /data/hookshot/shared/sockets/mysql-primary.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| maxconn 4096 | |
| server {{ $configapply.mysql_master }} {{ $configapply.mysql_master }}:{{ $configapply.mysql_master_port }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} | |
| # MySQL replicas: same bind/check scheme as the primary listener. One server line per | |
| # entry of mysql_replicas, paired by index with mysql_replica_ports (the two lists | |
| # must be the same length; the template does not check that). Renders with no | |
| # servers when mysql_replicas is empty. | |
| listen mysql_replica | |
| mode tcp | |
| timeout client-fin 2s | |
| timeout check 1s | |
| timeout server-fin 2s | |
| bind 127.0.0.1:3308 | |
| bind ::1:3308 v6only | |
| bind /data/hookshot/shared/sockets/mysql-replica.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| maxconn 4096 | |
| {{- with $configapply.mysql_replicas }} | |
| {{- range $index, $mysql_replica := $configapply.mysql_replicas }} | |
| server {{ $mysql_replica }} {{ $mysql_replica }}:{{ index $configapply.mysql_replica_ports $index }} check on-marked-down shutdown-sessions{{ if $configapply.is_external_mysql_enabled }} resolvers local-dns{{ end }} | |
| {{- end }} | |
| {{- end }} | |
| # Redis primary on loopback :6380 plus a hookshot-only unix socket; single backend | |
| # taken from redis_master in configapply.json, always port 6379, TCP-checked. | |
| listen redis | |
| mode tcp | |
| bind 127.0.0.1:6380 | |
| bind ::1:6380 v6only | |
| bind /data/hookshot/shared/sockets/redis.sock user hookshot group hookshot mode 700 | |
| option tcplog | |
| log global | |
| maxconn 8192 | |
| {{ with $redis_master := $configapply.redis_master }} | |
| server {{ $redis_master}} {{ $redis_master }}:6379 check | |
| {{ end }} | |
| # kafka-lite on loopback :9093. Backends are the webserver nodes listed for the | |
| # Consul primary datacenter in configapply.json, each at :9092, with no health | |
| # check, so a dead node stays in rotation until the config is re-rendered. | |
| listen kafka-lite | |
| mode tcp | |
| bind 127.0.0.1:9093 | |
| bind ::1:9093 | |
| maxconn 4096 | |
| {{- with $dc := $configapply.consul_primary_datacenter }} | |
| {{- range $datacenter, $webserver_dc_nodes := $configapply.webserver_nodes_by_datacenter }} | |
| {{- if eq $dc $datacenter }} | |
| {{- range $node_index, $webserver_node := $webserver_dc_nodes }} | |
| server {{ $webserver_node }} {{ $webserver_node }}:9092 | |
| {{- end }} | |
| {{- end }} | |
| {{- end }} | |
| {{- end }} | |
| # Stats page for the data proxy, loopback only, no "stats auth": readable by any | |
| # local process. Inherits maxconn 1024 from defaults. | |
| listen stats | |
| bind 127.0.0.1:8889 | |
| bind ::1:8889 v6only | |
| mode http | |
| stats uri / |