Here's what I've come up with... Comments?
Note: 'FOO' placeholders have been substituted for the real names and values to obfuscate them.
#--------------------------------------------------------------------------------
# Nginx Config - SSL Termination
# TODO: Consider patched stunnel
# /etc/nginx/sites-enabled/default
# HTTPS server used to pass through to HAProxy
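server {
    # TLS terminates here; from this hop on it is plain HTTP to HAProxy on the loopback.
    listen 443 ssl;
    ssl_certificate /etc/ssl/FOO.crt;
    ssl_certificate_key /etc/ssl/FOO.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are protocol-level broken; offer TLS only.
    # TLSv1.1/TLSv1.2 need nginx 1.1.13+ built against OpenSSL 1.0.1+;
    # on an older build drop those two tokens rather than re-adding SSLv3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The previous list explicitly admitted LOW, EXP (export) and RC4 suites.
    # HIGH with anonymous-DH, MD5 and RC4 excluded, server order preferred.
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    # HAProxy pass through
    location / {
        proxy_pass http://127.0.0.1/;
        # Backends emit Location headers pointing at the loopback; rewrite them to the
        # public host and keep the https scheme (the old rule produced http://host:443/).
        proxy_redirect http://127.0.0.1/ https://$host:$server_port/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell HAProxy and the apps the client-facing hop was TLS, since they only see HTTP.
        proxy_set_header X-Forwarded-Proto https;
    }

    # Health Check gif
    location = /1x1.gif {
        empty_gif;
    }
}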
#--------------------------------------------------------------------------------
# HAProxy Config - Load Balancing
# /etc/haproxy/haproxy.cfg
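# Process-wide settings.
global
    daemon
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    spread-checks 50

# Inherited by every frontend / backend / listen section below.
defaults
    balance roundrobin
    log global
    mode http
    option httplog
    option forwardfor
    option http-server-close
    retries 3
    # The original set both the deprecated clitimeout (50000) and timeout client (5000);
    # one form is enough, and 50 s matches the server-side value.
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# Public entry point. TLS is terminated by nginx in front of this, so requests
# arriving from the nginx hop carry src 127.0.0.1.
frontend Incoming
    bind :80
    default_backend live_pool
    ########################################
    # Map to alternate backends
    # QA Matching on server name
    acl qa hdr_dom(host) -i qa
    use_backend qa_pool if qa
    # Staging Matching on server name
    acl staging hdr_dom(host) -i staging
    use_backend staging_pool if staging
    # Static Content Matching on URL path
    acl static path_beg /FOOversionFOO/
    use_backend varnish_cache if static

# Stats page on its own listener instead of the :80 frontend: the basic-auth
# credentials and the admin actions (enable/disable servers) no longer ride on
# the public port. Bound to loopback, so reach it over an SSH port-forward or
# bind a management address instead. Port 8404 is a constructed example.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats refresh 300s
    stats uri /STATSFOOURL
    stats auth USERNAMEFOO:PASSWORDFOO
    stats admin if TRUE

backend live_pool
    # NOTE(review): the per-server cookie values (a0/a1) only take effect with a
    # 'cookie <name> insert|rewrite|prefix' line in the backend; none is set here,
    # so sessions are plain roundrobin. Confirm whether stickiness was intended.
    server live-app-01:8080 live-app-01:8080 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server live-app-01:8081 live-app-01:8081 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie

backend qa_pool
    server qa-app:9090 qa-app:9090 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server qa-app:9091 qa-app:9091 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie

backend staging_pool
    server staging-app:9090 staging-app:9090 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server staging-app:9091 staging-app:9091 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie

# Local varnish cache. The section name must match the use_backend target in
# the frontend; it was 'thoughts_varnish_cache', which HAProxy would reject at load.
backend varnish_cache
    server localhost localhost:6081 check inter 3s
    option httpchk GET /FOO/cached/test.png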
#--------------------------------------------------------------------------------
# Varnish Config - Caching (set your expires headers correctly and use versioned URLs)
# /etc/varnish/default.vcl
# Backend server
# TODO: get a director pool working
# Single origin for the cache; no director yet (see the TODO above).
backend default {
    .port = "8080";
    .host = "live-app-01";
}
# Unset any cookies and authorization data for static links and icons, and fetch from cache
sub vcl_recv {
    # Versioned static assets are cache-shared across clients, so per-client
    # cookies and credentials are stripped before the lookup. Only GET qualifies;
    # everything else falls through to Varnish's built-in vcl_recv.
    # NOTE(review): assumes nothing under /FOOversionFOO/ is access-controlled,
    # since the Authorization header never reaches the origin — TODO confirm.
    if (req.request == "GET") {
        if (req.url ~ "^/FOOversionFOO/") {
            unset req.http.cookie;
            unset req.http.Authorization;
            return(lookup);
        }
    }
}
# Add some header hints to show varnish performance
sub vcl_deliver {
    # Diagnostic headers: which cache node answered and whether it was a hit.
    # NOTE(review): X-Served-By reveals the node's hostname to clients; fine
    # behind the load balancer, worth dropping if this ever faces the public directly.
    set resp.http.X-Served-By = server.hostname;
    if (obj.hits == 0) {
        set resp.http.X-Cache = "MISS";
    } else {
        set resp.http.X-Cache = "HIT";
        set resp.http.X-Cache-Hits = obj.hits;
    }
    return(deliver);
}