global
    # Drop resource limit checks to mitigate https://issues.redhat.com/browse/OCPBUGS-21803 in HAProxy 2.6.
    no strict-limits
    maxconn 50000
    nbthread 4
    daemon
    # Relative 'ca-file' / 'crt' arguments resolve under these directories (every path in
    # this file is absolute, so they are effectively unused here).
    ca-base /etc/ssl
    crt-base /etc/ssl
    # TODO: Check if we can get reload to be faster by saving server state.
    # server-state-file /var/lib/haproxy/run/haproxy.state
    # Runtime API socket at admin level: anything that can open it can disable servers or
    # change weights, so the 0600 mode is what restricts it to the haproxy user.
    # 'expose-fd listeners' lets listening sockets be handed to the next process on reload.
    stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners
    stats timeout 2m
    # Increase the default request size to be comparable to modern cloud load balancers (ALB: 64kb), affects
    # total memory use when large numbers of connections are open.
    # In OCP 4.8, this value is adjustable via the IngressController API.
    # Cluster administrators are still encouraged to use the default values provided below.
    tune.maxrewrite 8192
    tune.bufsize 32768
    # Configure the TLS versions we support
    # Applies to every 'bind ... ssl' in this file: TLS 1.0 / 1.1 handshakes are refused.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    # The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
    # or the user can provide one using the ROUTER_CIPHERS environment variable.
    # By default when a cipher set is not provided, intermediate is used.
    # user provided list of ciphers (Colon separated list as seen above)
    # the env default is not used here since we can't get here with empty ROUTER_CIPHERS
    # DH group size used by the DHE-* suites in the TLS 1.2 list below.
    tune.ssl.default-dh-param 2048
    # TLS 1.2 suites: forward-secret (ECDHE/DHE) AEAD suites only; no CBC and no static-RSA key exchange.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# Settings inherited by every frontend/backend that does not override them.
# Note: no 'mode' is set here, so a section without its own 'mode http' runs in TCP mode.
defaults
    maxconn 50000
    # To configure custom default errors, you can either uncomment the
    # line below (server ... 127.0.0.1:8080) and point it to your custom
    # backend service or alternatively, you can send a custom 503 or 404 error.
    #
    # server openshift_backend 127.0.0.1:8080
    # Error bodies served by HAProxy itself; no backend is involved.
    errorfile 503 /var/lib/haproxy/conf/error-page-503.http
    errorfile 404 /var/lib/haproxy/conf/error-page-404.http
    timeout connect 5s
    timeout client 30s
    timeout client-fin 1s
    timeout server 30s
    timeout server-fin 1s
    # Upper bound on how long a client may take to send complete request headers; this is
    # what limits connections that trickle headers to hold resources.
    timeout http-request 10s
    timeout http-keep-alive 300s
    # Long timeout for WebSocket connections.
    timeout tunnel 1h

# Plain-HTTP listener: serves http routes and the redirect-to-https decision.
frontend public
    bind :80
    mode http
    option idle-close-on-response
    # Wait up to 5s for request bytes and accept as soon as they look like HTTP; a connection
    # that matches no rule is accepted when the delay expires.
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    # Health endpoint answered by HAProxy itself; requests for this URI never reach a backend.
    monitor-uri /_______internal_router_healthz
    # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
    http-request deny if { hdr_len(content-length) 0 }
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # check if we need to redirect/force using https.
    # The map yields an int per host+path ('base'); '-m bool' turns a non-zero hit into the redirect decision.
    acl secure_redirect base,map_reg_int(/var/lib/haproxy/conf/os_route_http_redirect.map) -m bool
    redirect scheme https if secure_redirect
    # Route lookup on host+path; anything unmatched falls through to openshift_default.
    use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
    default_backend openshift_default

# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
frontend public_ssl
    # No 'ssl' on this bind and no 'mode http': TLS is NOT terminated here. The listener runs in
    # TCP mode and only reads the ClientHello (req_ssl_hello_type 1) to route on SNI.
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
    # for the SNI case, we also need to compare it in case-insensitive mode (by converting it to lowercase) as RFC 4343 says
    acl sni req.ssl_sni -m found
    acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
    # Passthrough route: the raw TLS stream is handed to the pod. The router never sees plaintext
    # here, so none of the header rules in fe_sni / fe_no_sni apply to these connections.
    use_backend %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
    # if the route is SNI and NOT passthrough enter the termination flow
    use_backend be_sni if sni
    # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
    # will not be able to match a cert to an SNI host
    default_backend be_no_sni

##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI host header
# which must exist in the CN of the certificate. Certificates must be concatenated
# as a single file (handled by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
# traffic
##########################################################################
backend be_sni
    # Loop back into fe_sni over a unix socket. send-proxy carries the real client address
    # across the hop (fe_sni binds with accept-proxy), so logs and %[src] stay accurate.
    server fe_sni unix@/var/lib/haproxy/run/haproxy-sni.sock weight 1 send-proxy

frontend fe_sni
    # terminate ssl on edge
    # default.pem is served when no crt-list entry matches the SNI. accept-proxy means any
    # peer able to connect to this socket path can assert a client address, so the socket's
    # filesystem permissions matter. no-alpn: nothing is negotiated via ALPN on this listener,
    # so ssl_fc_alpn is empty for connections terminated here.
    bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy no-alpn
    mode http
    option idle-close-on-response
    # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
    http-request deny if { hdr_len(content-length) 0 }
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # map to backend
    # Search from most specific to general path (host case).
    # Note: If no match, haproxy uses the default_backend, no other
    # use_backend directives below this will be processed.
    use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]
    default_backend openshift_default

##########################################################################
# END TLS SNI
##########################################################################

##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate the encryption
# using our wild card certificate. Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on the edge
backend be_no_sni
    # Same unix-socket loopback as be_sni, for clients that sent no SNI.
    server fe_no_sni unix@/var/lib/haproxy/run/haproxy-no-sni.sock weight 1 send-proxy

frontend fe_no_sni
    # terminate ssl on edge
    # Only the default certificate is available here (no crt-list), so a client without SNI
    # always gets default.pem. accept-proxy / no-alpn as in fe_sni.
    bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy no-alpn
    mode http
    option idle-close-on-response
    # Mitigate CVE-2023-40225 (Proxy forwards malformed empty Content-Length headers)
    http-request deny if { hdr_len(content-length) 0 }
    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy
    # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
    # before matching, or any requests containing uppercase characters will never match.
    http-request set-header Host %[req.hdr(Host),lower]
    # map to backend
    # Search from most specific to general path (host case).
    # Note: If no match, haproxy uses the default_backend, no other
    # use_backend directives below this will be processed.
    use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_reencrypt_be.map)]
    default_backend openshift_default

##########################################################################
# END TLS NO SNI
##########################################################################

# Catch-all for requests that match no route. It has no servers, so requests end in the
# 503 errorfile configured in 'defaults'.
backend openshift_default
    mode http
    option forwardfor
    #option http-keep-alive
    option http-pretend-keepalive

##-------------- app level backends ----------------

# Secure backend, pass through
# Raw TCP to the pods; TLS is end-to-end and the router never decrypts it. Affinity is by
# client source address (consistent hash) since no cookie can be inserted into a TLS stream.
backend be_tcp:openshift-authentication:oauth-openshift
    balance source
    hash-type consistent
    timeout check 5000ms
    # Active health checks every 5s; a pod failing its check leaves the rotation.
    server pod:oauth-openshift-6fccd5ccc-lxq75:oauth-openshift:https:10.128.0.80:6443 10.128.0.80:6443 weight 1 check inter 5000ms
    server pod:oauth-openshift-6fccd5ccc-txx8d:oauth-openshift:https:10.129.0.71:6443 10.129.0.71:6443 weight 1 check inter 5000ms
    server pod:oauth-openshift-6fccd5ccc-khqd5:oauth-openshift:https:10.130.0.15:6443 10.130.0.15:6443 weight 1 check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route for the console: TLS ends on fe_sni/fe_no_sni and is re-established to each pod.
backend be_secure:openshift-console:console
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 5m
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy (value = the chosen server's cookie below).
    # 'indirect' strips it before the request reaches the pod; 'nocache' keeps the Set-Cookie
    # response out of shared caches; HttpOnly/Secure/SameSite=None are set on it.
    cookie 1e2670d92730b515ce3a1bb65da45062 insert indirect nocache httponly secure attr SameSite=None
    # Re-encrypt to the pod: the chain must validate against the cluster service CA AND the
    # certificate name must match the service DNS name (verifyhost). Health-checked every 5s.
    server pod:console-69f8677c95-z9d9d:console:https:10.128.0.102:8443 10.128.0.102:8443 cookie 7fecc6d4786c9aa57ffb742c809fe63f weight 1 ssl verifyhost console.openshift-console.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
    server pod:console-69f8677c95-9ncnx:console:https:10.129.0.91:8443 10.129.0.91:8443 cookie db25e73968c432abc8a27c52e614bb46 weight 1 ssl verifyhost console.openshift-console.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Edge route: TLS ends on the router; the hop to the pod is cleartext HTTP on the cluster
# network (no 'ssl' on the server lines).
backend be_edge_http:openshift-console:downloads
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie a663438294fbd72a8e16964e97c8ecde insert indirect nocache httponly secure attr SameSite=None
    # Plain HTTP to the pods, health-checked every 5s.
    server pod:downloads-65bb9777fc-bkmsm:downloads:http:10.128.0.75:8080 10.128.0.75:8080 cookie 62d0c760f2f29f202d5b64041cc52728 weight 1 check inter 5000ms
    server pod:downloads-65bb9777fc-66jxg:downloads:http:10.129.0.66:8080 10.129.0.66:8080 cookie 2c5314d7daa3142b3a0cf254ea7c6e28 weight 1 check inter 5000ms

# Secure backend, pass through
# Raw TCP to the pods; TLS is end-to-end and the router never decrypts it. Unlike the oauth
# passthrough above this one balances round-robin ('hash-type' has no effect without a hash balance).
backend be_tcp:openshift-ingress-canary:canary
    balance roundrobin
    hash-type consistent
    timeout check 5000ms
    server pod:ingress-canary-rr7vn:ingress-canary:8443-tcp:10.128.0.53:8443 10.128.0.53:8443 weight 1 check inter 5000ms
    server pod:ingress-canary-ts25n:ingress-canary:8443-tcp:10.129.0.42:8443 10.129.0.42:8443 weight 1 check inter 5000ms
    server pod:ingress-canary-6xnjz:ingress-canary:8443-tcp:10.130.0.8:8443 10.130.0.8:8443 weight 1 check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route for Alertmanager: TLS ends on fe_sni/fe_no_sni and is re-established to each pod.
backend be_secure:openshift-monitoring:alertmanager-main
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 4e2f052a85d89824d1855ef94e095b2b insert indirect nocache httponly secure attr SameSite=None
    # Re-encrypt to the pod: chain validated against the cluster service CA and the certificate
    # name must match the service DNS name (verifyhost). Health-checked every 5s.
    server pod:alertmanager-main-1:alertmanager-main:web:10.129.0.76:9095 10.129.0.76:9095 cookie 4df7eb7ce32c0d75b51297f91f951264 weight 1 ssl verifyhost alertmanager-main.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
    server pod:alertmanager-main-0:alertmanager-main:web:10.130.0.17:9095 10.130.0.17:9095 cookie 03963d358f47cebe2a1568715e92e86b weight 1 ssl verifyhost alertmanager-main.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route for Prometheus: TLS ends on fe_sni/fe_no_sni and is re-established to each pod.
backend be_secure:openshift-monitoring:prometheus-k8s
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 97f6663f1252f61343f526ad937cfc1a insert indirect nocache httponly secure attr SameSite=None
    # Re-encrypt to the pod: chain validated against the cluster service CA and the certificate
    # name must match the service DNS name (verifyhost). Health-checked every 5s.
    server pod:prometheus-k8s-1:prometheus-k8s:web:10.129.0.78:9091 10.129.0.78:9091 cookie 70d3c78e0061f530c94acd911e4f7e3f weight 1 ssl verifyhost prometheus-k8s.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
    server pod:prometheus-k8s-0:prometheus-k8s:web:10.130.0.19:9091 10.130.0.19:9091 cookie 913bbc5c6561149d1e5a272d29306167 weight 1 ssl verifyhost prometheus-k8s.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route for the Prometheus /federate endpoint. It targets the same pods as the
# prometheus-k8s backend (same server cookies); only the affinity cookie name differs.
backend be_secure:openshift-monitoring:prometheus-k8s-federate
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 55cbf826fb5b0c929ec0c03819d877e5 insert indirect nocache httponly secure attr SameSite=None
    # Re-encrypt to the pod: chain validated against the cluster service CA and the certificate
    # name must match the service DNS name (verifyhost). Health-checked every 5s.
    server pod:prometheus-k8s-1:prometheus-k8s:web:10.129.0.78:9091 10.129.0.78:9091 cookie 70d3c78e0061f530c94acd911e4f7e3f weight 1 ssl verifyhost prometheus-k8s.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
    server pod:prometheus-k8s-0:prometheus-k8s:web:10.130.0.19:9091 10.130.0.19:9091 cookie 913bbc5c6561149d1e5a272d29306167 weight 1 ssl verifyhost prometheus-k8s.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route for Thanos Querier: TLS ends on fe_sni/fe_no_sni and is re-established to each pod.
backend be_secure:openshift-monitoring:thanos-querier
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie ee4d5f50aeaffc63a5a5fc30a3072a27 insert indirect nocache httponly secure attr SameSite=None
    # Re-encrypt to the pod: chain validated against the cluster service CA and the certificate
    # name must match the service DNS name (verifyhost). Health-checked every 5s.
    server pod:thanos-querier-7f646dd4d8-v72dv:thanos-querier:web:10.129.0.77:9091 10.129.0.77:9091 cookie 901c5cb010b290dd0fe25b8990516f2c weight 1 ssl verifyhost thanos-querier.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
    server pod:thanos-querier-7f646dd4d8-qxd8w:thanos-querier:web:10.130.0.18:9091 10.130.0.18:9091 cookie 8252f214a37561d4a9a11b15d0ded812 weight 1 ssl verifyhost thanos-querier.openshift-monitoring.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack aodh). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:aodh-public
    mode http
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie a15b0e108dee5709674baee559a4752c insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # No 'check' on this single-endpoint backend (presumably omitted by the generator when there
    # is one endpoint), so a dead pod is only noticed as request failures.
    server pod:aodh-0:aodh-public:aodh-public:10.128.0.180:8042 10.128.0.180:8042 cookie f049ed7a3ec21d32d4bfbbcb6321f9b2 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:aodh-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack cinder), route-supplied CA; see the aodh backend for the server-line notes.
backend be_secure:openstack:cinder-public
    mode http
    option redispatch
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie 33e2d45401feb6ecb7f87041ac073655 insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni (name not checked as far as this
    # file shows). Health-checked every 5s.
    server pod:cinder-b5802-api-2:cinder-public:cinder-public:10.128.0.164:8776 10.128.0.164:8776 cookie ab1255d7bf610359532ccc80fefdd75f weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:cinder-public.pem check inter 5000ms
    server pod:cinder-b5802-api-0:cinder-public:cinder-public:10.129.0.150:8776 10.129.0.150:8776 cookie 969a906b9972f2a9e9ec091c69d348c6 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:cinder-public.pem check inter 5000ms
    server pod:cinder-b5802-api-1:cinder-public:cinder-public:10.130.0.108:8776 10.130.0.108:8776 cookie 6e53441114d0f6a1d3cdd8c9e9ae0e5f weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:cinder-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack glance), route-supplied CA; see the aodh backend for the server-line notes.
backend be_secure:openstack:glance-default-public
    mode http
    option redispatch
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie c27908ff53cf87cdb033d6a54ac4cb8e insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni (name not checked as far as this
    # file shows). Health-checked every 5s.
    server pod:glance-b5802-default-external-api-2:glance-default-public:glance-default-public:10.128.0.166:9292 10.128.0.166:9292 cookie acb2a9685686c211070d629a5e99d81a weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:glance-default-public.pem check inter 5000ms
    server pod:glance-b5802-default-external-api-0:glance-default-public:glance-default-public:10.129.0.153:9292 10.129.0.153:9292 cookie 195bca936cc686a7491af4182642d7d5 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:glance-default-public.pem check inter 5000ms
    server pod:glance-b5802-default-external-api-1:glance-default-public:glance-default-public:10.130.0.109:9292 10.130.0.109:9292 cookie f382a78868535dde16397555411f6e9d weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:glance-default-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack heat API), route-supplied CA; see the aodh backend for the server-line notes.
backend be_secure:openstack:heat-api-public
    mode http
    option redispatch
    option forwardfor
    balance random
    # 10 minutes, overriding the 30s 'timeout server' from 'defaults' (long-running API calls).
    timeout server 600s
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie fca5068b2cc9222a9579546247ab94fd insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni. Single endpoint, no active
    # health check: a dead pod is only noticed as request failures.
    server pod:heat-api-db76b8b85-xpl75:heat-api-public:heat-api-public:10.128.0.163:8004 10.128.0.163:8004 cookie 86dccfb8c42b0db7f2f33972aeb29276 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:heat-api-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack heat CFN API). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:heat-cfnapi-public
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # 10 minutes, overriding the 30s 'timeout server' from 'defaults' (long-running API calls).
    timeout server 600s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 82fca24613122f4225b1434bce50a48f insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # Single endpoint with no active health check: a dead pod is only noticed as request failures.
    server pod:heat-cfnapi-64fcdf7d54-8r455:heat-cfnapi-public:heat-cfnapi-public:10.129.0.141:8000 10.129.0.141:8000 cookie b24046808e0622e313dc3f2714ed5c63 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:heat-cfnapi-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack ironic). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:ironic-public
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 0dca7ebaabe70eef509e843674c09f5f insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # Single endpoint with no active health check: a dead pod is only noticed as request failures.
    server pod:ironic-d55d46749-qq6mv:ironic-public:ironic-public:10.130.0.103:6385 10.130.0.103:6385 cookie ad8296bb8dea9e05eb1b786103c992d7 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:ironic-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack keystone), route-supplied CA; see the ironic backend for the server-line notes.
backend be_secure:openstack:keystone-public
    mode http
    option redispatch
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie b5697f82cf3c19ece8be533395142512 insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni (name not checked as far as this
    # file shows). Health-checked every 5s.
    server pod:keystone-848fcbb4df-54n8l:keystone-public:keystone-public:10.128.0.148:5000 10.128.0.148:5000 cookie 867cd985f3ea95f6c6b05c72aa1ef6da weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:keystone-public.pem check inter 5000ms
    server pod:keystone-848fcbb4df-cn592:keystone-public:keystone-public:10.129.0.128:5000 10.129.0.128:5000 cookie ad924bd94bd3a9d0bf357b1efac01a01 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:keystone-public.pem check inter 5000ms
    server pod:keystone-848fcbb4df-dr4lc:keystone-public:keystone-public:10.130.0.91:5000 10.130.0.91:5000 cookie 55876138b944eb9a7625d2082d1541f4 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:keystone-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack neutron), route-supplied CA; see the ironic backend for the server-line notes.
backend be_secure:openstack:neutron-public
    mode http
    option redispatch
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 120s
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie 38cec1d9c789c59243203143f8ef839e insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni (name not checked as far as this
    # file shows). Health-checked every 5s.
    server pod:neutron-748bbfcf89-tr8n2:neutron-public:neutron-public:10.128.0.165:9696 10.128.0.165:9696 cookie 745e8a60905417ad7abca6db8b9522d9 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:neutron-public.pem check inter 5000ms
    server pod:neutron-748bbfcf89-vpkvr:neutron-public:neutron-public:10.129.0.133:9696 10.129.0.133:9696 cookie d603534fc1b508e544172375a8dd0ff9 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:neutron-public.pem check inter 5000ms
    server pod:neutron-748bbfcf89-9smpw:neutron-public:neutron-public:10.130.0.110:9696 10.130.0.110:9696 cookie a3a9bd27b7c27985aa8c3bcb36ad37d4 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:neutron-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack noVNC proxy), route-supplied CA. No 'timeout server' override,
# so the 30s default applies to plain requests; upgraded WebSocket sessions fall under the 1h
# 'timeout tunnel' from 'defaults'.
backend be_secure:openstack:nova-novncproxy-cell1-public
    mode http
    option redispatch
    option forwardfor
    balance random
    timeout check 5000ms
    # Added, not set: client-supplied X-Forwarded-* values remain ahead of these.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn; not expected to match here.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # HAProxy-inserted affinity cookie; stripped before the pod ('indirect'), HttpOnly/Secure/SameSite=None.
    cookie a73a87c057a3561705860aa1e8d4d32f insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route CA, no verifyhost/sni. Single endpoint, no active
    # health check: a dead pod is only noticed as request failures.
    server pod:nova-cell1-novncproxy-0:nova-novncproxy-cell1-public:nova-novncproxy-cell1-public:10.129.0.166:6080 10.129.0.166:6080 cookie 097944df7348c258f1839679de002861 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:nova-novncproxy-cell1-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack nova API). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:nova-public
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 0dc6017b143850df8350099417b4ec9f insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # Health-checked every 5s.
    server pod:nova-api-2:nova-public:nova-public:10.128.0.179:8774 10.128.0.179:8774 cookie 8c9bd47fc778615f7aae36b947b7806e weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:nova-public.pem check inter 5000ms
    server pod:nova-api-0:nova-public:nova-public:10.129.0.176:8774 10.129.0.176:8774 cookie cbdb8089342cad7159fbb27325998fbe weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:nova-public.pem check inter 5000ms
    server pod:nova-api-1:nova-public:nova-public:10.130.0.121:8774 10.130.0.121:8774 cookie e792617ce46fb54e70251c61874e5eb2 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:nova-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack octavia). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:octavia-public
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 120s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie 8bd08ef9a33f1b163c825e6cba69ceff insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # Single endpoint with no active health check: a dead pod is only noticed as request failures.
    server pod:octavia-api-7f8fd8dbdd-z9j79:octavia-public:octavia-public:10.129.0.189:9876 10.129.0.189:9876 cookie d49f4807f65e803fde3f97c913663642 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:octavia-public.pem

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
# Re-encrypt route (OpenStack placement). The upstream CA comes from the route itself
# (/var/lib/haproxy/router/cacerts/...), not from the cluster service CA.
backend be_secure:openstack:placement-public
    mode http
    # On a connection failure to the cookie-pinned pod, retry another one.
    option redispatch
    # Appends X-Forwarded-For: <client src>.
    option forwardfor
    balance random
    # Overrides the 30s 'timeout server' from 'defaults'.
    timeout server 60s
    timeout check 5000ms
    # Forwarding headers are added, not set: X-Forwarded-* values the client sent remain in
    # the request ahead of these, so pods must not treat the first occurrence as trusted.
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    # ssl_fc is true for connections terminated on the TLS listeners, false for the :80 frontend.
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): the TLS listeners in this file bind with no-alpn, so ssl_fc_alpn is not
    # expected to be h2 here — confirm whether an ALPN-enabled listener exists elsewhere.
    http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # req.hdr() returns the last occurrence, i.e. the X-Forwarded-Proto added just above.
    http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    # Session affinity cookie inserted by HAProxy; 'indirect' strips it before the pod sees it,
    # 'nocache' keeps the Set-Cookie response out of shared caches; HttpOnly/Secure/SameSite=None.
    cookie a0787c90e7299024e7525b97b3d9ea96 insert indirect nocache httponly secure attr SameSite=None
    # Chain validated against the route-supplied CA. No 'verifyhost'/'sni' is given, so as far
    # as this file shows the certificate name is not checked — NOTE(review): confirm intended.
    # Health-checked every 5s.
    server pod:placement-6b597cbbf8-8sdfz:placement-public:placement-public:10.128.0.144:8778 10.128.0.144:8778 cookie b298bd140117acb95f64cc62fe81bac1 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:placement-public.pem check inter 5000ms
    server pod:placement-6b597cbbf8-8j29d:placement-public:placement-public:10.129.0.127:8778 10.129.0.127:8778 cookie 9730fdf937f766a007d5608977882c8f weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:placement-public.pem check inter 5000ms
    server pod:placement-6b597cbbf8-mh4z2:placement-public:placement-public:10.130.0.90:8778 10.130.0.90:8778 cookie 64097f1fe2a77ca5ee5bfc0b815cf723 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:placement-public.pem check inter 5000ms

# Plain http backend or backend with TLS terminated at the edge or a
# secure backend with re-encryption.
backend be_secure:openstack:swift-public mode http option redispatch option forwardfor balance random timeout check 5000ms http-request add-header X-Forwarded-Host %[req.hdr(host)] http-request add-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto http if !{ ssl_fc } http-request add-header X-Forwarded-Proto https if { ssl_fc } http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 } http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)] cookie 8555ec7bc3b761f9a531b621867c3563 insert indirect nocache httponly secure attr SameSite=None server pod:swift-proxy-66dfdcbff8-j4jhs:swift-public:swift-public:10.128.0.156:8080 10.128.0.156:8080 cookie c4c983f3622dcfbf9d2872f4df50bf04 weight 1 ssl verify required ca-file /var/lib/haproxy/router/cacerts/openstack:swift-public.pem