From df35af971c0bfa7d208720bdf4cc2adb5432ab28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mai=20G=C3=A1bor?=
Date: Wed, 18 May 2022 15:28:50 +0200
Subject: [PATCH] add haproxy 2.2 installation and cofig guide

---
 docs/HAproxy.md | 117 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 105 insertions(+), 12 deletions(-)

diff --git a/docs/HAproxy.md b/docs/HAproxy.md
index 2166f393..bd3a1060 100644
--- a/docs/HAproxy.md
+++ b/docs/HAproxy.md
@@ -80,22 +80,115 @@ trustProxy : ['192.0.2.5'],
 * Install and setup haproxy `apt install haproxy`
+* Install haproxy 2.2 (recommend)
+ sudo apt-get install gnupg2 curl -y
+curl https://haproxy.debian.net/bernat.debian.org.gpg | sudo apt-key add -
+echo deb http://haproxy.debian.net buster-backports-2.2 main | sudo tee /etc/apt/sources.list.d/haproxy.list
+sudo apt-get update
+apt-get install haproxy=2.2.\*
+
+sudo systemctl start haproxy
+sudo systemctl enable haproxy
+
 * Add to /etc/haproxy/haproxy.cfg config
 ``` plaintext
- backend edumeet
- balance url_param roomId
- hash-type consistent
- server mm1 192.0.2.1:80 check maxconn 2000 verify none
- server mm2 192.0.2.2:80 check maxconn 2000 verify none
- server mm3 192.0.2.3:80 check maxconn 2000 verify none
+global
+ # mult thread setup
+ nbproc 1
+ nbthread 4
+ cpu-map auto:1/1-4 0-3
+
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats socket /run/haproxy.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+ tune.ssl.default-dh-param 2048
+ maxconn 20000
+
+defaults
+ log global
+ mode http
+ option httplog
+ #option logasap
+ #option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+ maxconn 8192
+
+backend letsmeet-room-backend
+ fullconn 4000
+ balance url_param roomId
+ hash-type consistent
+ stick-table type string len 1024 size 100k expire 8h
+ stick store-request url_param(roomId)
+ stick match url_param(roomId)
+ stick match url_param(state),url_dec,b64dec,field(8,'\"')
+
+ server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+ server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+ server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+backend letsmeet-backend
+ fullconn 4000
+ balance leastconn
+ stick-table type ip size 200k expire 30m
+ stick on src
+ hash-type consistent
+
+ server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+ server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+ server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+frontend letsmeet
+ bind *:80
+ bind*:443 ssl crt /etc/ssl/edumeet.example.com/edumeet.example.com.pem alpn h2,http/1.1
+ http-request redirect scheme https if !{ ssl_fc }
+ http-request add-header X-Forwarded-Proto https
+ stats enable
+ stats uri /static/stats
+ #stats hide-version
+ stats refresh 10s
+ stats admin if TRUE
+ #stats admin if LOCALHOST
+ stats realm Haproxy\ Statistics
+ stats auth admin:password
+
+ maxconn 6000
+ acl roomId-acl url_param(roomId) -m found
+ acl callback-acl path_beg /auth/callback
+ use_backend letsmeet-room-backend if roomId-acl || callback-acl
+ default_backend letsmeet-backend
- frontend meet.example.com
- bind 192.0.2.5:80
- bind 192.0.2.5:443 ssl crt /root/certificate.pem
- http-request redirect scheme https unless { ssl_fc }
- reqadd X-Forwarded-Proto:\ https
- default_backend edumeet
 ```
+
+Creating cert with letsencrypt
+
+sudo cat /etc/letsencrypt/live/edumeet.example.com/fullchain.pem /etc/letsencrypt/live/edumeet.example.com/privkey.pem | sudo tee /etc/ssl/edumeet.example.com/edumeet.example.com.pem
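Review bot: The `frontend letsmeet` block turns on the admin stats page for everyone reaching the public listener — `stats admin if TRUE` together with the literal credentials `stats auth admin:password` — so anyone who follows this guide without changing the password exposes a page from which backend servers can be drained or disabled; the commented-out variant is the safe one, `acl LOCALHOST src 127.0.0.1/8` followed by `stats admin if LOCALHOST`, and the guide should tell readers to replace the password and enable the commented `stats hide-version`. `bind*:443 ssl crt ...` is missing the space after `bind`, so HAProxy will most likely reject it as an unknown keyword and never create the HTTPS listener. `ssl-default-bind-options no-sslv3` still negotiates TLS 1.0 and 1.1; `no-sslv3 no-tlsv10 no-tlsv11` is what the hardening references cited in the comment above it recommend. The Let's Encrypt step concatenates the private key into the PEM via `sudo tee`, which creates the file under the default umask (normally world-readable), so `sudo chmod 600 /etc/ssl/edumeet.example.com/edumeet.example.com.pem` should follow that command.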