kevin-l
3/23/2017 - 2:27 PM

Stack Exchange HAProxy

Stack Exchange HAProxy

# This is an example of the Stack Exchange Tier 1 HAProxy config
# The only things that have been changed from what we are running are: 
# 1. User names have been removed
# 2. All Passwords have been remove
# 3. IPs have been changed to use the example/documentation ranges
# 4. Rate limit numbers have been changed to randome numbers, don't read into them

userlist stats-auth
        group admin users $admin_user
        user $admin_user insecure-password $some_password
        group readonly users $some_user
        user $some_user insecure-password $some_other_password

global
        daemon
        stats socket /var/run/haproxy-t1.stat level admin
        maxconn 100000 
        pidfile /var/run/haproxy-t1.pid
        log 127.0.0.1 local0
        log  192.0.2.17   local0
	tune.bufsize 16384
        tune.maxrewrite 1024
        spread-checks 4
	log-send-hostname ny-lb05
        

defaults
        errorfile 503 /etc/haproxy-shared/errors/503.http
        errorfile 502 /etc/haproxy-shared/errors/502.http
        mode    http
        timeout connect 15s
        timeout client 60s
        timeout server 150s
        timeout queue 60s
        timeout http-request 15s
        timeout http-keep-alive 15s
	option httplog
        option redispatch
        option dontlognull
        balance source

backend be_api_1.1
	mode http
	balance roundrobin
        reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2
        reqirep ^([^\ ]*)\ /1.1/(.*) \1\ /\2

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackoverflow.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_api
	mode http
	balance roundrobin

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:api.stackexchange.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_area51_stackexchange_com
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:area51.stackexchange.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_careers
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:careers.stackoverflow.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_internal_api
	mode http
	balance roundrobin
        option http-server-close

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_meta_so
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:meta.stackoverflow.com

	server ny-web10 203.0.113.110:80 check
        server ny-web11 203.0.113.111:80 check
        

backend be_mobile
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:mobile.stackexchange.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_openid
	mode http
	balance roundrobin

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:openid.stackexchange.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_others
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:serverfault.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_so
	mode http

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_so_crawler
	mode http
	balance roundrobin

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackoverflow.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_sstatic
	mode http
	balance roundrobin
        acl HTTP_OK status 200:399
        rspidel ^Cache-Control:.* unless HTTP_OK

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD / HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:sstatic.net

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

backend be_stackauth
	mode http
	balance roundrobin
        reqirep ^([^\ ]*)\ /1.0/(.*) \1\ /\2

	stick-table type ip size 999k expire 1m store conn_rate(30s)
	acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips
	tcp-request content  track-sc2 src
	acl conn_rate_abuse  sc2_conn_rate gt 10
	acl mark_as_abuser   sc1_inc_gpc0 gt 3
	tcp-request content  reject if conn_rate_abuse !rate_limit_whitelist mark_as_abuser

	stats enable
	acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN
	stats uri /ilovestats
	stats refresh 30s
	option httpchk HEAD /ping HTTP/1.1\r\nUser-Agent:HAProxy\r\nHost:stackauth.com

	server ny-web01 203.0.113.101:80 check
        server ny-web02 203.0.113.102:80 check
        server ny-web03 203.0.113.103:80 check
        server ny-web04 203.0.113.104:80 check
        server ny-web05 203.0.113.105:80 check
        server ny-web06 203.0.113.106:80 check
        server ny-web07 203.0.113.107:80 check
        server ny-web08 203.0.113.108:80 check
        server ny-web09 203.0.113.109:80 check
        

frontend fe_stackauth
	bind 198.51.100.21:80 name stackauth
	bind 198.51.100.145:80 name stackauth
	
	
	log global
	
	stick-table type ip size 999k expire 1m store conn_rate(30s)

        capture request header Referer               len 64
        capture request header User-Agent            len 128
        capture request header Host                  len 64
        capture request header X-Forwarded-For       len 64
        capture request header Accept-Encoding       len 64
        capture response header Content-Encoding     len 64
        capture response header X-Page-View          len 1
        capture response header X-Route-Name         len 64
        capture response header X-Account-Id         len 7     
        capture response header X-Sql-Count          len 4
        capture response header X-Sql-Duration-Ms    len 7
        capture response header X-AspNet-Duration-Ms len 7
        capture response header X-Application-Id     len 5
        capture response header X-Request-Guid       len 36
        capture response header X-Redis-Count        len 4
        capture response header X-Redis-Duration-Ms  len 7
        capture response header X-Http-Count         len 4
        capture response header X-Http-Duration-Ms   len 7
        capture response header X-TE-Count           len 4
        capture response header X-TE-Duration-Ms     len 7

	rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):

	maxconn 40000
	
	option http-server-close
	option forwardfor
	option httplog

	
        acl source_is_serious_abuse src_conn_rate(fe_stackauth) gt 20


        acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips

        acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
        acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist

        acl is_crawler src -f /etc/haproxy-shared/crawlers
        acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
        
        acl source_is_abuser src_get_gpc0(fe_stackauth) gt 0

 

 

 

	


        tcp-request connection track-sc1 src if !source_is_abuser
	
 
	default_backend be_stackauth
frontend http-in
	bind 198.51.100.16:80 name stackexchange
	bind 198.51.100.17:80 name careers
	bind 198.51.100.30:80 name careers.sstatic.net
	bind 198.51.100.18:80 name openid
	bind 198.51.100.24:80 name misc
	bind 198.51.100.140:80 name stackexchange
	bind 198.51.100.141:80 name careers
	bind 198.51.100.154:80 name careers.sstatic.net
	bind 198.51.100.142:80 name openid
	bind 198.51.100.148:80 name misc
	
	
	log global
	
	stick-table type ip size 999k expire 1m store conn_rate(30s)

        capture request header Referer               len 64
        capture request header User-Agent            len 128
        capture request header Host                  len 64
        capture request header X-Forwarded-For       len 64
        capture request header Accept-Encoding       len 64
        capture response header Content-Encoding     len 64
        capture response header X-Page-View          len 1
        capture response header X-Route-Name         len 64
        capture response header X-Account-Id         len 7     
        capture response header X-Sql-Count          len 4
        capture response header X-Sql-Duration-Ms    len 7
        capture response header X-AspNet-Duration-Ms len 7
        capture response header X-Application-Id     len 5
        capture response header X-Request-Guid       len 36
        capture response header X-Redis-Count        len 4
        capture response header X-Redis-Duration-Ms  len 7
        capture response header X-Http-Count         len 4
        capture response header X-Http-Duration-Ms   len 7
        capture response header X-TE-Count           len 4
        capture response header X-TE-Duration-Ms     len 7

	rspidel ^(X-Page-View|Server|X-Route-Name|X-Account-Id|X-Sql-Count|X-Sql-Duration-Ms|X-AspNet-Duration-Ms|X-Application-Id|X-Request-Guid|X-Redis-Count|X-Redis-Duration-Ms|X-Http-Count|X-Http-Duration-Ms|X-TE-Count|X-TE-Duration-Ms):

	maxconn 40000
	
	option http-server-close
	option forwardfor
	option httplog

	
        acl source_is_serious_abuse src_conn_rate(http-in) gt 1000


        acl rate_limit_whitelist src -f /etc/haproxy-shared/whitelist-ips

        acl api_only_ips src -f /etc/haproxy-shared/api-only-ips
        acl api_only_whitelist src -f /etc/haproxy-shared/api-only-whitelist

        acl is_crawler src -f /etc/haproxy-shared/crawlers
        acl is_crawler_ua hdr(user-agent) -f /etc/haproxy-shared/crawlers_ua
        
        acl source_is_abuser src_get_gpc0(http-in) gt 2

	acl is_feeds path_beg /feeds/
	acl is_internal_api path_beg /api/
	acl is_careers hdr_beg(host) -i careers. jobs.
	acl is_so hdr_end(host) -i stackoverflow.com
	acl is_sstatic hdr_end(host) -i sstatic.net
	acl is_stackauth hdr_end(host) -i stackauth.com
	acl is_se hdr_end(host) -i stackexchange.com
	acl is_area51 hdr(host) -i area51.stackexchange.com
	acl is_mobile hdr(host) -i mobile.stackexchange.com
	acl is_stackexchange_com hdr(host) -i stackexchange.com
	acl is_meta_so hdr_end(host) -i meta.stackoverflow.com
	acl is_dev_meta_webapps hdr_end(host) -i meta.dev.webapps.stackexchange.com
	acl is_dev_fb hdr_end(host) -i fb.dev.stackoverflow.com
	acl is_api_2 hdr(host) -i api.stackexchange.com
	acl is_api hdr_sub(host) -i api
	acl is_api_1.0 path_beg /1.0/
	acl is_api_1.1 path_beg /1.1/
	acl is_api_root path /
	acl is_api_static path_beg -i /admin /content /crossdomain.xml /clientaccesspolicy.xml /robots.txt
	acl is_dev hdr_beg(host) -i dev.
	acl is_dev_discuss hdr_end(host) -i discuss.dev.area51.stackexchange.com
	acl is_openid hdr_beg(host) -i openid.stackexchange.com
	acl is_80 dst_port 80
	acl is_ssl hdr_beg(X-SSL) -i yes
	acl is_chat_yodeya hdr(host) -i chat.yodeya.com chat.miyodeya.com
	acl is_bam_yodeya hdr(host) -i bam.yodeya.com bam.miyodeya.com
	acl is_launchparty_yodeya hdr(host) -i launchparty.yodeya.com launchparty.miyodeya.com
	acl is_me_yodeya hdr(host) -i me.yodeya.com me.miyodeya.com
	acl is_kindle hdr_sub(user-agent) Silk-Accelerated
	acl is_akamai hdr(host) -i sstatic-a.akamaihd.net
 

 

	redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_chat_yodeya
	redirect prefix http://chat.stackexchange.com/rooms/468 code 301 if is_bam_yodeya
	redirect prefix http://meta.judaism.stackexchange.com/questions/1134 code 301 if is_launchparty_yodeya
	redirect prefix http://judaism.stackexchange.com code 301 if is_me_yodeya
	redirect prefix https://openid.stackexchange.com code 301 if is_80 is_openid !is_ssl
 

	

        tcp-request connection track-sc1 src if !source_is_abuser
	
	use_backend be_internal_api if is_internal_api !is_careers
	use_backend be_api_1.1 if is_api is_api_1.0
	use_backend be_api_1.1 if is_api is_api_1.1
	use_backend be_api if is_api_2
	use_backend be_api_1.1 if is_api is_api_static
	use_backend be_api_1.1 if is_api is_api_root
	use_backend be_bad_api if is_api
	use_backend be_sstatic if is_sstatic
	use_backend be_sstatic if is_akamai
	use_backend be_mobile if is_mobile
	use_backend be_area51_stackexchange_com if is_area51
	use_backend be_area51_stackexchange_com if is_stackexchange_com
	use_backend be_meta_so if is_meta_so
	use_backend be_careers if is_careers
	use_backend be_so_crawler if is_so is_crawler
	use_backend be_so_crawler if is_so is_crawler_ua
	use_backend be_so if is_so
	use_backend be_stackauth if is_stackauth
	use_backend be_openid if is_openid
 
	default_backend be_others
backend be_api_only
	mode http
	errorfile 503 /etc/haproxy-shared/errors/503apionly.http

backend be_bad_api
	mode http
	errorfile 403 /etc/haproxy-shared/errors/403.http

backend be_go-away
	mode http
	errorfile 503 /etc/haproxy-shared/errors/503rate.http

backend be_no_ssl
	mode http
	errorfile 503 /etc/haproxy-shared/errors/503nossl.http

listen t1_internal_stats
	bind 203.0.113.15:7001
	


	mode http
	balance roundrobin

 
	


        stats enable
        stats uri /ilovestats
        acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats http-request auth unless AUTH
        stats admin if AUTH_ADMIN