authorAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
committerAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
commitc6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 (patch)
treed1c21cf0d9a2529154b33438bd91821268be5eb4 /haproxy.conf.j2
🎉 Initial commit of infra
Diffstat (limited to 'haproxy.conf.j2')
-rw-r--r--haproxy.conf.j2107
1 files changed, 107 insertions, 0 deletions
diff --git a/haproxy.conf.j2 b/haproxy.conf.j2
new file mode 100644
index 0000000..afe65f6
--- /dev/null
+++ b/haproxy.conf.j2
@@ -0,0 +1,107 @@
+global
+ # all file names are relative to the directory containing this config
+ # file by default
+ default-path config
+
+ # refuse to start if any warning is emitted at boot (keep configs clean)
+ zero-warning
+
+ # Security hardening: isolate and drop privileges
+ chroot /var/empty
+ user haproxy
+ group haproxy
+
+ # daemonize
+ daemon
+ pidfile /var/run/haproxy-svc1.pid
+
+ # do not keep old processes longer than that after a reload
+ hard-stop-after 5m
+
+ # The command-line-interface (CLI) used by the admin, by provisionning
+ # tools, and to transfer sockets during reloads
+ stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
+ stats timeout 1h
+
+ # send logs to stderr for logging via the service manager
+ log stderr local0 info
+
+ # intermediate security for SSL, from https://ssl-config.mozilla.org/
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# default settings common to all HTTP proxies below
+defaults http
+ mode http
+ option httplog
+ log global
+ timeout client 1m
+ timeout server 1m
+ timeout connect 10s
+ timeout http-keep-alive 2m
+ timeout queue 15s
+ timeout tunnel 4h # for websocket
+
+defaults tcp
+ mode tcp
+ option tcplog
+ timeout client 1h
+ timeout server 1h
+ timeout connect 10s
+ log global
+
+# provide a stats page on port 8181
+frontend stats from http
+ bind localhost:8181
+ # provide advanced stats (ssl, h2, ...)
+ stats uri /
+ stats show-modules
+ stats admin if { src 127.0.0.0/8 }
+
+frontend http from http
+ bind :80
+ option socket-stats # provide per-bind line stats
+
+ acl is_certbot path_beg -i /.well-known/acme-challenge
+ http-request redirect scheme https code 301 if !is_certbot
+
+ # silently ignore connect probes and pre-connect without request
+ option http-ignore-probes
+
+ # pass client's IP address to the server and prevent against attempts
+ # to inject bad contents
+ http-request del-header x-forwarded-for
+ option forwardfor
+
+ default_backend certbot
+
+{% if certificates is defined and certificates|length > 0 %}
+frontend https from http
+ bind :443 name secure ssl {%- for cert in certificates %} crt /usr/local/etc/haproxy/certs/{{ cert }}.pem {%- endfor %} alpn h2,http/1.1
+
+ # set HSTS for one year after all responses
+ http-after-response set-header Strict-Transport-Security "max-age=31536000"
+ http-request redirect scheme https code 301 if !{ ssl_fc }
+
+ option http-ignore-probes
+
+ # pass client's IP address to the server and prevent against attempts
+ # to inject bad contents
+ http-request del-header x-forwarded-for
+ option forwardfor
+
+ # enable HTTP compression of text contents
+ compression algo deflate gzip
+ compression type text/ application/javascript application/xhtml+xml image/x-icon
+
+ use_backend %[req.hdr(Host),lower]
+ default_backend datagubbe
+{% endif %}
+
+{% for jailname, jail in jails.items() %}
+ {{- jail.haproxy_conf | default('') }}
+{% endfor %}
+
+backend certbot from http
+ server srv localhost:7878
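Review bot: `use_backend %[req.hdr(Host),lower]` in the https frontend lets the client-supplied Host header choose any backend by name, so a request whose Host is `certbot` is routed to the certbot backend declared at the bottom of the hunk, and the same applies to whatever backend names the jail fragments inserted by `{{ jail.haproxy_conf }}` introduce, whether or not they are meant to be reachable through this listener. A Host value that carries a port (`example.com:443`) also matches no backend and falls through silently to `default_backend datagubbe`, which is not defined in this hunk (presumably it comes from one of the jail fragments). Restricting the lookup to a known list keeps unexpected names out of the routing decision, e.g. `use_backend %[req.hdr(host),lower,field(1,':'),map_str(<path-to-host-backend-map>,datagubbe)]` with the map listing only the published hostnames, and a comment above it stating that backends selectable here must be listed in the map. The `http-request redirect scheme https ... if !{ ssl_fc }` line in the same frontend can never fire, since its only bind is `:443 ... ssl`; keeping it is harmless but a short comment saying so would stop the next reader from hunting for the non-TLS bind.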