global
# all file names are relative to the directory containing this config
# file by default
default-path config
# refuse to start if any warning is emitted at boot (keep configs clean)
zero-warning
# Security hardening: isolate and drop privileges
# (chroot into an empty directory, then run as the unprivileged haproxy
# user/group instead of the user that started the process)
chroot /var/empty
user haproxy
group haproxy
# daemonize
daemon
pidfile /var/run/haproxy-svc1.pid
# do not keep old processes longer than that after a reload
hard-stop-after 5m
# The command-line-interface (CLI) used by the admin, by provisioning
# tools, and to transfer sockets during reloads.
# "level admin" allows runtime changes (server state, maps, ...), so the
# socket is restricted to its owner with "mode 600 user haproxy": anything
# that can write to this socket effectively controls the proxy.
# "expose-fd listeners" lets a reloading process inherit the listening
# sockets instead of re-binding them.
stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
stats timeout 1h
# send logs to stderr for logging via the service manager
log stderr local0 info
# intermediate security for SSL, from https://ssl-config.mozilla.org/
# (Mozilla "intermediate" profile: ECDHE/DHE AEAD ciphers for TLS 1.2 on
# the next line, the TLS 1.3 suites on the "ciphersuites" line, SSLv3 and
# TLS 1.0/1.1 disabled, and stateless session tickets turned off since a
# long-lived ticket key undermines forward secrecy)
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# default settings common to all HTTP proxies below
defaults http
mode http
option httplog
log global
timeout client 1m
timeout server 1m
timeout connect 10s
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h # for websocket
# default settings common to all TCP (layer 4) proxies below; the long
# client/server timeouts are for long-lived sessions
defaults tcp
mode tcp
option tcplog
timeout client 1h
timeout server 1h
timeout connect 10s
log global
# provide a stats page on port 8181
# (loopback only: there is no "stats auth" line here, so access control
# relies entirely on the localhost bind plus the src check below)
frontend stats from http
bind localhost:8181
# provide advanced stats (ssl, h2, ...)
stats uri /
stats show-modules
# admin actions on the page (enable/disable servers, ...) are only
# accepted from loopback source addresses
stats admin if { src 127.0.0.0/8 }
# plain-HTTP entry point: only ACME challenge requests are served here,
# every other request is redirected to HTTPS
frontend http from http
bind :80
option socket-stats # provide per-bind line stats
acl is_certbot path_beg -i /.well-known/acme-challenge
http-request redirect scheme https code 301 if !is_certbot
# silently ignore connect probes and pre-connect without request
option http-ignore-probes
# pass client's IP address to the server and guard against attempts to
# inject spoofed values: first drop any X-Forwarded-For the client sent,
# then let "option forwardfor" add the real source address
http-request del-header x-forwarded-for
option forwardfor
# only ACME challenge requests get this far (see the redirect above)
default_backend certbot
{% if certificates is defined and certificates|length > 0 %}
# TLS entry point, rendered only when at least one certificate exists
# (so the initial run, before certbot has issued anything, still loads);
# one "crt" argument is emitted per certificate name
frontend https from http
bind :443 name secure ssl {%- for cert in certificates %} crt /usr/local/etc/haproxy/certs/{{ cert }}.pem {%- endfor %} alpn h2,http/1.1
# set HSTS for one year on all responses
# (no includeSubDomains/preload: only add those once every subdomain is
# served over TLS, since browsers cache the policy for max-age)
http-after-response set-header Strict-Transport-Security "max-age=31536000"
# the bind above is TLS-only, so ssl_fc should always be true here; this
# redirect is a safety net in case a plain-text bind is ever added
http-request redirect scheme https code 301 if !{ ssl_fc }
option http-ignore-probes
# pass client's IP address to the server and guard against attempts to
# inject spoofed values (same as the :80 frontend)
http-request del-header x-forwarded-for
option forwardfor
# enable HTTP compression of text contents
# NOTE(review): compressing TLS responses that mix secrets with
# user-influenced content is the precondition for BREACH-style leakage;
# fine for static text, worth confirming for the backends behind this
compression algo deflate gzip
compression type text/ application/javascript application/xhtml+xml image/x-icon
# route by the lower-cased Host header to the backend of the same name;
# the Host value is client-controlled, but only backends that actually
# exist can be selected and everything else falls through to
# default_backend. A Host that carries a port (host:443) presumably does
# not match a bare backend name — verify if such requests are expected.
use_backend %[req.hdr(Host),lower]
default_backend datagubbe
{% endif %}
# per-jail proxy sections supplied by each jail's definition
{% for jailname, jail in jails.items() %}
{{- jail.haproxy_conf | default('') }}
{% endfor %}
# local standalone responder used by certbot for ACME HTTP-01 challenges
backend certbot from http
server srv localhost:7878