global
# Syslog over UDP to the local host: local0 receives every level, local1 only notice and above
log 127.0.0.1:514 local0
log 127.0.0.1:514 local1 notice
# Confine the process after startup; combined with user/group below it runs unprivileged
chroot /var/lib/haproxy
# Runtime API at admin level: a holder of this socket can change the live state
# (disable servers, adjust weights, ...), so mode 660 and the owning group are the access control.
# expose-fd listeners is what allows seamless reloads to hand listening sockets over.
stats socket /run/haproxy_admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Client-facing suites: ECDHE key exchange only (forward secrecy), AES-GCM or ChaCha20.
# NOTE(review): this list governs TLS <= 1.2; TLS 1.3 suites are configured separately
# (ssl-default-bind-ciphersuites) on builds that support it -- confirm for the HAProxy/OpenSSL in use.
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20
# SSLv3/TLS1.0/TLS1.1 disabled, so TLS 1.2 is the floor; session tickets are off
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# Same policy toward TLS backends (only applies to servers declared with "ssl")
ssl-default-server-ciphers AES128+ECDHE:AES256+ECDHE
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
# Inherit the global log targets in every proxy that does not override them
log global
mode http

# One line per HTTP request (not per connection); skip connections that sent no data
option httplog
option dontlognull

# TCP handshake optimizations (defer accept until data arrives, send data with the SYN-ACK)
option tcp-smart-connect
option tcp-smart-accept

# use kernel splice system call to lower latency
option splice-auto

# Add X-Forwarded-For with the client address on requests sent to backends
option forwardfor
# Per-listening-socket statistics (visible on the stats page / socket)
option socket-stats

# no option http-use-htx

# Client must send a complete request within 20s (limits slow-header attacks);
# backend connect 5s; idle client/server 50s
timeout http-request 20s
timeout connect 5s
timeout client 50s
timeout server 50s

# No unit given, so HAProxy reads this as milliseconds: 800ms per health check
timeout check 800

# Custom error pages served by HAProxy itself; the files must exist at start
errorfile 400 /etc/haproxy/errorfiles/400.http
errorfile 403 /etc/haproxy/errorfiles/403.http
errorfile 408 /etc/haproxy/errorfiles/408.http
errorfile 500 /etc/haproxy/errorfiles/500.http
errorfile 502 /etc/haproxy/errorfiles/502.http
errorfile 503 /etc/haproxy/errorfiles/503.http
errorfile 504 /etc/haproxy/errorfiles/504.http
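frontend http
# Plain HTTP listeners, v4 and v6
bind *:80 name http_v4
bind [::]:80 name http_v6
# TLS listeners: the named cert first, then every cert under certs/ (selected by SNI);
# protocol floor and cipher policy come from ssl-default-bind-* in global
bind *:443 name https_v4 ssl crt /etc/haproxy/certs/mail.0rpheus.net.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1
bind [::]:443 name https_v6 ssl crt /etc/haproxy/certs/mail.0rpheus.net.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1

compression algo gzip
compression type text/html text/plain text/javascript application/javascript application/xml text/css

# HSTS (31536000 seconds = 1 year); only sent on TLS responses, browsers ignore it over plain HTTP anyway
http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
http-response set-header X-Content-Type-Options nosniff

# Protocol headers reflect the real client connection. The previous unconditional "https"
# was wrong for plaintext requests that never reach the redirect below (ACME challenges,
# hosts missing from the map), so backends would have treated them as secure.
# set-header replaces any client-supplied value, so a client cannot spoof these.
http-request set-header HTTP_X_FORWARDED_PROTO https if { ssl_fc }
http-request set-header HTTP_X_FORWARDED_PROTO http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

# force https for known domains: lowercase Host looked up in the map, redirect when not on TLS
acl hostname_has_backend hdr(Host),lower,map(/etc/haproxy/hostname2backend.map) -m found
http-request redirect scheme https code 301 if !{ ssl_fc } hostname_has_backend

# Let's encrypt: HTTP-01 challenges are routed to bk_apache with Host rewritten to the certbot vhost,
# whatever Host the client sent (bk_apache is expected to come from haproxy_backends)
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
http-request set-header Host certbot if letsencrypt-acl
use_backend bk_apache if letsencrypt-acl

# stats backend: path_beg matches every path starting with /haproxy, on any host and over
# plain HTTP too; access control (stats auth / a src ACL) has to live in bk_stats
acl stats-acl path_beg /haproxy
use_backend bk_stats if stats-acl

# routing for known domains: the map value is the backend name suffix (bk_<value>)
use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)] if hostname_has_backend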
{# One backend per key of haproxy_backends; the name bk_<key> must match the values in hostname2backend.map #}
{% for backend in haproxy_backends %}
backend bk_{{ backend }}
# Optional health check; the httpchk value is rendered verbatim into the config (trusted inventory data)
{% if haproxy_backends[backend]["httpchk"] is defined %}
option httpchk {{ haproxy_backends[backend]["httpchk"] }}
{% endif %}

# Each server_defs entry is the complete argument string of one "server" line (name, address, options)
{% for server_def in haproxy_backends[backend]["server_defs"] %}
server {{ server_def }}
{% endfor %}

{% endfor %}
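backend bk_stats
# statistics backend
# Reached from the frontend on path_beg /haproxy with no authentication or source restriction,
# so anyone who can reach :80/:443 sees backend and server names, health state and the node name.
# Add credentials (or a src-based ACL in the frontend) before exposing this publicly, e.g.
# stats auth <STATS_USER>:<STATS_PASSWORD>   (placeholder -- fill in from the deployment's secrets)
stats uri /
stats enable
stats show-node
# Do not advertise the HAProxy version on the page
stats hide-version
stats refresh 30s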