-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy-header.cfg
96 lines (84 loc) · 4.13 KB
/
haproxy-header.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2048
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
log global
mode http
# option httplog
option dontlognull
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
# use backend compression instead
# compression algo gzip
# compression type text/html text/plain text/css text/json application/json
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind :80,:::80
mode http
option forwardfor
# Report HAProxy health status
monitor-uri /haproxy-status
# Disable next 2 lines for debug logging
# http-request capture req.hdr(host) len 64
# log-format "%ci:%cp [%tr] http %s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %[capture.req.hdr(0)] %{+Q}r"
http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80
acl is-blocked-ip src -f /etc/haproxy/blocked.ips
http-request deny if is-blocked-ip
acl letsencrypt-acl path_beg /.well-known/
use_backend letsencrypt-backend if letsencrypt-acl
use_backend %[req.hdr(host),field(1,:),lower,map_str(/etc/haproxy/domain2backend.map,bk_default)]
frontend https-in
bind :443,:::443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
mode http
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth {{haproxy_stats_user}}:{{haproxy_stats_password}}
option forwardfor
# Disable next 2 lines for debug logging
# http-request capture req.hdr(host) len 64
# log-format "%ci:%cp [%tr] https %s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %[capture.req.hdr(0)] %{+Q}r"
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 443
acl is-blocked-ip src -f /etc/haproxy/blocked.ips
http-request deny if is-blocked-ip
use_backend %[req.hdr(host),field(1,:),lower,map_str(/etc/haproxy/domain2backend.map,bk_default)]
backend nocontent
errorfile 503 /etc/haproxy/errors/204-nocontent.http
backend permredirect
http-request redirect code 301 location %[req.hdr(host),lower,map_str(/etc/haproxy/domain2redirect.map,http://www.defaultdomain.tld)]
backend permprefix
http-request redirect code 301 prefix %[req.hdr(host),lower,map_str(/etc/haproxy/domain2prefix.map,http://www.defaultdomain.tld)]
backend tempredirect
http-request redirect code 302 location %[req.hdr(host),lower,map_str(/etc/haproxy/domain2redirect.map,http://www.defaultdomain.tld)]
backend tempprefix
http-request redirect code 302 prefix %[req.hdr(host),lower,map_str(/etc/haproxy/domain2prefix.map,http://www.defaultdomain.tld)]
backend bk_default
server bkdef {{haproxy_default_backend_ipport}}