HAProxy/05backends.cfg

resolvers incus
  nameserver incus 10.10.10.1:53

  # Maximum size of a DNS answer allowed, in bytes
  accepted_payload_size 512

  # Whether to add nameservers found in /etc/resolv.conf
  parse-resolv-conf

  # How long to "hold" a backend server's up/down status depending on the name resolution status.
  # For example, if an NXDOMAIN response is returned, keep the backend server in its current state (up) for
  # at least another 30 seconds before marking it as down due to DNS not having a record for it.
  hold valid    10s
  hold other    30s
  hold refused  30s
  hold nx       30s
  hold timeout  30s
  hold obsolete 30s

  # How many times to retry a query
  resolve_retries 3

  # How long to wait between retries when no valid response has been received
  timeout retry 1s

  # How long to wait for a successful resolution
  timeout resolve 1s

# Backends
backend default
  tcp-request content reject

backend letsencrypt
  server certbot 127.0.0.1:8899

backend laminar
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "cross-origin"
  http-response set-header Cache-Control max-age=31536000
  server laminar laminar.incus:8080 check resolvers incus init-addr last,libc,none

backend forgejo
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server forgejo forgejo.incus:3000 check resolvers incus init-addr last,libc,none

backend mastodon
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server mastodon mastodon2.incus:80 send-proxy check resolvers incus init-addr last,libc,none

backend linkding
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server linkding linkding.incus:9090 check resolvers incus init-addr last,libc,none

backend archive
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  http-response set-header Cache-Control max-age=31536000
  server archive archive.incus:80 check resolvers incus init-addr last,libc,none

backend adguard
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server adguard adguard.incus:443 check ssl verify none resolvers incus init-addr last,libc,none

backend vaultwarden
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server vaultwarden vaultwarden.incus:80 check resolvers incus init-addr last,libc,none

backend kanboard
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server kanboard kanboard.incus:80 check resolvers incus init-addr last,libc,none

backend photoprism
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server photoprism photoprism.incus:2342 check resolvers incus init-addr last,libc,none

backend miniflux
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server miniflux miniflux.incus:8080 check resolvers incus init-addr last,libc,none

backend www
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  http-response set-header Cache-Control max-age=31536000
  server www www.incus:80 check resolvers incus init-addr last,libc,none

backend navidrome
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server navidrome navidrome.incus:4533 check resolvers incus init-addr last,libc,none

backend mailcow
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server mailcow mailcow.incus:80 check resolvers incus init-addr last,libc,none

backend beszel
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "same-origin"
  server beszel beszel.incus:8090 check resolvers incus init-addr last,libc,none

backend uptime-kuma
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # add some Security headers
  http-response set-header X-Frame-Options "SAMEORIGIN"
  http-response set-header X-Content-Type-Options "nosniff"
  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
  http-response set-header Cross-Origin-Resource-Policy "cross-origin"
  server uptime-kuma mxmon:3001 check resolvers incus init-addr last,libc,none

backend nefarious
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  server nefarious nefarious.incus:8000 check resolvers incus init-addr last,libc,none

backend nefarious-jackett
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  server nefarious-jackett nefarious.incus:9117 check resolvers incus init-addr last,libc,none

backend nefarious-transmission
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  server nefarious-transmission nefarious.incus:9091 check resolvers incus init-addr last,libc,none

backend jellyfin
  # set HSTS for one year after all responses
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  server jellyfin jellyfin.incus:8096 check resolvers incus init-addr last,libc,none
Add resolvers 2025-02-21 19:52:34 +09:00			`resolvers incus`
			`nameserver incus 10.10.10.1:53`

			`# Maximum size of a DNS answer allowed, in bytes`
			`accepted_payload_size 512`

			`# Whether to add nameservers found in /etc/resolv.conf`
			`parse-resolv-conf`

			`# How long to "hold" a backend server's up/down status depending on the name resolution status.`
			`# For example, if an NXDOMAIN response is returned, keep the backend server in its current state (up) for`
			`# at least another 30 seconds before marking it as down due to DNS not having a record for it.`
			`hold valid 10s`
			`hold other 30s`
			`hold refused 30s`
			`hold nx 30s`
			`hold timeout 30s`
			`hold obsolete 30s`

			`# How many times to retry a query`
			`resolve_retries 3`

			`# How long to wait between retries when no valid response has been received`
			`timeout retry 1s`

			`# How long to wait for a successful resolution`
			`timeout resolve 1s`

Import conf 2024-10-08 19:25:39 +09:00			`# Backends`
			`backend default`
			`tcp-request content reject`

			`backend letsencrypt`
			`server certbot 127.0.0.1:8899`

			`backend laminar`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
Laminar: allow cross-origin 2025-02-14 23:13:04 +09:00			`http-response set-header Cross-Origin-Resource-Policy "cross-origin"`
Add set-header Cache-Control 2025-02-14 23:24:44 +09:00			`http-response set-header Cache-Control max-age=31536000`
Add resolvers 2025-02-21 19:52:34 +09:00			`server laminar laminar.incus:8080 check resolvers incus init-addr last,libc,none`
Import conf 2024-10-08 19:25:39 +09:00
			`backend forgejo`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server forgejo forgejo.incus:3000 check resolvers incus init-addr last,libc,none`
Add mastodon 2024-10-11 20:09:51 +09:00
Fix backend name 2024-10-11 20:11:54 +09:00			`backend mastodon`
Add mastodon 2024-10-11 20:09:51 +09:00			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server mastodon mastodon2.incus:80 send-proxy check resolvers incus init-addr last,libc,none`
Add Linkding 2024-11-14 21:38:15 +09:00
			`backend linkding`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server linkding linkding.incus:9090 check resolvers incus init-addr last,libc,none`
Add archive 2024-11-20 20:18:51 +09:00
			`backend archive`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add set-header Cache-Control 2025-02-14 23:24:44 +09:00			`http-response set-header Cache-Control max-age=31536000`
Add resolvers 2025-02-21 19:52:34 +09:00			`server archive archive.incus:80 check resolvers incus init-addr last,libc,none`
Add adguard 2024-11-27 21:28:44 +09:00
			`backend adguard`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server adguard adguard.incus:443 check ssl verify none resolvers incus init-addr last,libc,none`
Add vaultwarden 2025-02-11 15:27:53 +09:00
			`backend vaultwarden`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server vaultwarden vaultwarden.incus:80 check resolvers incus init-addr last,libc,none`
Add Kanboard 2025-02-11 18:05:28 +09:00
			`backend kanboard`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server kanboard kanboard.incus:80 check resolvers incus init-addr last,libc,none`
Add photoprism 2025-02-12 22:40:12 +09:00
			`backend photoprism`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server photoprism photoprism.incus:2342 check resolvers incus init-addr last,libc,none`
Add miniflux 2025-02-14 21:15:43 +09:00
			`backend miniflux`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server miniflux miniflux.incus:8080 check resolvers incus init-addr last,libc,none`
Add www 2025-02-14 22:36:42 +09:00
			`backend www`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add set-header Cache-Control 2025-02-14 23:24:44 +09:00			`http-response set-header Cache-Control max-age=31536000`
Add resolvers 2025-02-21 19:52:34 +09:00			`server www www.incus:80 check resolvers incus init-addr last,libc,none`
Add navidrome 2025-02-15 08:39:30 +09:00
			`backend navidrome`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server navidrome navidrome.incus:4533 check resolvers incus init-addr last,libc,none`
Add mailcow 2025-02-15 10:30:44 +09:00
			`backend mailcow`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server mailcow mailcow.incus:80 check resolvers incus init-addr last,libc,none`
Add mxmon 2025-02-15 19:01:06 +09:00
Add beszel 2025-02-16 18:17:27 +09:00			`backend beszel`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
			`http-response set-header Cross-Origin-Resource-Policy "same-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server beszel beszel.incus:8090 check resolvers incus init-addr last,libc,none`
Add beszel 2025-02-16 18:17:27 +09:00
Add mxmon 2025-02-15 19:01:06 +09:00			`backend uptime-kuma`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`# add some Security headers`
			`http-response set-header X-Frame-Options "SAMEORIGIN"`
			`http-response set-header X-Content-Type-Options "nosniff"`
			`http-response set-header Referrer-Policy "strict-origin-when-cross-origin"`
uptime-kuma: allow cross origin 2025-02-16 10:53:11 +09:00			`http-response set-header Cross-Origin-Resource-Policy "cross-origin"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server uptime-kuma mxmon:3001 check resolvers incus init-addr last,libc,none`
Add nefarious 2025-02-19 19:51:51 +09:00
			`backend nefarious`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server nefarious nefarious.incus:8000 check resolvers incus init-addr last,libc,none`
Add nefarious 2025-02-19 19:51:51 +09:00
			`backend nefarious-jackett`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server nefarious-jackett nefarious.incus:9117 check resolvers incus init-addr last,libc,none`
Add nefarious 2025-02-19 19:51:51 +09:00
			`backend nefarious-transmission`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server nefarious-transmission nefarious.incus:9091 check resolvers incus init-addr last,libc,none`
Add jellyfin 2025-02-19 22:07:29 +09:00
			`backend jellyfin`
			`# set HSTS for one year after all responses`
			`http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Add resolvers 2025-02-21 19:52:34 +09:00			`server jellyfin jellyfin.incus:8096 check resolvers incus init-addr last,libc,none`