Add systemd override

00global.cfg

@@ -0,0 +1,20 @@
+global
+  log /dev/log local0
+  log /dev/log local1 notice
+  chroot /var/lib/haproxy
+  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+
+  # TLS config
+  ca-base /etc/ssl/certs
+  crt-base /etc/ssl/private
+  # generated 2024-08-10, Mozilla Guideline v5.7, HAProxy 2.8.5, OpenSSL 3.0.13, modern configuration, no OCSP
+  # https://ssl-config.mozilla.org/#server=haproxy&version=2.8.5&config=modern&openssl=3.0.13&ocsp=false&guideline=5.7
+  # modern configuration
+  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

01defaults.cfg

@@ -0,0 +1,18 @@
+defaults
+  log global
+  mode http
+  option httplog
+  option dontlognull
+  timeout connect 5s
+  timeout client 1m
+  timeout server 1m
+  timeout http-keep-alive 2m
+  timeout queue 15s
+  timeout tunnel 4h # for websocket
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http

02cache.cfg

@@ -0,0 +1,7 @@
+# The cache instance used by the frontend (256MB, 50MB max object, 1 hour max)
+# May be consulted using "show cache" on the CLI socket
+cache cache
+  total-max-size 256 # RAM cache size in megabytes
+  max-object-size 52428800 # max cacheable object size in bytes
+  max-age 3600 # max cache duration in seconds
+  process-vary on # handle the Vary header (otherwise don't cache)

03frontends.cfg

@@ -0,0 +1,302 @@
+frontend stats
+  mode http
+  bind *:8404
+  stats enable
+  stats uri /stats
+  stats refresh 10s
+  stats admin if LOCALHOST
+
+frontend frontend_default
+  bind :80 name http
+  bind :::80 name httpv6 v6only
+  # Sadly we can't use strict-sni because of Let's Encrypt challenge on https
+  bind :443 name https ssl crt /etc/haproxy/crt alpn h2,http/1.1
+  bind :::443 name httpsv6 v6only ssl crt /etc/haproxy/crt alpn h2,http/1.1
+
+  # silently ignore connect probes and pre-connect without request
+  option http-ignore-probes
+
+  # pass client's IP address to the server and prevent against attempts
+  # to inject bad contents
+  http-request del-header x-forwarded-for
+  option forwardfor
+
+  # enable HTTP compression of text contents
+  compression algo deflate gzip
+  compression type text/ application/javascript application/xhtml+xml image/x-icon
+
+  # enable HTTP caching of any cacheable content
+  http-request  cache-use cache
+  http-response cache-store cache
+
+  # Redirect to HTTPS
+  http-request redirect scheme https unless { ssl_fc }
+
+  # ACLs
+  # ACL for country blocks
+  acl AD src -f /etc/haproxy/country/AD.txt
+  acl AE src -f /etc/haproxy/country/AE.txt
+  acl AF src -f /etc/haproxy/country/AF.txt
+  acl AG src -f /etc/haproxy/country/AG.txt
+  acl AI src -f /etc/haproxy/country/AI.txt
+  acl AL src -f /etc/haproxy/country/AL.txt
+  acl AM src -f /etc/haproxy/country/AM.txt
+  acl AO src -f /etc/haproxy/country/AO.txt
+  acl AQ src -f /etc/haproxy/country/AQ.txt
+  acl AR src -f /etc/haproxy/country/AR.txt
+  acl AS src -f /etc/haproxy/country/AS.txt
+  acl AT src -f /etc/haproxy/country/AT.txt
+  acl AU src -f /etc/haproxy/country/AU.txt
+  acl AW src -f /etc/haproxy/country/AW.txt
+  acl AX src -f /etc/haproxy/country/AX.txt
+  acl AZ src -f /etc/haproxy/country/AZ.txt
+  acl BA src -f /etc/haproxy/country/BA.txt
+  acl BB src -f /etc/haproxy/country/BB.txt
+  acl BD src -f /etc/haproxy/country/BD.txt
+  acl BE src -f /etc/haproxy/country/BE.txt
+  acl BF src -f /etc/haproxy/country/BF.txt
+  acl BG src -f /etc/haproxy/country/BG.txt
+  acl BH src -f /etc/haproxy/country/BH.txt
+  acl BI src -f /etc/haproxy/country/BI.txt
+  acl BJ src -f /etc/haproxy/country/BJ.txt
+  acl BL src -f /etc/haproxy/country/BL.txt
+  acl BM src -f /etc/haproxy/country/BM.txt
+  acl BN src -f /etc/haproxy/country/BN.txt
+  acl BO src -f /etc/haproxy/country/BO.txt
+  acl BQ src -f /etc/haproxy/country/BQ.txt
+  acl BR src -f /etc/haproxy/country/BR.txt
+  acl BS src -f /etc/haproxy/country/BS.txt
+  acl BT src -f /etc/haproxy/country/BT.txt
+  acl BV src -f /etc/haproxy/country/BV.txt
+  acl BW src -f /etc/haproxy/country/BW.txt
+  acl BY src -f /etc/haproxy/country/BY.txt
+  acl BZ src -f /etc/haproxy/country/BZ.txt
+  acl CA src -f /etc/haproxy/country/CA.txt
+  acl CC src -f /etc/haproxy/country/CC.txt
+  acl CD src -f /etc/haproxy/country/CD.txt
+  acl CF src -f /etc/haproxy/country/CF.txt
+  acl CG src -f /etc/haproxy/country/CG.txt
+  acl CH src -f /etc/haproxy/country/CH.txt
+  acl CI src -f /etc/haproxy/country/CI.txt
+  acl CK src -f /etc/haproxy/country/CK.txt
+  acl CL src -f /etc/haproxy/country/CL.txt
+  acl CM src -f /etc/haproxy/country/CM.txt
+  acl CN src -f /etc/haproxy/country/CN.txt
+  acl CO src -f /etc/haproxy/country/CO.txt
+  acl CR src -f /etc/haproxy/country/CR.txt
+  acl CU src -f /etc/haproxy/country/CU.txt
+  acl CV src -f /etc/haproxy/country/CV.txt
+  acl CW src -f /etc/haproxy/country/CW.txt
+  acl CX src -f /etc/haproxy/country/CX.txt
+  acl CY src -f /etc/haproxy/country/CY.txt
+  acl CZ src -f /etc/haproxy/country/CZ.txt
+  acl DE src -f /etc/haproxy/country/DE.txt
+  acl DJ src -f /etc/haproxy/country/DJ.txt
+  acl DK src -f /etc/haproxy/country/DK.txt
+  acl DM src -f /etc/haproxy/country/DM.txt
+  acl DO src -f /etc/haproxy/country/DO.txt
+  acl DZ src -f /etc/haproxy/country/DZ.txt
+  acl EC src -f /etc/haproxy/country/EC.txt
+  acl EE src -f /etc/haproxy/country/EE.txt
+  acl EG src -f /etc/haproxy/country/EG.txt
+  acl EH src -f /etc/haproxy/country/EH.txt
+  acl ER src -f /etc/haproxy/country/ER.txt
+  acl ES src -f /etc/haproxy/country/ES.txt
+  acl ET src -f /etc/haproxy/country/ET.txt
+  acl FI src -f /etc/haproxy/country/FI.txt
+  acl FJ src -f /etc/haproxy/country/FJ.txt
+  acl FK src -f /etc/haproxy/country/FK.txt
+  acl FM src -f /etc/haproxy/country/FM.txt
+  acl FO src -f /etc/haproxy/country/FO.txt
+  acl FR src -f /etc/haproxy/country/FR.txt
+  acl GA src -f /etc/haproxy/country/GA.txt
+  acl GB src -f /etc/haproxy/country/GB.txt
+  acl GD src -f /etc/haproxy/country/GD.txt
+  acl GE src -f /etc/haproxy/country/GE.txt
+  acl GF src -f /etc/haproxy/country/GF.txt
+  acl GG src -f /etc/haproxy/country/GG.txt
+  acl GH src -f /etc/haproxy/country/GH.txt
+  acl GI src -f /etc/haproxy/country/GI.txt
+  acl GL src -f /etc/haproxy/country/GL.txt
+  acl GM src -f /etc/haproxy/country/GM.txt
+  acl GN src -f /etc/haproxy/country/GN.txt
+  acl GP src -f /etc/haproxy/country/GP.txt
+  acl GQ src -f /etc/haproxy/country/GQ.txt
+  acl GR src -f /etc/haproxy/country/GR.txt
+  acl GS src -f /etc/haproxy/country/GS.txt
+  acl GT src -f /etc/haproxy/country/GT.txt
+  acl GU src -f /etc/haproxy/country/GU.txt
+  acl GW src -f /etc/haproxy/country/GW.txt
+  acl GY src -f /etc/haproxy/country/GY.txt
+  acl HK src -f /etc/haproxy/country/HK.txt
+  acl HM src -f /etc/haproxy/country/HM.txt
+  acl HN src -f /etc/haproxy/country/HN.txt
+  acl HR src -f /etc/haproxy/country/HR.txt
+  acl HT src -f /etc/haproxy/country/HT.txt
+  acl HU src -f /etc/haproxy/country/HU.txt
+  acl ID src -f /etc/haproxy/country/ID.txt
+  acl IE src -f /etc/haproxy/country/IE.txt
+  acl IL src -f /etc/haproxy/country/IL.txt
+  acl IM src -f /etc/haproxy/country/IM.txt
+  acl IN src -f /etc/haproxy/country/IN.txt
+  acl IO src -f /etc/haproxy/country/IO.txt
+  acl IQ src -f /etc/haproxy/country/IQ.txt
+  acl IR src -f /etc/haproxy/country/IR.txt
+  acl IS src -f /etc/haproxy/country/IS.txt
+  acl IT src -f /etc/haproxy/country/IT.txt
+  acl JE src -f /etc/haproxy/country/JE.txt
+  acl JM src -f /etc/haproxy/country/JM.txt
+  acl JO src -f /etc/haproxy/country/JO.txt
+  acl JP src -f /etc/haproxy/country/JP.txt
+  acl KE src -f /etc/haproxy/country/KE.txt
+  acl KG src -f /etc/haproxy/country/KG.txt
+  acl KH src -f /etc/haproxy/country/KH.txt
+  acl KI src -f /etc/haproxy/country/KI.txt
+  acl KM src -f /etc/haproxy/country/KM.txt
+  acl KN src -f /etc/haproxy/country/KN.txt
+  acl KP src -f /etc/haproxy/country/KP.txt
+  acl KR src -f /etc/haproxy/country/KR.txt
+  acl KW src -f /etc/haproxy/country/KW.txt
+  acl KY src -f /etc/haproxy/country/KY.txt
+  acl KZ src -f /etc/haproxy/country/KZ.txt
+  acl LA src -f /etc/haproxy/country/LA.txt
+  acl LB src -f /etc/haproxy/country/LB.txt
+  acl LC src -f /etc/haproxy/country/LC.txt
+  acl LI src -f /etc/haproxy/country/LI.txt
+  acl LK src -f /etc/haproxy/country/LK.txt
+  acl LR src -f /etc/haproxy/country/LR.txt
+  acl LS src -f /etc/haproxy/country/LS.txt
+  acl LT src -f /etc/haproxy/country/LT.txt
+  acl LU src -f /etc/haproxy/country/LU.txt
+  acl LV src -f /etc/haproxy/country/LV.txt
+  acl LY src -f /etc/haproxy/country/LY.txt
+  acl MA src -f /etc/haproxy/country/MA.txt
+  acl MC src -f /etc/haproxy/country/MC.txt
+  acl MD src -f /etc/haproxy/country/MD.txt
+  acl ME src -f /etc/haproxy/country/ME.txt
+  acl MF src -f /etc/haproxy/country/MF.txt
+  acl MG src -f /etc/haproxy/country/MG.txt
+  acl MH src -f /etc/haproxy/country/MH.txt
+  acl MK src -f /etc/haproxy/country/MK.txt
+  acl ML src -f /etc/haproxy/country/ML.txt
+  acl MM src -f /etc/haproxy/country/MM.txt
+  acl MN src -f /etc/haproxy/country/MN.txt
+  acl MO src -f /etc/haproxy/country/MO.txt
+  acl MP src -f /etc/haproxy/country/MP.txt
+  acl MQ src -f /etc/haproxy/country/MQ.txt
+  acl MR src -f /etc/haproxy/country/MR.txt
+  acl MS src -f /etc/haproxy/country/MS.txt
+  acl MT src -f /etc/haproxy/country/MT.txt
+  acl MU src -f /etc/haproxy/country/MU.txt
+  acl MV src -f /etc/haproxy/country/MV.txt
+  acl MW src -f /etc/haproxy/country/MW.txt
+  acl MX src -f /etc/haproxy/country/MX.txt
+  acl MY src -f /etc/haproxy/country/MY.txt
+  acl MZ src -f /etc/haproxy/country/MZ.txt
+  acl NA src -f /etc/haproxy/country/NA.txt
+  acl NC src -f /etc/haproxy/country/NC.txt
+  acl NE src -f /etc/haproxy/country/NE.txt
+  acl NF src -f /etc/haproxy/country/NF.txt
+  acl NG src -f /etc/haproxy/country/NG.txt
+  acl NI src -f /etc/haproxy/country/NI.txt
+  acl NL src -f /etc/haproxy/country/NL.txt
+  acl NO src -f /etc/haproxy/country/NO.txt
+  acl NP src -f /etc/haproxy/country/NP.txt
+  acl NR src -f /etc/haproxy/country/NR.txt
+  acl NU src -f /etc/haproxy/country/NU.txt
+  acl NZ src -f /etc/haproxy/country/NZ.txt
+  acl OM src -f /etc/haproxy/country/OM.txt
+  acl PA src -f /etc/haproxy/country/PA.txt
+  acl PE src -f /etc/haproxy/country/PE.txt
+  acl PF src -f /etc/haproxy/country/PF.txt
+  acl PG src -f /etc/haproxy/country/PG.txt
+  acl PH src -f /etc/haproxy/country/PH.txt
+  acl PK src -f /etc/haproxy/country/PK.txt
+  acl PL src -f /etc/haproxy/country/PL.txt
+  acl PM src -f /etc/haproxy/country/PM.txt
+  acl PN src -f /etc/haproxy/country/PN.txt
+  acl PR src -f /etc/haproxy/country/PR.txt
+  acl PS src -f /etc/haproxy/country/PS.txt
+  acl PT src -f /etc/haproxy/country/PT.txt
+  acl PW src -f /etc/haproxy/country/PW.txt
+  acl PY src -f /etc/haproxy/country/PY.txt
+  acl QA src -f /etc/haproxy/country/QA.txt
+  acl RE src -f /etc/haproxy/country/RE.txt
+  acl RO src -f /etc/haproxy/country/RO.txt
+  acl RS src -f /etc/haproxy/country/RS.txt
+  acl RU src -f /etc/haproxy/country/RU.txt
+  acl RW src -f /etc/haproxy/country/RW.txt
+  acl SA src -f /etc/haproxy/country/SA.txt
+  acl SB src -f /etc/haproxy/country/SB.txt
+  acl SC src -f /etc/haproxy/country/SC.txt
+  acl SD src -f /etc/haproxy/country/SD.txt
+  acl SE src -f /etc/haproxy/country/SE.txt
+  acl SG src -f /etc/haproxy/country/SG.txt
+  acl SH src -f /etc/haproxy/country/SH.txt
+  acl SI src -f /etc/haproxy/country/SI.txt
+  acl SJ src -f /etc/haproxy/country/SJ.txt
+  acl SK src -f /etc/haproxy/country/SK.txt
+  acl SL src -f /etc/haproxy/country/SL.txt
+  acl SM src -f /etc/haproxy/country/SM.txt
+  acl SN src -f /etc/haproxy/country/SN.txt
+  acl SO src -f /etc/haproxy/country/SO.txt
+  acl SR src -f /etc/haproxy/country/SR.txt
+  acl SS src -f /etc/haproxy/country/SS.txt
+  acl ST src -f /etc/haproxy/country/ST.txt
+  acl SV src -f /etc/haproxy/country/SV.txt
+  acl SX src -f /etc/haproxy/country/SX.txt
+  acl SY src -f /etc/haproxy/country/SY.txt
+  acl SZ src -f /etc/haproxy/country/SZ.txt
+  acl TC src -f /etc/haproxy/country/TC.txt
+  acl TD src -f /etc/haproxy/country/TD.txt
+  acl TF src -f /etc/haproxy/country/TF.txt
+  acl TG src -f /etc/haproxy/country/TG.txt
+  acl TH src -f /etc/haproxy/country/TH.txt
+  acl TJ src -f /etc/haproxy/country/TJ.txt
+  acl TK src -f /etc/haproxy/country/TK.txt
+  acl TL src -f /etc/haproxy/country/TL.txt
+  acl TM src -f /etc/haproxy/country/TM.txt
+  acl TN src -f /etc/haproxy/country/TN.txt
+  acl TO src -f /etc/haproxy/country/TO.txt
+  acl TR src -f /etc/haproxy/country/TR.txt
+  acl TT src -f /etc/haproxy/country/TT.txt
+  acl TV src -f /etc/haproxy/country/TV.txt
+  acl TW src -f /etc/haproxy/country/TW.txt
+  acl TZ src -f /etc/haproxy/country/TZ.txt
+  acl UA src -f /etc/haproxy/country/UA.txt
+  acl UG src -f /etc/haproxy/country/UG.txt
+  acl UM src -f /etc/haproxy/country/UM.txt
+  acl US src -f /etc/haproxy/country/US.txt
+  acl UY src -f /etc/haproxy/country/UY.txt
+  acl UZ src -f /etc/haproxy/country/UZ.txt
+  acl VA src -f /etc/haproxy/country/VA.txt
+  acl VC src -f /etc/haproxy/country/VC.txt
+  acl VE src -f /etc/haproxy/country/VE.txt
+  acl VG src -f /etc/haproxy/country/VG.txt
+  acl VI src -f /etc/haproxy/country/VI.txt
+  acl VN src -f /etc/haproxy/country/VN.txt
+  acl VU src -f /etc/haproxy/country/VU.txt
+  acl WF src -f /etc/haproxy/country/WF.txt
+  acl WS src -f /etc/haproxy/country/WS.txt
+  acl XK src -f /etc/haproxy/country/XK.txt
+  acl YE src -f /etc/haproxy/country/YE.txt
+  acl YT src -f /etc/haproxy/country/YT.txt
+  acl ZA src -f /etc/haproxy/country/ZA.txt
+  acl ZM src -f /etc/haproxy/country/ZM.txt
+  acl ZW src -f /etc/haproxy/country/ZW.txt
+
+  # Redirect www to non-www domains
+  http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
+
+  acl letsencrypt path_beg /.well-known/acme-challenge/
+  
+  acl laminar hdr(host) -i laminar.benoit.jp.net
+  acl forgejo hdr(host) -i forgejo.benoit.jp.net
+  #http-request deny if flux !JP !letsencrypt
+  #http-request deny if dns !JP !SG !letsencrypt
+  
+  use_backend letsencrypt if letsencrypt
+  use_backend laminar if laminar
+  use_backend forgejo if forgejo
+
+  default_backend default

04listen.cfg

@@ -0,0 +1,37 @@
+# Listens (frontend and backend combined)
+  listen ssh
+    bind :22
+    bind :::22 v6only
+      mode tcp
+      option tcplog
+    server git-ssh forgejo.incus:10022 send-proxy check
+#  listen smtp
+#    bind :25
+#    bind :::25 v6only
+#      mode tcp
+#      option tcplog
+#    server mail 10.78.127.231:10025 send-proxy
+#  listen smtps
+#    bind :465
+#    bind :::465 v6only
+#      mode tcp
+#      option tcplog
+#    server mail 10.78.127.231:10465 send-proxy
+#  listen imaps
+#    bind :993
+#    bind :::993 v6only
+#      mode tcp
+#      option tcplog
+#    server mail 10.78.127.231:10993 send-proxy
+#  listen sieve
+#    bind :4190
+#    bind :::4190 v6only
+#      mode tcp
+#      option tcplog
+#    server mail 10.78.127.231:14190 send-proxy
+#  listen adguard-dot
+#    bind :853
+#    bind :::853 v6only
+#      mode tcp
+#      option tcplog
+#    server adguard 10.78.127.201:10853 send-proxy

05backends.cfg

@@ -0,0 +1,26 @@
+# Backends
+backend default
+  tcp-request content reject
+
+backend letsencrypt
+  server certbot 127.0.0.1:8899
+
+backend laminar
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  # add some Security headers
+  http-response set-header X-Frame-Options "SAMEORIGIN"
+  http-response set-header X-Content-Type-Options "nosniff"
+  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+  http-response set-header Cross-Origin-Resource-Policy "same-origin"
+  server laminar laminar.incus:8080 check
+
+backend forgejo
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  # add some Security headers
+  http-response set-header X-Frame-Options "SAMEORIGIN"
+  http-response set-header X-Content-Type-Options "nosniff"
+  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+  http-response set-header Cross-Origin-Resource-Policy "same-origin"
+  server laminar forgejo.incus:3000 check

README.md

@@ -1,3 +1,10 @@
 # Haproxy
 
-Haproxy configuration files for my self-hosted setup.
+Haproxy configuration files for my self-hosted setup.
+
+`/etc/systemd/system/haproxy.service.d/override.conf`:
+
+```HAProxy
+[Service]
+Environment="CONFIG=/etc/haproxy/config"
+```