Benoit/pyinfra-lxd
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
This repository has been archived on 2025-02-14. You can view files and clone it, but cannot push or open issues or pull requests.
pyinfra-lxd/files/haproxy.cfg
Benoit S 3847f18792 Init
2021-01-30 20:11:28 +09:00

89 lines
3.2 KiB
INI
Raw Permalink Blame History

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/haproxy/dhparam
ssl-dh-param-file /etc/haproxy/dhparam
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend gitea-ssh
mode tcp
bind :22
bind :::22 v6only
default_backend gitea-ssh
backend gitea-ssh
mode tcp
server gitea 127.0.0.1:2222 check send-proxy
frontend default
bind :80
bind :::80 v6only
bind :443 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
bind :::443 v6only ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
# HSTS (15768000 seconds = 6 months)
http-response set-header Strict-Transport-Security max-age=15768000
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
# Let's Encrypt
acl letsencrypt path_dir -i /.well-known/acme-challenge
use_backend localhost if letsencrypt
# mo-f.fr
acl mof hdr_end(host) -i mo-f.fr
use_backend mof if mof
# play.benpro.fr
acl play hdr(host) -i play.benpro.fr
use_backend play if play
#default_backend localhost
backend localhost
option forwardfor
server localhost 127.0.0.1:8080 check send-proxy
backend mof
# Benhind CloudFlare, X-Forwarded-For always setted, do not override
option forwardfor if-none
redirect scheme https if !{ ssl_fc }
server mof 127.0.0.1:8081 check
backend play
option forwardfor
redirect scheme https if !{ ssl_fc }
server play 127.0.0.1:8096 check
Reference in a new issue View git blame Copy permalink