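# HAProxy edge configuration: terminates TLS for several name-based vhosts
# behind a PROXY-protocol-speaking upstream, forces HTTPS, and routes ACME
# HTTP-01 challenges to a local responder.
global
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # "level admin" allows runtime state changes (disabling servers, setting
    # weights, ...) to anyone who can open the socket, so the 660 mode and the
    # haproxy group membership are the only access control here.
    # "expose-fd listeners" hands listening sockets to a reloading process.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 300s
    user haproxy
    group haproxy
    daemon
    # Explicit FD limit sized for maxconn; recent HAProxy derives a value
    # itself when this is omitted, so keep the two in step if maxconn changes.
    ulimit-n 120041
    maxconn 60000
    pidfile /var/run/haproxy.pid

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # TLS 1.2 suites only: ECDHE key exchange throughout, AEAD suites first;
    # the final entry (AES256-SHA384) is a non-AEAD CBC fallback.
    # Empty list entries ("::") were collapsed to a single separator.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
    # Disabling SSLv3/TLS1.0/TLS1.1 leaves TLS 1.2+; no-tls-tickets forces a
    # full handshake on every new connection in exchange for forward secrecy
    # not depending on a long-lived ticket key.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl-dh-param-file /etc/haproxy/dhparam.pem

defaults
    log global
    mode http
    retries 3
    option httplog
    option dontlognull
    option redispatch
    # Appends the client address to X-Forwarded-For. A client-supplied
    # X-Forwarded-For is kept in front of it, so backends must only trust the
    # last (rightmost) entry, which is the one written by this proxy.
    option forwardfor except 127.0.0.1
    timeout http-request 10s
    timeout check 10s
    timeout client 60s
    timeout connect 10s
    timeout server 60s
    maxconn 60000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# The web frontend
# Both listeners require the PROXY protocol (accept-proxy): connections that
# do not start with a PROXY header are refused, and the address/port the
# upstream hop reports is what src / dst_port below carry. Only a trusted
# upstream must therefore be able to reach :80 and :443 directly.
frontend http_https
    bind :80 accept-proxy
    bind :443 accept-proxy ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1

    # Test URI to see if its a letsencrypt request. Declared before the
    # redirect so the redirect can exempt it.
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    http-request set-header X-Port %[dst_port]
    http-request set-header X-Real-Ip %[src]
    http-request set-header X-Orig-URL %[req.hdr(Host)]%[url]
    # Scheme headers are always written by this proxy and never passed
    # through from the client, so a backend cannot be told a plain-HTTP
    # request arrived over HTTPS.
    http-request set-header X-Proto SSL if { ssl_fc }
    http-request del-header X-Proto if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    # HSTS is only meaningful (and only honoured by browsers) on responses
    # delivered over TLS.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" if { ssl_fc }

    # Redirect if HTTPS is *not* used. ACME challenges are exempt so that a
    # challenge for a name with no certificate yet is answered over plain
    # HTTP instead of depending on the HTTPS listener and redirect-following.
    redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl

    use_backend letsencrypt if letsencrypt-acl

    # Name-based routing: hdr(host) matches the whole Host value
    # case-insensitively, so "git.ansol.org:443" would not match.
    # Requests for any other Host fall through to no backend and receive
    # the 503 errorfile (there is no default_backend).
    # Gitea
    acl git-ansol-org hdr(host) -i git.ansol.org
    use_backend git-ansol-org if git-ansol-org

    # Freescout
    acl freescout hdr(host) -i inbox.ansol.org
    use_backend freescout if freescout

    # Pretalx
    acl pretalx hdr(host) -i manage.ubucon.org
    use_backend pretalx if pretalx

    # Listas
    acl listas_ansol hdr(host) -i listas.ansol.org
    use_backend listas_ansol if listas_ansol

# Let's Encrypt
# Local ACME responder; no health check because it is only expected to be
# listening while a challenge is in progress.
backend letsencrypt
    server letsencrypt 127.0.0.1:8888

# Gitea
backend git-ansol-org
    server git-ansol-org gitea:3000 check

# Freescout
backend freescout
    server freescout freescout:80 check

# Pretalx
# TLS terminates at this proxy; traffic to this backend crosses the network
# in plaintext. If that path is not trusted, switch the server to
# "ssl verify required" with a suitable ca-file.
backend pretalx
    server pretalx 10.81.14.52:80 check

# Listas
# Same plaintext-to-backend caveat as pretalx; this one leaves for a
# remote host.
backend listas_ansol
    server listas_ansol kpn0.netureza.pt:80 check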