85 lines
2.7 KiB
Django/Jinja
85 lines
2.7 KiB
Django/Jinja
global
|
|
log /dev/log local1 notice
|
|
chroot /var/lib/haproxy
|
|
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
|
stats timeout 300s
|
|
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
|
|
ulimit-n 120041
|
|
maxconn 60000
|
|
pidfile /var/run/haproxy.pid
|
|
|
|
# Default SSL material locations
|
|
ca-base /etc/ssl/certs
|
|
crt-base /etc/ssl/private
|
|
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384::ECDHE-ECDSA-AES256-SHA384
|
|
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
|
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
|
|
ssl-dh-param-file /etc/haproxy/dhparam.pem
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
retries 3
|
|
|
|
option httplog
|
|
option dontlognull
|
|
option redispatch
|
|
option forwardfor except 127.0.0.1
|
|
|
|
timeout http-request 10s
|
|
timeout check 10s
|
|
timeout client 60s
|
|
timeout connect 10s
|
|
timeout server 60s
|
|
|
|
maxconn 60000
|
|
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
|
|
# The web frontend
|
|
|
|
frontend http_https
|
|
bind :80 accept-proxy
|
|
bind :443 accept-proxy ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
|
|
|
|
http-request set-header X-Port %[dst_port]
|
|
http-request set-header X-Real-Ip %[src]
|
|
http-request set-header X-Orig-URL %[req.hdr(Host)]%[url]
|
|
http-request set-header X-Proto SSL if { ssl_fc }
|
|
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
|
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
|
|
|
|
# Redirect if HTTPS is *not* used
|
|
redirect scheme https code 301 if !{ ssl_fc }
|
|
|
|
# Test URI to see if its a letsencrypt request
|
|
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
|
|
use_backend letsencrypt if letsencrypt-acl
|
|
|
|
# Gitea
|
|
acl git-ansol-org hdr(host) -i git.ansol.org
|
|
use_backend git-ansol-org if git-ansol-org
|
|
|
|
# Let's Encrypt
|
|
|
|
backend letsencrypt
|
|
server letsencrypt 127.0.0.1:8888
|
|
|
|
# Gitea
|
|
|
|
backend git-ansol-org
|
|
server git-ansol-org gitea:3000 check
|