78 lines
2.9 KiB
INI
78 lines
2.9 KiB
INI
global
|
|
maxconn 4096
|
|
user root
|
|
group root
|
|
daemon
|
|
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
defaults
|
|
#log stdout format raw local0 debug
|
|
log stdout format raw local0 notice
|
|
mode http
|
|
balance roundrobin
|
|
maxconn 1024
|
|
|
|
timeout client 30s
|
|
timeout connect 30s
|
|
timeout server 30s
|
|
|
|
#option httpchk HEAD /haproxy?monitor HTTP/1.0
|
|
#timeout check 5s
|
|
#stats enable
|
|
#stats uri /haproxy?stats
|
|
#stats realm Haproxy\ Statistics
|
|
#stats auth admin:yourpasswordhere
|
|
#stats refresh 5s
|
|
|
|
# PUBLIC
|
|
frontend web
|
|
option tcplog
|
|
bind :80
|
|
bind :443 ssl crt /certificates strict-sni
|
|
|
|
tcp-request inspect-delay 5s
|
|
tcp-request content accept if { req_ssl_hello_type 1 }
|
|
|
|
http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
|
|
http-request redirect scheme https code 301 unless { ssl_fc }
|
|
|
|
http-request set-header X-Forwarded-Protocol https
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Forwarded-Ssl on
|
|
http-request set-header X-Url-Scheme https
|
|
http-request set-header Host %[ssl_fc_sni]
|
|
|
|
# Set X-Forwarded-For only for requests from Cloudflare
|
|
acl from_cf src -f /usr/local/etc/haproxy/cloudflare_ips.lst
|
|
acl cf_ip_hdr req.hdr(CF-Connecting-IP) -m found
|
|
http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
|
|
|
|
# CORS
|
|
http-response set-header Access-Control-Allow-Origin "*"
|
|
http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
|
|
http-response set-header Access-Control-Max-Age 3628800
|
|
http-response set-header Access-Control-Allow-Methods "GET"
|
|
|
|
# max-age is mandatory. 16000000 seconds is approximately 6 months. Use a low value during testing.
|
|
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
|
|
|
|
# ACLS
|
|
acl is_base ssl_fc_sni -i "${BASE_URL}"
|
|
acl is_stream ssl_fc_sni -i "stream.${BASE_URL}"
|
|
|
|
# Router
|
|
use_backend backend_api if is_base
|
|
use_backend backend_restreamer if is_stream
|
|
|
|
backend backend_api
|
|
balance leastconn
|
|
server api1 api:8080 check inter 5s rise 4 fall 2
|
|
|
|
backend backend_restreamer
|
|
balance leastconn
|
|
server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2
|