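# HAProxy edge configuration: plain-HTTP listener that only serves the ACME
# HTTP-01 challenge and redirects everything else to TLS, plus a TLS listener
# that routes by SNI to three Docker services (flask, pgadmin, osmtile).
# The cache section and ssl-min-ver require HAProxy >= 1.8.

global
    maxconn 4096
    # Drop privileges once the sockets are bound. HAProxy binds :80/:443 as
    # root and then setuid()s, so the workers no longer run as root for their
    # whole life (the previous "user root group root" kept them root).
    # /usr/local/etc/haproxy is the official Docker image layout, where the
    # "haproxy" account already exists; create it if this runs elsewhere.
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # TLS 1.0/1.1 are deprecated (RFC 8996); refuse them at the edge.
    ssl-default-bind-options no-sslv3 no-tls-tickets ssl-min-ver TLSv1.2
    # Forward-secret AEAD / SHA-2 suites only. The old list re-admitted 3DES
    # (DES-CBC3-SHA, SWEET32 - "!DES" does not cover it), CAMELLIA and the
    # static-RSA "AES" catch-all after its exclusions; those are removed.
    # Suite names unknown to the local OpenSSL (e.g. CHACHA20) are skipped.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH

defaults
    log global
    mode http
    balance roundrobin
    maxconn 1024
    # This breaks HTTP2
    # option abortonclose
    option httpclose
    option forwardfor
    retries 3
    option redispatch
    # Bound how long a client may take to finish sending the request headers
    # (slowloris); client/connect/server timeouts alone do not cover that.
    timeout http-request 10s
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    #option httpchk HEAD /haproxy?monitor HTTP/1.0
    #timeout check 5s
    # Stats stay disabled. If they are ever enabled, replace the placeholder
    # credentials below and expose them on a separate, access-restricted
    # listener rather than on the public :443 frontend.
    #stats enable
    #stats uri /haproxy?stats
    #stats realm Haproxy\ Statistics
    #stats auth admin:yourpasswordhere
    #stats refresh 5s

# Small in-memory cache for the map tiles served by backend osmap.
cache mapscache
    total-max-size 1023 # MB
    max-object-size 10000 # bytes
    max-age 30 # seconds

frontend http
    bind :80
    option http-server-close
    # Only the ACME HTTP-01 challenge path is served in clear text; every other
    # request is redirected to TLS (302 by default - use "code 301" once the
    # TLS setup is stable).
    redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
    default_backend certbot

backend certbot
    server c1 certbot:80

frontend https
    bind :443 ssl crt /certificates alpn http/1.1

    # SNI ACLs - declared before any rule that references them.
    acl is_forestnet ssl_fc_sni -i forest.deflax.net
    acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
    acl is_osmap ssl_fc_sni -i map.deflax.net
    # IP ACL: one address/CIDR per line. "src" is the TCP peer, which is the
    # real client only while this proxy is the edge; if another proxy is ever
    # put in front of it, switch to the PROXY protocol (accept-proxy) first.
    acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl

    # pgadmin (db.forest.deflax.net) is reachable from the allow-list only;
    # everything else gets a 403 before any backend is contacted.
    http-request deny if is_forestdb !is_allowed

    # Tell browsers to stay on TLS for these hosts (plain HTTP already
    # redirects, this just removes the first unprotected hop on revisits).
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # CORS
    # NOTE(review): these headers are attached to every backend on this
    # frontend, pgadmin included. Once the intended consumer is known, scope
    # them (e.g. "if is_osmap" / "if is_forestnet") instead of global "*".
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET"

    # Scheme hints for the backends (they sit behind TLS termination).
    http-request set-header X-Forwarded-Protocol https
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Ssl on
    http-request set-header X-Url-Scheme https
    # Pin Host to the SNI the connection was routed on, so a client cannot
    # reach one vhost's backend with a mismatched Host header. A connection
    # without SNI matches no use_backend below and is answered with 503.
    http-request set-header Host %[ssl_fc_sni]

    use_backend forestnet if is_forestnet
    use_backend forestdb if is_forestdb
    use_backend osmap if is_osmap

backend osmap
    # Get from cache / put in cache
    http-request cache-use mapscache
    http-response cache-store mapscache
    # server list
    server s1 osmtile:80 check

backend forestnet
    # server list
    server s1 flask:5000 check

backend forestdb
    # Access is limited by the is_allowed ACL in frontend https.
    server s1 pgadmin:80 check

#backend docs.deflax.net
#    # server list
#    server s1 swagger:80 check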