97 lines
3.2 KiB
INI
97 lines
3.2 KiB
INI
global
|
|
maxconn 4096
|
|
user root
|
|
group root
|
|
daemon
|
|
|
|
tune.ssl.default-dh-param 2048
|
|
ssl-default-bind-options no-sslv3 no-tls-tickets
|
|
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
balance roundrobin
|
|
maxconn 1024
|
|
|
|
# This breaks HTTP2
|
|
# option abortonclose
|
|
option httpclose
|
|
option forwardfor
|
|
|
|
retries 3
|
|
option redispatch
|
|
|
|
timeout client 30s
|
|
timeout connect 30s
|
|
timeout server 30s
|
|
|
|
#option httpchk HEAD /haproxy?monitor HTTP/1.0
|
|
#timeout check 5s
|
|
#stats enable
|
|
#stats uri /haproxy?stats
|
|
#stats realm Haproxy\ Statistics
|
|
#stats auth admin:yourpasswordhere
|
|
#stats refresh 5s
|
|
|
|
cache mapscache
|
|
total-max-size 1023 # MB
|
|
max-object-size 10000 # bytes
|
|
max-age 30 # seconds
|
|
|
|
frontend http
|
|
bind :80
|
|
option http-server-close
|
|
redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
|
|
default_backend certbot
|
|
|
|
backend certbot
|
|
server c1 certbot:80
|
|
|
|
frontend https
|
|
bind :443 ssl crt /certificates alpn http/1.1
|
|
|
|
# CORS
|
|
http-response set-header Access-Control-Allow-Origin "*"
|
|
http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
|
|
http-response set-header Access-Control-Max-Age 3628800
|
|
http-response set-header Access-Control-Allow-Methods "GET"
|
|
|
|
# SNI ACLs
|
|
acl is_forestnet ssl_fc_sni -i forest.deflax.net
|
|
acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
|
|
acl is_osmap ssl_fc_sni -i map.deflax.net
|
|
|
|
# IP ACls
|
|
acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
|
|
|
|
http-request deny if is_forestdb !is_allowed
|
|
|
|
http-request set-header X-Forwarded-Protocol https
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Forwarded-Ssl on
|
|
http-request set-header X-Url-Scheme https
|
|
http-request set-header Host %[ssl_fc_sni]
|
|
|
|
use_backend forestnet if is_forestnet
|
|
use_backend forestdb if is_forestdb
|
|
use_backend osmap if is_osmap
|
|
|
|
backend osmap
|
|
# Get from cache / put in cache
|
|
http-request cache-use mapscache
|
|
http-response cache-store mapscache
|
|
# server list
|
|
server s1 osmtile:80 check
|
|
|
|
backend forestnet
|
|
# server list
|
|
server s1 flask:5000 check
|
|
|
|
backend forestdb
|
|
server s1 pgadmin:80 check
|
|
|
|
#backend docs.deflax.net
|
|
# # server list
|
|
# server s1 swagger:80 check
|