2021-08-25 04:33:56 +00:00
global
daemon
maxconn 1024
log 127.0.0.1 local0
stats timeout 30s
2021-08-26 05:09:42 +00:00
tune.ssl.default-dh-param 2048
2021-08-25 04:33:56 +00:00
defaults
2023-06-07 18:22:35 +00:00
log global
log /dev/log local0 notice
2021-08-25 04:33:56 +00:00
timeout connect 5s
2021-08-28 04:32:15 +00:00
timeout client 120s
timeout server 120s
2023-06-07 18:22:35 +00:00
timeout tunnel 1h
2021-08-25 04:33:56 +00:00
default-server init-addr last,none resolvers dns
resolvers dns
parse-resolv-conf
## FRONTENDS ##
# haproxy stuff
frontend http_management
bind *:8080
mode http
# redirects /status to haproxy monitor
monitor-uri /status
# redirects /stats to stats backend
acl prefixed-with-stats path_beg -i /stats
use_backend haproxy_stats if prefixed-with-stats
# redirects /metrics to metrics backend
acl prefixed-with-metrics path_beg -i /metrics
use_backend haproxy_metrics if prefixed-with-metrics
2023-06-07 18:22:35 +00:00
frontend http_in
bind *:80
mode http
# force https
redirect scheme https
2023-02-20 15:37:36 +00:00
# https frontend
2021-08-26 05:09:42 +00:00
frontend https_in
# backend is assumed to be http, perform ssl termination here
bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1
2021-08-25 04:33:56 +00:00
2021-08-26 05:09:42 +00:00
mode http
2023-06-07 18:22:35 +00:00
option httplog
2021-08-25 04:33:56 +00:00
2021-08-28 04:32:15 +00:00
# set HSTS
http-response set-header Strict-Transport-Security "max-age = 15552000; includeSubDomains;"
2023-06-07 18:22:35 +00:00
# set X-Forward-For
2024-01-21 06:11:00 +00:00
http-request del-header x-forwarded-for
2023-06-07 18:22:35 +00:00
option forwardfor
2021-11-12 20:20:41 +00:00
# set X-Forwarded-Proto
2023-06-07 18:22:35 +00:00
http-request set-header X-Forwarded-Proto https
2021-11-12 20:20:41 +00:00
2023-06-09 05:11:35 +00:00
default_backend default_backend
2021-08-26 05:09:42 +00:00
{% for http_route in https_routing %}
2023-06-09 05:21:05 +00:00
use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}{% if 'allowlist' in http_route %} { src {% for ip in http_route.allowlist %}{{ ip }} {% endfor %}}{% endif %}
2021-08-25 04:33:56 +00:00
{% endfor %}
## BACKENDS ##
2021-08-26 05:09:42 +00:00
# stat backend
2021-08-25 04:33:56 +00:00
backend haproxy_stats
mode http
stats uri /stats
stats enable
stats refresh 10s
stats auth admin:admin
2021-08-26 05:09:42 +00:00
# metric backend
2021-08-25 04:33:56 +00:00
backend haproxy_metrics
mode http
http-request use-service prometheus-exporter
2023-06-09 05:11:35 +00:00
backend default_backend
mode http
http-request deny deny_status 404
2021-08-26 05:09:42 +00:00
{% for http_route in https_routing %}
2023-02-20 15:37:36 +00:00
# backend for {{ ', '.join(http_route.frontend) }}
backend https_{{ http_route.frontend[0]|replace('.','_') }}
2021-08-26 05:09:42 +00:00
mode http
2021-08-25 04:33:56 +00:00
balance roundrobin
2023-02-20 15:37:36 +00:00
{% for dst in http_route.backend %}
2023-06-09 05:21:05 +00:00
server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2,http/1.1{% endif %} {{ dst.extra_param|default('') }}
2021-08-26 05:09:42 +00:00
{% endfor %}
2021-12-17 23:17:18 +00:00
2021-08-26 05:09:42 +00:00
{% endfor %}
## TCP ##
2023-06-09 05:21:05 +00:00
2021-08-26 05:09:42 +00:00
{% for tcp_route in tcp_routing %}
2023-02-20 15:37:36 +00:00
frontend tcp_{{ tcp_route.frontend }}
bind *:{{ tcp_route.frontend }}
2021-08-26 05:09:42 +00:00
mode tcp
2023-02-20 15:37:36 +00:00
use_backend tcp_{{ tcp_route.frontend }}
2021-08-26 05:09:42 +00:00
2023-02-20 15:37:36 +00:00
backend tcp_{{ tcp_route.frontend }}
2021-08-26 05:09:42 +00:00
mode tcp
2023-02-20 15:37:36 +00:00
{% for dst in tcp_route.backend %}
2022-08-29 01:25:27 +00:00
server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }}
2021-08-25 04:33:56 +00:00
{% endfor %}
{% endfor %}
