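# HAProxy configuration template (Jinja2).
# Template inputs used below: letsencrypt.domains (certificate path),
# https_routing (list of {src, dst, ssl}) and tcp_routing (list of {src, dst}).

global
    daemon
    maxconn 1024
    log 127.0.0.1 local0
    stats timeout 30s
    tune.ssl.default-dh-param 2048

defaults
    timeout connect 5s
    timeout client 120s
    timeout server 120s
    # Bound the time a client may take to send complete request headers;
    # without it a slow or idle client holds a connection slot for the whole
    # 120s client timeout (ignored by the tcp-mode frontends below).
    timeout http-request 10s
    log global
    default-server init-addr last,none resolvers dns

resolvers dns
    parse-resolv-conf

## FRONTENDS ##

# haproxy stuff
# NOTE(review): bound on every interface. The stats page (credentials in
# haproxy_stats) and the prometheus metrics (no authentication) are reachable
# by anything that can reach :8080 — restrict at the firewall or bind to a
# management address only.
frontend http_management
    bind *:8080
    mode http
    # redirects /status to haproxy monitor
    monitor-uri /status
    # redirects /stats to stats backend
    acl prefixed-with-stats path_beg -i /stats
    use_backend haproxy_stats if prefixed-with-stats
    # redirects /metrics to metrics backend
    acl prefixed-with-metrics path_beg -i /metrics
    use_backend haproxy_metrics if prefixed-with-metrics

# http frontend
frontend https_in
    bind *:80
    # backend is assumed to be http, perform ssl termination here
    bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1
    mode http
    option forwardfor
    # force https
    http-request redirect scheme https unless { ssl_fc }
    # set HSTS — only on TLS responses: user agents ignore the header when it
    # arrives over plaintext (RFC 6797), so emitting it on the redirect is noise
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;" if { ssl_fc }
    # set X-Forwarded-Proto (set-header overwrites any client-supplied value,
    # so a client cannot spoof the scheme seen by the backend)
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # request is ssl
    # tcp-request inspect-delay 5s
    # tcp-request content accept if { req.ssl_hello_type 1 }
{% for http_route in https_routing %}
    #use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}}
    # NOTE(review): hdr_end is a suffix match, so a src of "example.com" also
    # routes a Host of "notexample.com"; if the src entries are full hostnames,
    # an exact match on the Host header would be stricter — confirm intent.
    use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}}
{% endfor %}

## BACKENDS ##

# stat backend
backend haproxy_stats
    mode http
    stats uri /stats
    stats enable
    stats refresh 10s
    # FIXME(security): default credentials committed in the template; source
    # them from a secret (templated variable / vault) and rotate the current ones.
    stats auth admin:admin

# metric backend
backend haproxy_metrics
    mode http
    http-request use-service prometheus-exporter

{% for http_route in https_routing %}
# backend for {{ ', '.join(http_route.src) }}
backend https_{{ http_route.src[0]|replace('.','_') }}
    mode http
    balance roundrobin
    # NOTE(review): "verify none" disables backend certificate validation, so
    # the hop to each server is encrypted but not authenticated; prefer
    # "verify required" with a "ca-file" where the backend has a trusted cert.
{% for dst in http_route.dst %}
    server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %}
{% endfor %}
{% endfor %}

## TCP ##
{% for tcp_route in tcp_routing %}
frontend tcp_{{ tcp_route.src }}
    bind *:{{ tcp_route.src }}
    mode tcp
    use_backend tcp_{{ tcp_route.src }}

backend tcp_{{ tcp_route.src }}
    mode tcp
{% for dst in tcp_route.dst %}
    server {{ dst }} {{ dst }} check
{% endfor %}
{% endfor %}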