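global
# Fork into the background once the configuration has been validated.
daemon
# Process-wide ceiling on concurrent connections; frontends inherit it.
maxconn 1024
# Send logs to a syslog receiver on localhost (UDP), facility local0.
log 127.0.0.1 local0
# Inactivity timeout for the stats/CLI socket (no 'stats socket' is defined in this file).
stats timeout 30s

# Size of the ephemeral DH parameters used for DHE key exchange when the
# certificate file carries no DH params of its own.
tune.ssl.default-dh-param 2048
# Floor the TLS version on every 'ssl' bind line (the :443 frontend below);
# TLS 1.0/1.1 are deprecated and nothing in this file depends on them.
ssl-default-bind-options ssl-min-ver TLSv1.2

# NOTE(review): there is no user/group/chroot here, so the process keeps the
# privileges it was started with unless the service manager drops them.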
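defaults
# Give up on a backend TCP connect after 5s.
timeout connect 5s
# Maximum inactivity on the client and server side of an established session.
timeout client 120s
timeout server 120s
# Bound how long a client may take to send a complete request header. Without
# it a slow-header (slowloris-style) client holds a connection slot for the
# full 120s client timeout. Ignored by the tcp-mode frontends.
timeout http-request 10s
# Inherit the global log target.
log global

# Servers resolve through the 'dns' resolvers section; start from the last
# known address (state file) or, failing that, with no address at all, so a
# failed lookup at startup does not abort the process.
default-server init-addr last,none resolvers dns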
resolvers dns
# Nameservers are taken from the host's /etc/resolv.conf; every other resolver
# setting (hold times, timeouts, retries) is left at HAProxy's built-in default.
parse-resolv-conf
## FRONTENDS ##

# HAProxy self-monitoring endpoints: health check, stats page and Prometheus metrics
frontend http_management
# Bound on every interface: the stats page and the metrics exporter are
# reachable from any network that can reach port 8080 unless a firewall or a
# narrower bind address restricts it.
bind *:8080
mode http

# /status is answered with 200 by the proxy itself, before any other rule
# (health check for external monitors).
monitor-uri /status

# Case-insensitive path-prefix routing to the two built-in services.
acl is-stats-path path_beg -i /stats
acl is-metrics-path path_beg -i /metrics

use_backend haproxy_stats if is-stats-path
use_backend haproxy_metrics if is-metrics-path
# No default_backend: every other path is refused by HAProxy itself (503).
# public HTTP/HTTPS frontend: redirects plain HTTP, terminates TLS, routes on Host
frontend https_in
bind *:80
# backend is assumed to be http, perform ssl termination here
# A single certificate (first letsencrypt domain) is served to every client,
# whatever SNI it asks for. The TLS version floor, if any, comes from the
# global ssl-default-bind-options.
bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1

mode http
# Appends the client IP to X-Forwarded-For; a client-supplied value is kept in
# front of it, so backends must read the last entry, not the first.
option forwardfor

# force https (302 by default). This runs before use_backend, so no plaintext
# request on :80 ever reaches a backend.
http-request redirect scheme https unless { ssl_fc }

# set HSTS (15552000s = 180 days). includeSubDomains pins every subdomain of
# each served host to HTTPS, so a subdomain without TLS becomes unreachable
# for browsers that have seen this header.
http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;"

# set X-Forwarded-Proto. set-header replaces any client-supplied value, so
# backends can trust this header.
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }

# request is ssl
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }

# Host-based routing. hdr_end is a suffix match: a src of example.com also
# matches www.example.com (probably intended) but equally matches
# notexample.com, which is then routed to the example.com backend. A Host
# header carrying an explicit port will not match anything. Requests whose
# Host matches no route have no default_backend and receive a 503.
{% for http_route in https_routing %}
#use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}}
use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}}
{% endfor %}
## BACKENDS ##

# stats backend (read-only: 'stats admin' is not enabled)
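backend haproxy_stats
mode http
# Serve the statistics page for URIs under /stats (the prefix the
# http_management frontend routes here); the page auto-refreshes every 10s.
stats uri /stats
stats enable
stats refresh 10s
# Do not advertise the exact HAProxy build on the page.
stats hide-version
# HTTP basic auth on a plain-HTTP port bound to every interface: the
# credential crosses the wire in the clear, and admin:admin is a well-known
# default that scanners try first.
# FIXME(review): template this credential from an inventory secret and/or
# restrict who can reach port 8080 before this is deployed.
stats auth admin:admin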
# metrics backend: HAProxy's built-in Prometheus exporter
backend haproxy_metrics
mode http
# Answered by HAProxy itself, no servers. There is no authentication here and
# the http_management frontend binds every interface, so anyone who can reach
# :8080 can read frontend/backend names, server names (which this template
# sets to the destination hosts) and all counters.
http-request use-service prometheus-exporter
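{% for http_route in https_routing %}
# backend for {{ ', '.join(http_route.src) }}
backend https_{{ http_route.src[0]|replace('.','_') }}
mode http
balance roundrobin
{# A dst without an explicit port gets the default port for its scheme: 443
   when the route is re-encrypted (ssl, the default), 80 when it is plaintext.
   Previously plaintext routes were also sent to :443. Bare IPv6 literals
   contain ':' and therefore never get a port appended; write them as
   [addr]:port explicitly.

   'ssl verify none' re-encrypts to the backend but skips certificate
   verification, so anything on the path between proxy and backend can present
   an arbitrary certificate. Switch to 'verify required' with a 'ca-file' once
   the backend CA is available to the playbook.

   ALPN offers http/1.1 as a fallback, matching the frontend bind, so a backend
   that speaks ALPN but not h2 does not fail the handshake. #}
{% for dst in http_route.dst %}
server {{ dst }} {{ dst }}{% if ':' not in dst %}{% if http_route.ssl|default(true) %}:443{% else %}:80{% endif %}{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2,http/1.1{% endif %}

{% endfor %}
{% endfor %}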
## TCP ##
# Raw TCP passthrough, one frontend/backend pair per source port. Nothing is
# inspected or authenticated here: the bind is on every interface and whoever
# reaches the port talks straight to the destination, so the destination
# service must enforce its own access control (or the port must be firewalled).
{% for tcp_route in tcp_routing %}
frontend tcp_{{ tcp_route.src }}
bind *:{{ tcp_route.src }}
mode tcp
use_backend tcp_{{ tcp_route.src }}

backend tcp_{{ tcp_route.src }}
mode tcp
{# 'check' in tcp mode is a plain TCP connect probe. Per HAProxy's server
   syntax, a dst with no port is connected to on the same port the client
   used (tcp_route.src). No balance directive is given, so the default
   (roundrobin) applies. #}
{% for dst in tcp_route.dst %}
server {{ dst }} {{ dst }} check
{% endfor %}
{% endfor %}