haproxy.cfg

Differences

This shows the differences between two versions of the page.

haproxy.cfg [2025/04/06 03:12] – created admin | haproxy.cfg [2025/04/06 03:21] (current) admin
Line 1: Line 1:
 **aktuelle config** **aktuelle config**
 +<file bash /etc/haconfig/haconfig.cfg> 
 +global
 + log /dev/log local0
 + log /dev/log local1 notice
 + chroot /var/lib/haproxy
 + stats socket /run/haproxy/admin.sock mode 660 level admin
 + stats timeout 30s
 + user haproxy
 + group haproxy
 + daemon
 + setenv ACCOUNT_THUMBPRINT 'yp_9Dhn0bhtiVBFoOeA87LcStinMH6X7x6ARTtwSwdY'
 + # Default SSL material locations
 +  # ca-base /etc/ssl/certs
 +  # crt-base /etc/ssl/private
 + # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
 +        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 +        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 +        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 + defaults
 + log global
 + mode http
 + option httplog
 + option dontlognull
 +        option  forwardfor
 +        timeout connect 5000
 +        timeout client  50000
 +        timeout server  50000
 + errorfile 400 /etc/haproxy/errors/400.http
 + errorfile 403 /etc/haproxy/errors/403.http
 + errorfile 408 /etc/haproxy/errors/408.http
 + errorfile 500 /etc/haproxy/errors/500.http
 + errorfile 502 /etc/haproxy/errors/502.http
 + errorfile 503 /etc/haproxy/errors/503.http
 + errorfile 504 /etc/haproxy/errors/504.http
 +
 + frontend Statistiken
 + #        bind   *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
 +        bind   *:8443
 +        mode   http
 +        option httplog
 +        maxconn 5
 +        stats enable
 +        stats show-legends
 +        stats hide-version
 +        stats refresh 60s
 +        stats show-node
 +        stats uri /
 +
 + frontend web
 + bind [::]:80 v4v6
 + # bind [::]:443 ssl crt /etc/ssl/haproxy/schubert.home.combined.pem
 + bind [::]:443 ssl crt /etc/ssl/letsencrypt/letsencrypt-combine.pem
 + # bind :443 ssl crt /etc/haproxy/certs/ strict-sni
 + acl lets_encrypt path_beg /.well-known/acme-challenge/
 + use_backend lets_encrypt if lets_encrypt 
 +
 +  acl url_discovery path /.well-known/caldav /.well-known/carddav
 +        http-request redirect location /remote.php/dav/ code 301 if url_discovery
 + http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
 + # Umschalten zu https
 +        redirect scheme https code 301 if !{ ssl_fc }
 + # acl pro hostname
 + acl host_wiki hdr(host) -i wiki.schubert.home
 + acl host_wiki hdr(host) -i wiki.bamasch.de
 + acl host_nc hdr(host) -i nc.schubert-waltringen.de:444
 + acl host_nc hdr(host) -i nc.schubert.home
 + acl host_nc hdr(host) -i oc.bamasch.de
 + use_backend wiki-backend if host_wiki
 + use_backend nc-backend if host_nc
 +
 + backend wiki-backend
 + # mode http
 + balance roundrobin
 + #    option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ wiki.schubert.home
 + option forwardfor header X-Client
 + http-check expect status 200
 + http-request add-header X-Forwarded-Proto https if { ssl_fc }
 + # server wiki.schubert-home-be 192.168.16.173:80 maxconn 32 check verify none
 +    server wiki.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni wiki.schubert.home sni ssl_fc_sni inter 3s rise 2 fall 3
 +
 + backend nc-backend
 + mode http
 + http-request set-header X-Client-IP %[src]
 + http-request add-header X-Forwarded-Proto https if { ssl_fc }
 + http-response set-header Strict-Transport-Security max-age=63072000
 + http-response set-header X-Content-Type-Options nosniff
 + http-response set-header X-Robots-Tag noindex,nofollow
 + http-response set-header X-Frame-Options SAMEORIGIN
 + http-response set-header X-Permitted-Cross-Domain-Policies none
 + http-response set-header X-XSS-Protection "1; mode=block"
 + http-response set-header Referrer-Policy no-referrer
 + balance roundrobin
 + # server nc-backend 192.168.16.71:80 check maxconn 5000 send-proxy-v2
 + # server nc-backend 192.168.16.173:80 check maxconn 5000
 +    server oc.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni oc.bamasch.de sni ssl_fc_sni inter 3s rise 2 fall 3
 +
 + backend lets_encrypt
 + mode http
 + server local localhost:60001
 +</file>
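Review bot: `frontend Statistiken` serves the stats page on `bind *:8443` in plaintext, on every interface and with no `stats auth` line, while the TLS variant of that bind is commented out directly above it; restore the `ssl crt` bind and add `stats auth`, or bind the listener to a loopback or management address. Both `server` lines (wiki-backend and nc-backend) use `ssl verify none`, so the connection to 192.168.16.173:443 is encrypted but the backend is never authenticated; `verify required` with a `ca-file` would close that gap. `http-request add-header X-Forwarded-Proto https` in both backends appends to whatever value the client already sent, so `set-header` is the safer choice, as is already done for `X-Client-IP`. In wiki-backend, `http-check expect status 200` has no active `option httpchk` (that line is commented out), so the expectation is not applied. In `frontend web`, the `http-request return` rule answers `/.well-known/acme-challenge/` before `use_backend lets_encrypt` is evaluated, which leaves the `lets_encrypt` ACL, the `use_backend` line and the `lets_encrypt` backend unreachable; keep one of the two mechanisms. The security response headers, including `Strict-Transport-Security`, are set only in nc-backend, so wiki-backend responses go out without them.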
haproxy.cfg.1743909171.txt.gz · Last modified: by admin