haproxy.cfg
aktuelle config
- /etc/haconfig/haconfig.cfg
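global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # ACME account key thumbprint used by the stateless HTTP-01 responder in
    # "frontend web" (public value, derived from the account public key).
    setenv ACCOUNT_THUMBPRINT 'yp_9Dhn0bhtiVBFoOeA87LcStinMH6X7x6ARTtwSwdY'

    # Default SSL material locations
    # ca-base /etc/ssl/certs
    # crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Appends the client address as X-Forwarded-For on every backend request.
    option forwardfor
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Statistics page.
# NOTE(review): the TLS bind is commented out, so this listens in plain HTTP on
# all interfaces, and there is no "stats auth" or source-address ACL in front of
# it. It is read-only (no "stats admin"), but it still exposes backend names,
# addresses and health state - restrict it (stats auth / http-request deny
# unless { src <admin-network> }) before exposing it beyond the LAN.
frontend Statistiken
    # bind *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
    bind *:8443
    mode http
    option httplog
    maxconn 5
    stats enable
    stats show-legends
    stats hide-version
    stats refresh 60s
    stats show-node
    stats uri /

frontend web
    bind [::]:80 v4v6
    # bind [::]:443 ssl crt /etc/ssl/haproxy/schubert.home.combined.pem
    bind [::]:443 ssl crt /etc/ssl/letsencrypt/letsencrypt-combine.pem
    # bind :443 ssl crt /etc/haproxy/certs/ strict-sni

    acl lets_encrypt path_beg /.well-known/acme-challenge/
    use_backend lets_encrypt if lets_encrypt

    # CalDAV/CardDAV service discovery for the Nextcloud backend.
    acl url_discovery path /.well-known/caldav /.well-known/carddav
    http-request redirect location /remote.php/dav/ code 301 if url_discovery

    # Stateless ACME HTTP-01 responder: answers "<token>.<thumbprint>" for any
    # token. http-request rules run before use_backend, so this - not the
    # lets_encrypt backend - is what serves the challenge.
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }

    # Switch to https
    redirect scheme https code 301 if !{ ssl_fc }

    # one acl per hostname
    acl host_wiki hdr(host) -i wiki.schubert.home
    acl host_wiki hdr(host) -i wiki.bamasch.de
    acl host_nc hdr(host) -i nc.schubert-waltringen.de:444
    acl host_nc hdr(host) -i nc.schubert.home
    acl host_nc hdr(host) -i oc.bamasch.de

    use_backend wiki-backend if host_wiki
    use_backend nc-backend if host_nc

backend wiki-backend
    # mode http
    balance roundrobin
    # option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ wiki.schubert.home
    option forwardfor header X-Client
    # NOTE(review): "option httpchk" is commented out above - confirm the HTTP
    # status check is actually in effect rather than a plain TCP check.
    http-check expect status 200
    # set-header (not add-header) so a client-supplied X-Forwarded-Proto cannot
    # ride alongside the value HAProxy asserts.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # server wiki.schubert-home-be 192.168.16.173:80 maxconn 32 check verify none
    # NOTE(review): "verify none" disables backend certificate validation, so the
    # HAProxy->backend hop is TLS without authentication. If the backend cert is
    # signed by an internal CA, prefer "verify required ca-file <internal-ca-bundle>".
    server wiki.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni wiki.schubert.home sni ssl_fc_sni inter 3s rise 2 fall 3

backend nc-backend
    mode http
    http-request set-header X-Client-IP %[src]
    # set-header (not add-header): overwrite any client-supplied value.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Security response headers for the Nextcloud instance.
    http-response set-header Strict-Transport-Security max-age=63072000
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Robots-Tag noindex,nofollow
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Permitted-Cross-Domain-Policies none
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header Referrer-Policy no-referrer
    balance roundrobin
    # server nc-backend 192.168.16.71:80 check maxconn 5000 send-proxy-v2
    # server nc-backend 192.168.16.173:80 check maxconn 5000
    # NOTE(review): same "verify none" caveat as in wiki-backend.
    server oc.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni oc.bamasch.de sni ssl_fc_sni inter 3s rise 2 fall 3

# Only reached for ACME paths if the http-request return rule in "frontend web"
# is removed; otherwise that rule answers the challenge first.
backend lets_encrypt
    mode http
    server local localhost:60001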
