aktuelle config
<file bash>
global
log /dev/log local0
log /dev/log local1 notice
# Drop privileges after startup: chroot plus an unprivileged user/group.
# (HAProxy reads the config, certificates and errorfiles at startup, i.e.
# before the chroot takes effect, so the paths below stay valid.)
chroot /var/lib/haproxy
# Runtime API socket. "level admin" allows state changes (disabling servers,
# changing weights, ...), so the 660 mode and the haproxy group membership are
# the only access control on it.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# ACME account-key thumbprint used by the stateless HTTP-01 responder in the
# "web" frontend (token.thumbprint is returned for every challenge request).
# It is derived from the account's public key and is not a secret by itself:
# the same value is sent in clear over port 80 in every challenge response,
# and a CA only accepts it for orders created by the matching account key.
# It must be updated whenever the ACME account key is rotated.
setenv ACCOUNT_THUMBPRINT 'yp_9Dhn0bhtiVBFoOeA87LcStinMH6X7x6ARTtwSwdY'
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# TLS policy for every "bind ... ssl" line (Mozilla "intermediate" profile).
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# TLS 1.3 cipher suites.
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# TLS 1.2 minimum; session tickets are off so a long-lived ticket key cannot
# undermine forward secrecy.
# NOTE(review): no ssl-default-server-* policy is set; the backends below use
# "verify none" anyway, so server-side TLS is unauthenticated (see backends).
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
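defaults
log global
mode http
option httplog
option dontlognull
# Adds an X-Forwarded-For header with the client address on every request
# passed to a backend (wiki-backend renames that header, see below).
option forwardfor
# Timeouts without a unit are milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
# Bound the time a client may take to send the complete request headers.
# Without it an idle or trickling connection only falls under "timeout client",
# which leaves the listeners open to slowloris-style header trickling. This
# covers the header phase only (no "option http-buffer-request" here), so large
# request bodies such as Nextcloud uploads are not affected.
timeout http-request 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http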
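frontend Statistiken
# Stats page. The original bind was plaintext on every interface with no
# authentication and no source restriction; the page exposes backend
# addresses, node name and server state.
# Serve it over TLS, reusing the certificate the "web" frontend already
# serves (the hostname used to reach port 8443 may not be covered by that
# certificate, in which case browsers will warn but traffic is still
# encrypted). Earlier variant kept for reference:
# bind *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
bind *:8443 ssl crt /etc/ssl/letsencrypt/letsencrypt-combine.pem alpn h2,http/1.1
mode http
option httplog
maxconn 5
# Access control: only loopback and the LAN. 192.168.16.0/24 is inferred from
# the backend server addresses in this config - adjust it to the real
# management network, or add "stats auth <user>:<password>" in addition.
http-request deny unless { src 127.0.0.0/8 192.168.16.0/24 }
stats enable
stats show-legends
# Do not reveal the HAProxy version on the page.
stats hide-version
stats refresh 60s
stats show-node
# The whole frontend is the stats page; "stats admin" is deliberately not
# enabled, so the page is read-only.
stats uri /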
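frontend web
# Dual-stack listeners. v4v6 is now set on :443 as well; the original :443
# bind relied on the kernel's bindv6only default for IPv4 reachability.
bind [::]:80 v4v6
# bind [::]:443 ssl crt /etc/ssl/haproxy/schubert.home.combined.pem
bind [::]:443 v4v6 ssl crt /etc/ssl/letsencrypt/letsencrypt-combine.pem
# bind :443 ssl crt /etc/haproxy/certs/ strict-sni

# ---- ACLs ----
acl lets_encrypt path_beg /.well-known/acme-challenge/
acl url_discovery path /.well-known/caldav /.well-known/carddav
# Exact, case-insensitive Host matches. The ":444" variant matches a Host
# header that carries an external port (presumably a port-forward to this
# listener - confirm).
acl host_wiki hdr(host) -i wiki.schubert.home
acl host_wiki hdr(host) -i wiki.bamasch.de
acl host_nc hdr(host) -i nc.schubert-waltringen.de:444
acl host_nc hdr(host) -i nc.schubert.home
acl host_nc hdr(host) -i oc.bamasch.de

# ---- Request rules (evaluated in order, before backend selection) ----
# Stateless ACME HTTP-01: answer every challenge request with
# "<token>.<account thumbprint>" using ACCOUNT_THUMBPRINT from the global
# section. Because the response is generated here, the lets_encrypt backend
# below is never reached while this rule is active.
http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if lets_encrypt
# CalDAV/CardDAV service discovery for Nextcloud (applies to every host).
http-request redirect location /remote.php/dav/ code 301 if url_discovery
# Force HTTPS for everything else. Kept after the ACME rule so challenges stay
# answerable on port 80 (the legacy "redirect scheme" form had the same
# ordering, since it ran after all http-request rules).
http-request redirect scheme https code 301 if !{ ssl_fc }

# ---- Routing by Host header ----
# No default_backend is defined here or in "defaults", so requests for any
# other Host get a 503 instead of being passed to an arbitrary backend.
use_backend lets_encrypt if lets_encrypt
use_backend wiki-backend if host_wiki
use_backend nc-backend if host_nc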
backend wiki-backend
# mode http
# ("mode http" and "option forwardfor" are inherited from defaults.)
balance roundrobin
# option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ wiki.schubert.home
# The client address is passed as "X-Client" instead of the default
# X-Forwarded-For header name.
option forwardfor header X-Client
# NOTE(review): "option httpchk" is commented out above, so the health check is
# a plain (TLS) connect check and this expect rule has nothing to match
# against until httpchk is re-enabled.
http-check expect status 200
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# NOTE(review): unlike nc-backend, no Strict-Transport-Security or other
# security response headers are set for this backend.
# server wiki.schubert-home-be 192.168.16.173:80 maxconn 32 check verify none
# Re-encrypts to the backend on 443, but "verify none" skips validation of the
# backend certificate: this protects against passive sniffing on the LAN only,
# not against an on-path attacker. The client's SNI is forwarded; the health
# check uses a fixed SNI.
server wiki.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni wiki.schubert.home sni ssl_fc_sni inter 3s rise 2 fall 3
backend nc-backend
mode http
# Client address for the application's proxy handling, in addition to the
# X-Forwarded-For header added by "option forwardfor" in defaults.
http-request set-header X-Client-IP %[src]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Security response headers. set-header replaces whatever value the backend
# sent, so these are authoritative for this host. HSTS max-age is two years.
http-response set-header Strict-Transport-Security max-age=63072000
http-response set-header X-Content-Type-Options nosniff
http-response set-header X-Robots-Tag noindex,nofollow
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Permitted-Cross-Domain-Policies none
# NOTE(review): X-XSS-Protection is a legacy header that current browsers no
# longer honour; harmless to keep for older clients.
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header Referrer-Policy no-referrer
balance roundrobin
# server nc-backend 192.168.16.71:80 check maxconn 5000 send-proxy-v2
# server nc-backend 192.168.16.173:80 check maxconn 5000
# Same backend host as wiki-backend, selected by SNI. "verify none" skips
# validation of the backend certificate, so the TLS hop to the backend is
# unauthenticated (protects against passive sniffing only).
server oc.schubert.home-be 192.168.16.173:443 ssl verify none check check-sni oc.bamasch.de sni ssl_fc_sni inter 3s rise 2 fall 3
backend lets_encrypt
# Presumably a local standalone ACME client listening on port 60001 - confirm.
# Currently shadowed: the "web" frontend answers HTTP-01 challenges itself with
# an http-request return rule, so traffic never reaches this backend.
mode http
server local localhost:60001
