global
    # Process-wide settings shared by every proxy section in this file.
    daemon
    maxconn 200
    log stdout format raw local0

    # Client-facing TLS defaults for `bind ... ssl` lines: TLS 1.3 is the
    # minimum version and session tickets are disabled.
    ssl-default-bind-options prefer-client-ciphers no-tls-tickets ssl-min-ver TLSv1.3
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    # The same policy for outgoing TLS. These defaults only matter for
    # `server` lines that enable `ssl`.
    ssl-default-server-options no-tls-tickets ssl-min-ver TLSv1.3
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    # NOTE(review): no user/group/chroot is set in this section, so the
    # privileges of the running process depend on how it is launched - confirm.

defaults generic_defaults
    # Base defaults; the named defaults section declared with
    # `from generic_defaults` inherits these values.
    log global
    maxconn 50

    # Client-side inactivity timeout (has no effect in backends).
    timeout client 30s

    # Server-side timeouts (have no effect in frontends).
    timeout connect 5s
    timeout server 5s

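defaults http_defaults from generic_defaults
    # HTTP-mode defaults for the frontends and backends declared with
    # `from http_defaults`.
    mode http
    option httplog

    # Limit how long a client may take to send a complete request header.
    # Without this, only `timeout client` applies between chunks, so a slow
    # sender can hold one of the few connection slots for a long time.
    # 10s is a starting value; tune it for the slowest legitimate client.
    timeout http-request 10s

    # Appends the connecting address as an X-Forwarded-For header. A header of
    # that name already sent by the client is kept, so backends should trust
    # only the value added by this proxy (the last one), not the first.
    option forwardfor
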
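frontend fe_stats from http_defaults
    # Statistics page. The bind line has no address, so it listens on every
    # interface; the port comes from STATS_PORT and falls back to 61000.
    bind :"${STATS_PORT-61000}"

    # Source-address allowlist. `src` is the address of the TCP peer, so it is
    # not influenced by request headers such as X-Forwarded-For.
    acl ips_allowed src 10.10.10.0/24 10.10.1.0/24
    http-request deny if !ips_allowed

    stats enable
    stats uri /
    stats refresh 10s
    # Do not show the HAProxy version on the page.
    stats hide-version

    # NOTE(review): the page is served over plain HTTP and has no `stats auth`,
    # so the allowlist above is the only access control - confirm that is
    # acceptable for these networks.
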
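frontend fe_https-proxy from http_defaults
    # Public entry point. Port 80 exists only to redirect to HTTPS; port 443
    # terminates TLS with the certificates found under the crt path.
    # strict-sni refuses handshakes whose SNI matches no loaded certificate.
    bind :80
    bind :443 ssl strict-sni crt /usr/local/etc/haproxy/certs alpn h2,http/1.1

    # Send every plain-HTTP request to the HTTPS scheme.
    redirect scheme https code 301 if !{ ssl_fc }

    # HSTS for two years. http-after-response also covers responses that
    # HAProxy generates itself (for example the 404 from be_no-match), which
    # http-response rules do not touch. The header is sent on TLS
    # connections only, since browsers ignore it over plain HTTP.
    http-after-response set-header Strict-Transport-Security max-age=63072000 if { ssl_fc }

    # Pick the backend from the lowercased Host header through hosts.map;
    # hosts without an entry go to be_no-match.
    # NOTE(review): a Host value with an explicit port ("name:443") is looked
    # up as-is - confirm hosts.map accounts for that or strip the port first.
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/hosts.map,be_no-match)]
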
backend be_example.net from http_defaults
    # Health check: a HEAD request for /status with a fixed Host header. The
    # User-Agent prefix comes from HEALTH_CHECK_USER_AGENT, default "HAProxy".
    option httpchk
    http-check send meth HEAD uri /status hdr Host example.net hdr User-Agent "${HEALTH_CHECK_USER_AGENT-HAProxy} health check"

    # One server, checked every 10s; three consecutive failures mark it down
    # and three consecutive successes mark it up again.
    # NOTE(review): the server line has no `ssl`, so traffic from the proxy to
    # example.net:8080 is unencrypted - confirm that network path is trusted.
    server nextcloud-loft example.net:8080 check inter 10s fall 3 rise 3

    # gzip is limited to plain text and CSS responses.
    compression algo gzip
    compression type text/plain text/css

backend be_no-match from http_defaults
    # Fallback for hosts with no entry in hosts.map: every request is
    # rejected with a 404 and nothing is forwarded to a server.
    http-request deny deny_status 404