global
# Process-wide settings: runtime API sockets, TLS defaults, and the Lua hook
# that issues certificates on the fly (see fe_passtrough below).
#stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
#user haproxy
#group haproxy
#daemon
# NOTE(review): user/group are commented out, so haproxy keeps the identity of
# whoever starts it (root in a typical container) for its whole lifetime -- and
# so does anything create-cert.sh forks. Confirm that is intended.
# Runtime API. `level admin` grants full control (server state, `set ssl cert`,
# ...). The unix socket is protected only by its file mode; with user/group
# unset, its owner is the starting user.
stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
# The TCP variant carries no authentication at all: any process that can reach
# 127.0.0.1:9999 (including containers sharing this network namespace) gets
# admin access. Keep it loopback-only and prefer the unix socket where possible.
stats socket ipv4@127.0.0.1:9999 level admin
stats timeout 2m
# Cipher preference for `bind ... ssl`. The RSA+* suites at the tail use static
# RSA key exchange (no forward secrecy); drop them if client compatibility allows.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Only SSLv3 is disabled here, so TLS 1.0 and 1.1 remain negotiable.
# TODO(review): add `no-tlsv10 no-tlsv11` (or `ssl-min-ver TLSv1.2` on
# HAProxy >= 1.8) unless legacy clients are a hard requirement.
ssl-default-bind-options no-sslv3
# DH group size for the DH+* suites listed above.
tune.ssl.default-dh-param 2048
# TODO: Limiting to "nbthread 1" doesn't work when /opt/generate-cert/create-cert.sh is forked. The connection to the haproxy stats socket doesn't work (via unix socket and also via TCP socket)
#nbthread 1
# Lua script providing the `lua.cert_otf` action used by fe_passtrough.
lua-load /etc/haproxy/lua_files/on_the_fly_cert.lua
# Re-enables fork() after startup, which HAProxy blocks by default as a
# hardening measure (per the HAProxy docs); needed here so the Lua action can
# run create-cert.sh. Anything reachable through that script runs with
# haproxy's privileges.
insecure-fork-wanted
defaults
# Baseline inherited by every frontend/backend below unless overridden there.
# NOTE(review): the global section above defines no `log` target, so
# `log global` forwards to nothing and this proxy emits no traffic logs as
# written.
log global
mode http
#option httplog
option dontlognull
# No `timeout http-request` is set, so a client that trickles request headers
# holds a connection for the full 50s client timeout; consider adding one
# (e.g. 10s) on the HTTP frontend.
timeout connect 20s
timeout client 50s
timeout server 60s
frontend fe_passtrough
# Public TLS entry point. Runs in TCP mode so the handshake is not terminated
# here: only the ClientHello is inspected for SNI before the raw bytes are
# piped to the TLS-terminating frontend `fe` via be_pipe.
mode tcp
bind *:443
# Buffer up to 10s waiting for enough bytes to evaluate the rules below.
tcp-request inspect-delay 10s
tcp-request content reject if ! { req_ssl_hello_type 1 } # Needed, otherwise txn.sf:req_ssl_sni() is empty in lua script
# Connections without SNI are dropped: the Lua action keys on it.
tcp-request content reject if ! { req_ssl_sni -m found }
# NOTE(review): this action (on_the_fly_cert.lua) runs for every accepted
# connection with an attacker-chosen SNI. If it generates a certificate per
# unseen name, unauthenticated clients can drive unbounded cert generation
# (and forks of create-cert.sh); confirm the script caches and rate-limits
# before exposing this publicly.
tcp-request content lua.cert_otf
default_backend be_pipe
backend be_pipe
# Hairpin: hands the raw TLS stream to the `fe` frontend on loopback, prefixing
# a PROXY header so the original client address survives the hop.
mode tcp
server haproxy 127.0.0.1:44300 send-proxy
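frontend fe
# TLS termination for the stream hairpinned from be_pipe. Client addresses are
# recovered from the PROXY header (accept-proxy), which carries no
# authentication: anything that can reach an accept-proxy listener can claim
# any client IP, so such listeners must be reachable only by trusted senders
# (HAProxy docs). The only sender in this file is be_pipe on 127.0.0.1, so the
# TLS listener is bound to loopback instead of every interface.
mode http
# `crt` on a directory loads the certificates present at startup; the
# on-the-fly ones are presumably injected at runtime through the stats
# socket -- confirm against on_the_fly_cert.lua.
bind 127.0.0.1:44300 accept-proxy ssl crt /etc/haproxy/certs
# NOTE(review): no consumer of this plaintext+PROXY port is visible in this
# file; if one exists, bind to that source rather than `*`, for the same
# PROXY-header spoofing reason as above.
bind *:44301 accept-proxy
# Plaintext, no PROXY header, reachable on every interface -- bypasses TLS and
# client-address attribution entirely. Keep for local debugging only; bind it
# to 127.0.0.1 or remove it before production.
bind *:44400 # Port without PROXY Protocol, for debugging purposes
default_backend be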
backend be
# Upstream web server, reached in plaintext over the container network.
# NOTE(review): no `option forwardfor`, so Apache sees haproxy's address rather
# than the client IP recovered from the PROXY header; no health `check` either.
mode http
server apache apache:80