billisdead/n8n-mobile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ajout de http cats (avec adaptation selinux en parallèle)

Browse Source
This commit is contained in:
billisdead
2026-01-13 11:10:57 +01:00
parent 4ab26dfed0
commit 448e490952
1 changed files with 56 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
haproxy.cfg
+56 -36
View File
@@ -1,7 +1,7 @@
global global
lua-load /etc/haproxy/cors/cors.lua lua-load /etc/haproxy/cors/cors.lua
#log /dev/log local0 log /dev/log local0
#log /dev/log local1 notice log /dev/log local1 notice
log 127.0.0.1 local2 log 127.0.0.1 local2
log-send-hostname log-send-hostname
chroot /var/lib/haproxy chroot /var/lib/haproxy
@@ -13,19 +13,19 @@ global
group haproxy group haproxy
daemon daemon
# Default SSL material locations # Default SSL material locations
ca-base /etc/ssl/certs ca-base /etc/ssl/certs
crt-base /etc/ssl/private crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets. # Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from: # For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from # An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#ssl-default-bind-options no-sslv3 #ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
# intermediate configuration # intermediate configuration
ssl-default-bind-curves X25519:prime256v1:secp384r1 ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
@@ -35,12 +35,6 @@ global
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
#ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
#ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
#ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults defaults
log global log global
@@ -52,13 +46,16 @@ defaults
timeout server 600s timeout server 600s
timeout http-request 5s timeout http-request 5s
option http-buffer-request option http-buffer-request
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http http-errors kitties
# errorfile 500 /etc/haproxy/errors/500.http errorfile 400 /etc/haproxy/http-cat-errors/400.http
# errorfile 502 /etc/haproxy/errors/502.http errorfile 403 /etc/haproxy/http-cat-errors/403.http
# errorfile 503 /etc/haproxy/errors/503.http errorfile 408 /etc/haproxy/http-cat-errors/408.http
# errorfile 504 /etc/haproxy/errors/504.http errorfile 500 /etc/haproxy/http-cat-errors/500.http
errorfile 502 /etc/haproxy/http-cat-errors/502.http
errorfile 503 /etc/haproxy/http-cat-errors/503.http
errorfile 504 /etc/haproxy/http-cat-errors/504.http
userlist admin-ghost userlist admin-ghost
group is-admin group is-admin
@@ -95,6 +92,18 @@ frontend https
http-request track-sc0 src table per_ip_rates http-request track-sc0 src table per_ip_rates
http-request silent-drop if { sc_http_req_rate(0) gt 100 } http-request silent-drop if { sc_http_req_rate(0) gt 100 }
# config httpcats
errorfiles kitties
http-response return status 400 default-errorfiles if { status 400 }
http-response return status 401 default-errorfiles if { status 401 }
http-response return status 403 default-errorfiles if { status 403 }
http-response return status 404 default-errorfiles if { status 404 }
http-response return status 408 default-errorfiles if { status 408 }
http-response return status 500 default-errorfiles if { status 500 }
http-response return status 502 default-errorfiles if { status 502 }
http-response return status 503 default-errorfiles if { status 503 }
http-response return status 504 default-errorfiles if { status 504 }
## config antiDDOS ## config antiDDOS
# Suivi du taux de requêtes par IP # Suivi du taux de requêtes par IP
stick-table type ip size 1m expire 10m store http_req_rate(10s) stick-table type ip size 1m expire 10m store http_req_rate(10s)
@@ -200,10 +209,6 @@ backend boudoir-backend
# Deny /ghost/ hors IP white # Deny /ghost/ hors IP white
http-request deny if ghost_path !is_whitelisted_full http-request deny if ghost_path !is_whitelisted_full
# Auth basique pour /ghost/ (toujours demandée si pas IP white, mais safe)
# http-request auth realm "Ghost Admin" unless admin_auth if ghost_path
# Bloque /ghost/ hors votre IP (sécurisé, simple)
server boudoir 192.168.1.57:2368 check server boudoir 192.168.1.57:2368 check
@@ -238,15 +243,30 @@ backend hass-backend
backend cms backend cms
#server cms 192.168.1.101:80 #server cms 192.168.1.101:80
acl ghost_path path_beg /ghost/
acl is_whitelisted src 82.67.3.126/32
acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
acl admin_auth http_auth_group(admin-ghost) is-admin
# Deny /ghost/ hors IP white
http-request deny if ghost_path !is_whitelisted_full
server cms 192.168.1.250:2369 server cms 192.168.1.250:2369
backend cms2 backend cms2
#mode http #mode http
server ghost_server 192.168.1.55:2368 acl ghost_path path_beg /ghost/
#http-request set-header X-Forwarded-Proto https acl is_whitelisted src 82.67.3.126/32
#http-request set-header Host %[hdr(host)] acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
#http-request set-header X-Real-IP %[src] acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
#http-request set-header X-Forwarded-For %[src] acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
acl admin_auth http_auth_group(admin-ghost) is-admin
# Deny /ghost/ hors IP white
http-request deny if ghost_path !is_whitelisted_full
server ghost_server 192.168.1.55:2368
backend mattermost backend mattermost
server mattermost 192.168.1.112:8065 server mattermost 192.168.1.112:8065