second commit
+214
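--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,214 @@
+global
+lua-load /etc/haproxy/cors/lua/lib/cors.lua
+#log /dev/log local0
+#log /dev/log local1 notice
+log 127.0.0.1 local2
+log-send-hostname
+chroot /var/lib/haproxy
+pidfile /var/run/haproxy.pid
+stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+stats timeout 30s
+maxconn 30000
+user haproxy
+group haproxy
+daemon
+
+# Default SSL material locations
+ca-base /etc/ssl/certs
+crt-base /etc/ssl/private
+
+# Default ciphers to use on SSL-enabled listening sockets.
+# For more information, see ciphers(1SSL). This list is from:
+# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+# An alternative list with additional directives can be obtained from
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+#ssl-default-bind-options no-sslv3
+tune.ssl.default-dh-param 2048
+# intermediate configuration
+ssl-default-bind-curves X25519:prime256v1:secp384r1
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
+
+ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+#ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+#ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+#ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+
+defaults
+log global
+mode http
+option httplog
+option dontlognull
+timeout connect 5000
+timeout client 600s
+timeout server 600s
+errorfile 400 /etc/haproxy/errors/400.http
+errorfile 403 /etc/haproxy/errors/403.http
+errorfile 408 /etc/haproxy/errors/408.http
+errorfile 500 /etc/haproxy/errors/500.http
+errorfile 502 /etc/haproxy/errors/502.http
+errorfile 503 /etc/haproxy/errors/503.http
+errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http_in
+bind *:80
+maxconn 500
+
+acl acl_letsencrypt path_beg /.well-known/acme-challenge/
+
+redirect scheme https if !acl_letsencrypt !{ ssl_fc }
+use_backend be_letsencrypt if acl_letsencrypt
+
+frontend https
+bind *:443,[::]:443 ssl crt /etc/haproxy/ssl/ strict-sni alpn h2,http/1.1
+http-request set-header X-Forwarded-Proto https if { ssl_fc }
+http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+http-request set-header X-Forwarded-For %[src]
+http-request set-header X-Forwarded-For %[src]
+
+# BEGIN CORS
+#capture request header origin len 128
+#chttp-response set-header Access-Control-Allow-Origin "*"
+#chttp-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
+#chttp-response set-header Access-Control-Max-Age 3628800
+#chttp-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"
+# END CORS
+
+acl cms-host hdr(host) -i mrteddybear.fr
+acl bunkerweb-host hdr(host) -i bunkerweb.gyozamancave.fr
+acl rss-host hdr(host) -i rss.gyozamancave.fr
+acl mattermost-host hdr(host) -i mattermost.gyozamancave.fr
+acl jellyfin-host hdr(host) -i jellyfin.gyozamancave.fr
+acl nextcloud-host hdr(host) -i nextcloud.gyozamancave.fr
+acl funkwhale-host hdr(host) -i funkwhale.gyozamancave.fr
+acl wiki-host hdr(host) -i wiki.gyozamancave.fr
+acl hass-host hdr(host) -i hass.gyozamancave.fr
+acl postiz-host hdr(host) -i postiz.gyozamancave.fr
+acl n8n-host hdr(host) -i n8n.gyozamancave.fr
+
+use_backend cms if cms-host
+use_backend bunkerweb if bunkerweb-host
+use_backend rss if rss-host
+use_backend mattermost if mattermost-host
+use_backend jellyfin if jellyfin-host
+use_backend nextcloud if nextcloud-host
+use_backend funkwhale if funkwhale-host
+use_backend wiki if wiki-host
+use_backend hass-backend if hass-host
+use_backend postiz-backend if postiz-host
+use_backend n8n-backend if n8n-host
+
+
+backend hass-backend
+server hass 192.168.1.130:8123
+mode http
+#option forwardfor
+#http-request add-header X-Forwarded-Proto https
+#http-request add-header X-Forwarded-Port 443
+
+backend cms
+#server cms 192.168.1.101:80
+server cms 192.168.1.250:2369
+
+backend bunkerweb
+http-request set-header X-Forwarded-Proto https if { ssl_fc }
+http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+http-request set-header X-Forwarded-For %[src]
+option forwardfor
+server waf 192.168.1.18:32287
+#server waf 192.168.1.18:30761
+
+backend mattermost
+server mattermost 192.168.1.112:8065
+
+
+backend be_letsencrypt
+server letsencrypt 127.0.0.1:9080
+#server letsencrypt 127.0.0.1:10001
+
+backend jellyfin
+server jellyfin 192.168.1.103:8096
+
+
+backend wiki
+server wiki 192.168.1.18:32149
+
+backend postiz-backend
+#mode http
+#balance source
+#http-request add-header X-Forwarded-Proto https if { ssl_fc }
+#option forwardfor except 192.168.1.18/24
+# # stickiness
+#stick-table type ip size 50k expire 30m
+#stick on src
+#http-reuse safe
+#cookie SERVERID insert indirect nocache
+#default-server inter 10s fastinter 500 fall 2 rise 2
+# # force https
+#acl http ssl_fc,not
+#http-request redirect scheme https if http
+mode http
+balance source
+http-request add-header X-Forwarded-Proto https if { ssl_fc }
+# stickiness
+stick-table type ip size 50k expire 30m
+stick on src
+http-reuse safe
+cookie SERVERID insert indirect nocache
+default-server inter 10s fastinter 500 fall 2 rise 2
+# force https
+acl http ssl_fc,not
+http-request redirect scheme https if http
+http-response set-header Strict-Transport-Security max-age=15552000
+option ssl-hello-chk
+server postiz 192.168.1.18:32133
+
+
+backend nextcloud
+# health checking is DISABLED
+mode http
+balance source
+http-request add-header X-Forwarded-Proto https if { ssl_fc }
+# stickiness
+stick-table type ip size 50k expire 30m
+stick on src
+http-reuse safe
+cookie SERVERID insert indirect nocache
+default-server inter 10s fastinter 500 fall 2 rise 2
+# force https
+acl http ssl_fc,not
+http-request redirect scheme https if http
+http-response set-header Strict-Transport-Security max-age=15552000
+option ssl-hello-chk
+server nextcloud 192.168.1.13:5080 #check ssl #verify none
+
+backend rss
+mode http
+enabled
+server rss 192.168.1.8:8080
+
+backend n8n-backend
+server n8n 192.168.1.18:32120
+
+
+backend funkwhale
+http-request set-header X-Forwarded-Proto https if { ssl_fc }
+http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+http-request set-header X-Forwarded-For %[src]
+option forwardfor
+#http-request set-header X-Forwarded-Port %[dst_port]
+#http-request add-header X-Forwarded-Proto https if { ssl_fc }
+#http-response add-header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline': img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self';"
+#http-response add-header Referrer-Policy strict-origin-when-cross-origin
+#http-response add-header X-Frame-Options SAMEORIGIN
+#server funkwhale 192.168.1.12:5002
+server funkwhale 192.168.1.108:5002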
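Review bot: Strict-Transport-Security is emitted only from `backend postiz-backend` and `backend nextcloud`, so responses routed through the other nine backends behind `frontend https` (cms, bunkerweb, rss, mattermost, jellyfin, funkwhale, wiki, hass-backend, n8n-backend) carry no HSTS; moving the one line `http-response set-header Strict-Transport-Security max-age=15552000` into `frontend https` after the `X-Forwarded-*` rules would cover every host served on 443 and make the two per-backend copies, and their `acl http ssl_fc,not` / `http-request redirect scheme https if http` pairs, which as far as this file shows can never match behind a TLS-only bind, removable. The commented-out Content-Security-Policy in `backend funkwhale` has a colon where a semicolon belongs (`style-src 'self' 'unsafe-inline': img-src`), so re-enabling it as written would fold img-src into an invalid style-src directive rather than restrict images. `frontend https` sets `http-request set-header X-Forwarded-For %[src]` on two consecutive lines; the second is a duplicate, and in `backend bunkerweb` and `backend funkwhale` the trailing `option forwardfor` appends a second X-Forwarded-For value after `set-header` has already pinned it, which is worth a comment if intentional. `option ssl-hello-chk` in postiz-backend and nextcloud has no effect while those `server` lines lack `check`, matching the "health checking is DISABLED" comment but easy to mistake for active monitoring.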