From 73e850bd2f0825b3a88934c0b6803ecd2354c41c Mon Sep 17 00:00:00 2001 From: billisdead Date: Fri, 16 Jan 2026 07:43:07 +0100 Subject: [PATCH] changement de config : -umami +swetrix --- haproxy.cfg | 71 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 42 insertions(+), 29 deletions(-) diff --git a/haproxy.cfg b/haproxy.cfg index 21d4c88..46bd5e8 100644 --- a/haproxy.cfg +++ b/haproxy.cfg @@ -86,14 +86,15 @@ frontend https bind *:443,[::]:443 ssl crt /etc/haproxy/ssl/ strict-sni alpn http/1.1 #bind *:443,[::]:443 ssl crt /etc/haproxy/ssl/ strict-sni alpn h2,http/1.1 # headers - http-request set-header Host %[req.hdr(Host)] - http-request set-header X-Real-IP %[src] + #http-request set-header Host homegit.gyozamancave.fr + #http-request set-header Host %[req.hdr(Host)] + #http-request set-header X-Real-IP %[src] http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } http-request set-header X-Forwarded-For %[src] http-request track-sc0 src table per_ip_rates http-request silent-drop if { sc_http_req_rate(0) gt 100 } - + # config httpcats errorfiles kitties http-response return status 400 default-errorfiles if { status 400 } @@ -106,10 +107,17 @@ frontend https http-response return status 503 default-errorfiles if { status 503 } http-response return status 504 default-errorfiles if { status 504 } + # Redirection 301 pour links.billisdead.com + acl is_billisdead hdr(host) -i links.billisdead.com + http-request redirect code 301 location https://links.mrteddybear.fr/@billisdead.com if is_billisdead + + + ## config antiDDOS - # Suivi du taux de requêtes par IP + acl homegit-host hdr(host) -i homegit.gyozamancave.fr + # Suivi du taux de requêtes par IP stick-table type ip size 1m expire 10m store http_req_rate(10s) - http-request track-sc0 src + http-request track-sc0 src unless homegit-host # ACL pour whitelister ton domaine n8n acl n8n_domain hdr_end(host) -i gyozamancave.fr 
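Review bot: Commenting out `http-request set-header X-Real-IP %[src]` means a client-supplied X-Real-IP header is no longer overwritten and now reaches every backend exactly as the client sent it. Any backend that reads that header for logging, allowlisting or its own throttling would then be trusting a caller-chosen address. If the header is no longer wanted, replace the commented line with `http-request del-header X-Real-IP` rather than leaving it unset. The X-Forwarded-For line is still overwritten with `%[src]`, so it is unaffected. The `frontend https` section starts and continues outside this hunk.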
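Review bot: `http-request track-sc0 src unless homegit-host` takes the Gitea host out of the per-IP counter that the later `deny deny_status 429` rule reads, so requests to homegit.gyozamancave.fr, including Basic-auth attempts, get no throttling from that rule. If the aim is to stop git clients hitting 429 on large clones, keep the tracking and exempt the host on the deny side with its own looser threshold, e.g. `http-request deny deny_status 429 if { sc0_http_req_rate gt 100 } !homegit-host`. Separately, the earlier `http-request track-sc0 src table per_ip_rates` (in the previous hunk) already binds sc0. As far as I know HAProxy ignores a second track-sc0 once the counter is in use, so this exemption may have no effect and homegit traffic may still hit the `silent-drop` rule. Confirm with `show table` on the runtime socket before relying on either behaviour.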
@@ -124,26 +132,19 @@ frontend https http-request allow if my_ip http-request allow if my_lan1 http-request allow if my_lan2 - - #bloquer le reste -# http-request deny deny_status 403 - + # Appliquer la rate-limit globale pour le reste http-request deny deny_status 429 if { sc0_http_req_rate gt 100 } # BEGIN CORS #capture request header origin len 128 - #chttp-response set-header Access-Control-Allow-Origin "*" - #chttp-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId" - #chttp-response set-header Access-Control-Max-Age 3628800 - #chttp-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT" + #http-response set-header Access-Control-Allow-Origin "*" + #http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId" + #http-response set-header Access-Control-Max-Age 3628800 + #http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT" # END CORS - # Redirection 301 pour links.billisdead.com - acl is_billisdead hdr(host) -i links.billisdead.com - http-request redirect code 301 location https://links.mrteddybear.fr/@billisdead.com if is_billisdead - acl cms-host hdr(host) -i mrteddybear.fr acl links-host hdr(host) -i links.mrteddybear.fr acl cms2-host hdr(host) -i billisdead.com 
@@ -154,12 +155,15 @@ frontend https acl hass-host hdr(host) -i hass.gyozamancave.fr acl postiz-host hdr(host) -i postiz.gyozamancave.fr acl stats-host hdr(host) -i stats.gyozamancave.fr + acl stats-api hdr(host) -i api.stats.gyozamancave.fr acl n8n-host hdr(host) -i n8n.gyozamancave.fr - acl homegit-host hdr(host) -i homegit.gyozamancave.fr + #acl homegit-host hdr(host) -i homegit.gyozamancave.fr #acl boudoir-assets path_beg /assets/ #acl path_og path_beg /og/ acl boudoir-host hdr(host) -i ledigitalboudoir.com + #acl is_api path -m beg -i /api + use_backend cms if cms-host use_backend links-mtb if links-host use_backend cms2 if cms2-host @@ -169,6 +173,7 @@ frontend https use_backend wiki if wiki-host use_backend hass-backend if hass-host use_backend postiz-backend if postiz-host + use_backend stats-backend-api if stats-api use_backend stats-backend if stats-host use_backend n8n-backend if n8n-host use_backend homegit-backend if homegit-host 
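Review bot: The commented-out `#acl homegit-host ...` gives no hint that the ACL still exists and now also drives the rate-limit exemption in the antiDDOS section, while `use_backend homegit-backend if homegit-host` below still depends on it. Delete the dead line and leave a pointer in its place, `# homegit-host: defined in the antiDDOS section, also exempts the host from track-sc0`, so a later change to the routing match does not silently widen the exemption. The new `stats-api` ACL departs from the `*-host` naming of every neighbouring ACL; `stats-api-host` would keep the list uniform. Because the bind line uses `strict-sni`, api.stats.gyozamancave.fr also needs a matching certificate in /etc/haproxy/ssl/, which this diff does not show.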
@@ -205,26 +210,34 @@ frontend https #backend boudoir-backend # server boudoir 192.168.1.57:2368 backend boudoir-backend - acl ghost_path path_beg /ghost/ - acl is_whitelisted src 82.67.3.126/32 - acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) - acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) - acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine - acl admin_auth http_auth_group(admin-ghost) is-admin + acl ghost_path path_beg /ghost/ + acl is_whitelisted src 82.67.3.126/32 + acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) + acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) + acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine + acl admin_auth http_auth_group(admin-ghost) is-admin - # Deny /ghost/ hors IP white - http-request deny if ghost_path !is_whitelisted_full - server boudoir 192.168.1.57:2368 check + # Deny /ghost/ hors IP white + http-request deny if ghost_path !is_whitelisted_full + server boudoir 192.168.1.57:2368 check #backend boudoir-backend # server boudoir 192.168.1.107:31723 check backend homegit-backend - server homegit 192.168.1.70:3000 check + mode http + # S'assurer que le header n'est pas supprimé + http-response add-header WWW-Authenticate Basic\ realm="Gitea" + server homegit 192.168.1.70:3000 check + +backend stats-backend-api + server api_stats 192.168.1.58:8080 backend stats-backend - server stats 192.168.1.49:3000 + #option forwardfor + server stats 192.168.1.58:8081 + backend n8n-backend mode http
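Review bot: `http-response add-header WWW-Authenticate Basic\ realm="Gitea"` in `homegit-backend` appends the challenge to every response, not only 401s, and duplicates it when Gitea already sent one. The comment above it says the intent is only to keep the header from being lost, so restrict it to that case: `http-response set-header WWW-Authenticate 'Basic realm="Gitea"' if { status 401 } !{ res.hdr(WWW-Authenticate) -m found }`. The single quotes matter: I believe HAProxy's parser strips unescaped double quotes, so the current line probably emits `realm=Gitea` without the quotes. The new `stats-backend-api` and `stats-backend` servers also lack `check`, unlike `boudoir` and `homegit`, so HAProxy will not detect when they are down.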