117 lines
3.3 KiB
Plaintext
117 lines
3.3 KiB
Plaintext
|
# haproxy for SUNET frontend load balancer nodes.
|
||
|
#
|
||
|
{% from "common/haproxy_macros.j2" import output_backends %}
|
||
|
|
||
|
{% block global %}
|
||
|
global
|
||
|
log stdout format raw local0 debug
|
||
|
|
||
|
daemon
|
||
|
maxconn 256
|
||
|
stats socket /haproxy_control/stats mode 660
|
||
|
#server-state-file /tmp/server_state
|
||
|
|
||
|
# whole container is started as non-root
|
||
|
#user haproxy
|
||
|
#group haproxy
|
||
|
|
||
|
# Default SSL material locations
|
||
|
ca-base /etc/ssl/certs
|
||
|
crt-base /etc/ssl/private
|
||
|
|
||
|
# Mozilla Guideline v5.7 intermediate configuration
|
||
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||
|
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||
|
|
||
|
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||
|
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||
|
# end Mozilla config
|
||
|
|
||
|
tune.ssl.default-dh-param 2048
|
||
|
|
||
|
spread-checks 20
|
||
|
|
||
|
|
||
|
|
||
|
{% endblock global %}
|
||
|
|
||
|
|
||
|
{% block defaults %}
|
||
|
defaults
|
||
|
log global
|
||
|
mode http
|
||
|
option httplog
|
||
|
option dontlognull
|
||
|
option redispatch
|
||
|
option forwardfor
|
||
|
# funny looking values because recommendation is to have these slightly
|
||
|
# above mulitples of three seconds to play nice with TCP resend timers
|
||
|
timeout check 5s
|
||
|
timeout connect 4s
|
||
|
timeout client 17s
|
||
|
timeout server 17s
|
||
|
timeout http-request 5s
|
||
|
|
||
|
# never fail on address resolution
|
||
|
default-server init-addr libc,none
|
||
|
balance roundrobin
|
||
|
{% endblock defaults %}
|
||
|
|
||
|
{% block stats %}
|
||
|
frontend LB-http
|
||
|
# expose stats info over HTTP to exabgp
|
||
|
bind 127.0.0.1:9000
|
||
|
http-request set-log-level silent
|
||
|
default_backend LB
|
||
|
|
||
|
backend LB
|
||
|
stats enable
|
||
|
#stats hide-version
|
||
|
stats uri /haproxy_stats
|
||
|
{% endblock stats %}
|
||
|
|
||
|
|
||
|
{% block global_backends %}
|
||
|
{% if letsencrypt_server is defined %}
|
||
|
backend letsencrypt_{{ letsencrypt_server }}
|
||
|
server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
|
||
|
{% else %}
|
||
|
# letsencrypt_backend not defined
|
||
|
{% endif %}
|
||
|
{% endblock global_backends %}
|
||
|
|
||
|
|
||
|
{% block https_everything %}
|
||
|
#
|
||
|
# Redirect _everything_ to HTTPS
|
||
|
frontend http-frontend
|
||
|
bind 0.0.0.0:80
|
||
|
bind :::80
|
||
|
|
||
|
redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ }
|
||
|
{% if letsencrypt_server is defined %}
|
||
|
use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
|
||
|
{% else %}
|
||
|
# letsencrypt_backend not defined
|
||
|
{% endif %}
|
||
|
{% endblock https_everything %}
|
||
|
|
||
|
#
|
||
|
# Frontend section
|
||
|
#
|
||
|
{% block frontend %}
|
||
|
{% endblock frontend %}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Backend section
|
||
|
#
|
||
|
{% block pre_backend %}
|
||
|
{% endblock pre_backend %}
|
||
|
|
||
|
{% block backend %}
|
||
|
{{ output_backends(backends, config=[]) }}
|
||
|
{% endblock backend %}
|