39 lines
1.2 KiB
Django/Jinja
39 lines
1.2 KiB
Django/Jinja
{% extends 'common/haproxy_base.j2' %}
|
|
|
|
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
|
|
|
|
{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
|
|
{%- for ip in bind_ips %}
|
|
bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
|
|
{%- endfor %}
|
|
{%- endmacro %}
|
|
|
|
{% block frontend %}
|
|
frontend {{ site_name }}
|
|
{{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
|
|
|
|
|
|
timeout http-request 10s
|
|
timeout http-keep-alive 4s
|
|
option forwardfor
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header client-cert %{+Q}[ssl_c_der,base64]
|
|
|
|
{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
|
|
|
|
|
|
{{ acme_challenge(letsencrypt_server) }}
|
|
|
|
use_backend {{ site_name }}__default
|
|
{% endblock frontend %}
|
|
|
|
{% block backend %}
|
|
{{ output_backends(backends,
|
|
config=['option httpchk GET /status/healthy HTTP/1.1',
|
|
'http-check expect string STATUS_OK',
|
|
'http-check send-state',
|
|
'http-check disable-on-404',
|
|
],
|
|
)
|
|
}}
|
|
{% endblock backend %}
|