global
# Process-wide settings. Log to stdout (container-friendly) at the most verbose
# level.
# NOTE(review): 'debug' on a public TLS frontend is chatty; 'info'/'notice' is
# the usual production choice — confirm this level is intended.
log stdout format raw local0 debug
# Runtime API socket on the shared volume. 'level admin' permits every runtime
# command (server state changes, map/ACL edits, ...), so who can open the socket
# is the whole access control: 'mode 660' gives owner and group read/write and
# nothing to others. 'expose-fd listeners' lets a socket client fetch the
# listening sockets (used for seamless reload with '-x'); remove it if hitless
# reloads are not used, since it widens what an admin client can obtain.
stats socket /shared/admin.sock mode 660 level admin expose-fd listeners
# Idle timeout for runtime API sessions.
stats timeout 30s
# Default SSL material locations
# Base directories resolved against relative 'ca-file' / 'crt' paths.
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# TLS <=1.2 cipher list (forward-secret ECDHE/DHE with AEAD only) and TLS 1.3
# ciphersuites, both from the Mozilla "intermediate" profile. These apply to
# every 'bind ... ssl' line that does not override them. The generator URL is
# pinned to HAProxy 2.0.3; regenerate against the deployed version when it moves.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Floor the protocol at TLS 1.2 and disable session tickets (stateless
# resumption depends on long-lived ticket keys, which weakens forward secrecy
# if they leak).
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
# Inherited by every proxy section below unless it overrides the setting.
log global
# HTTP mode and HTTP log format by default; the 'listen' sections further down
# switch to 'mode tcp' / 'option tcplog' explicitly.
mode http
option httplog
# Values without a unit are milliseconds: 5 s to establish a server connection,
# 50 s of client-side / server-side inactivity before the connection is dropped.
timeout connect 5000
timeout client 50000
timeout server 50000
# Static error pages served by haproxy itself for these status codes.
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
# Public entry point for one customer. Listen addresses are rendered by ERB from
# the per-customer secrets bag (@cache_secrets['customers'][@customer]); IPv6
# literals must be bracketed in a bind address.
frontend customer
# Plain HTTP on :80.
bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:80
bind [<%= @cache_secrets['customers'][@customer]['ip6'] %>]:80
# HTTPS on :443. 'crt' expects a PEM bundle (private key plus certificate
# chain); cipher lists, minimum TLS version and ticket policy come from the
# ssl-default-bind-* directives in 'global'.
bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:443 ssl crt /certs-private/combined.pem
bind [<%= @cache_secrets['customers'][@customer]['ip6'] %>]:443 ssl crt /certs-private/combined.pem
# No HTTP->HTTPS redirect is configured in this section: both ports are handed
# to varnish as-is, which can tell them apart through the PROXY v2 SSL TLVs set
# on the varnish backend.
default_backend varnish
backend varnish
# Hand every connection to varnish over a local unix socket. 'send-proxy-v2'
# prefixes each connection with a PROXY protocol v2 header carrying the
# original client/destination addresses, and 'proxy-v2-options ssl' adds the
# SSL TLVs so varnish can tell a TLS-terminated connection from plain HTTP.
server varnish /shared/varnish.sock send-proxy-v2 proxy-v2-options ssl
# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
# Egress path varnish -> origin over TLS. Varnish connects here with the PROXY
# protocol; this section relays the bytes unchanged ('mode tcp') and opens a new
# TLS session towards the selected origin.
listen haproxy_https
mode tcp
option tcplog
maxconn 1000
# 'accept-proxy' trusts the PROXY header from whatever connects, so the socket
# permissions are the only thing restricting that to varnish.
# NOTE(review): on Linux, connecting to a unix socket needs write permission on
# the socket file; with 'mode 640' only the owning user can connect, so varnish
# presumably runs as that same user — confirm.
bind /shared/haproxy_https accept-proxy mode 640
# Pin connections to an origin keyed by destination address; 'size 100' caps the
# number of tracked entries.
# NOTE(review): with accept-proxy, 'dst' is presumably the destination carried
# in the PROXY header rather than the socket path — confirm this is the intended
# stickiness key.
stick-table type ip size 100
stick on dst
# One server per configured origin. The origin's certificate is checked against
# the system CA bundle (haproxy's server-side verify defaults to 'required'),
# ALPN is restricted to HTTP/1.1, and the SNI is taken from the PROXY v2
# authority TLV varnish sends (fc_pp_authority); by default the certificate name
# is also checked against that SNI value.
# NOTE(review): if varnish sends no authority TLV, no SNI is sent and name
# checking cannot use it — verify how the origins behave in that case.
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
server s<%= index %> <%= origin %>:443 ssl ca-file /etc/ssl/certs/ca-certificates.crt alpn http/1.1 sni fc_pp_authority
<% end -%>
# While varnish could reach out to HTTP backends itself, let's stick to one
# place (haproxy) for dealing with loadbalancing etc.
# Plain-HTTP counterpart of haproxy_https: same PROXY-protocol ingress from
# varnish and the same per-origin server list, but relayed to origin port 80
# without TLS, so the varnish -> origin hop is in the clear on this path.
listen haproxy_http
mode tcp
option tcplog
maxconn 1000
# Socket permissions are what limit who may inject a PROXY header here (see the
# same directive in haproxy_https).
bind /shared/haproxy_http accept-proxy mode 640
# Destination-keyed stickiness, capped at 100 tracked entries.
stick-table type ip size 100
stick on dst
# One server per configured origin, plain HTTP.
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
server s<%= index %> <%= origin %>:80
<% end -%>