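# HAProxy configuration (ERB template). Public traffic is terminated in the
# "customer" frontend and handed to Varnish over a unix socket; Varnish then
# comes back through the two "listen" sections below to reach the origins.
#
# Review notes:
#  - Origin TLS verification in haproxy_https previously relied on the global
#    ssl-server-verify default; it is now spelled out as "verify required" so
#    the intent survives a change of that default.
#  - Typos in the haproxy_http comment fixed.

global
    # Log to stdout (container style). "debug" is the most verbose level; lower
    # it if log volume becomes a problem in production.
    log stdout format raw local0 debug
    # Runtime API socket. "level admin" grants full control (server state,
    # table manipulation, etc.), so access is limited by the 660 mode: only the
    # socket's owner and group on the host may connect.
    # "expose-fd listeners" is what allows seamless (hitless) reloads.
    stats socket /shared/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # ("intermediate" profile: TLS 1.2+, AEAD ciphers only, no session tickets)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    # Timeouts are in milliseconds when no unit is given.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /usr/local/etc/haproxy/errors/400.http
    errorfile 403 /usr/local/etc/haproxy/errors/403.http
    errorfile 408 /usr/local/etc/haproxy/errors/408.http
    errorfile 500 /usr/local/etc/haproxy/errors/500.http
    errorfile 502 /usr/local/etc/haproxy/errors/502.http
    errorfile 503 /usr/local/etc/haproxy/errors/503.http
    errorfile 504 /usr/local/etc/haproxy/errors/504.http

# Public-facing frontend for one customer. Addresses come from the secrets
# hash at render time; the same combined cert/key file serves v4 and v6.
# Plain HTTP on :80 is accepted and forwarded as-is; any redirect to HTTPS is
# not configured here (presumably handled in Varnish VCL - confirm).
frontend customer
    bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:80
    bind [<%= @cache_secrets['customers'][@customer]['ip6'] %>]:80
    bind <%= @cache_secrets['customers'][@customer]['ip4'] %>:443 ssl crt /certs-private/combined.pem
    bind [<%= @cache_secrets['customers'][@customer]['ip6'] %>]:443 ssl crt /certs-private/combined.pem
    default_backend varnish

# Hand-off to Varnish over a local unix socket. PROXY protocol v2 carries the
# real client/destination addresses, and "proxy-v2-options ssl" adds the TLS
# TLVs so Varnish can tell HTTPS from HTTP requests.
# https://varnish-cache.org/docs/trunk/users-guide/vcl-backends.html#connecting-through-a-proxy
backend varnish
    server varnish /shared/varnish.sock send-proxy-v2 proxy-v2-options ssl

# Varnish -> origin over TLS. Varnish connects on the unix socket with PROXY
# protocol; the origin list is rendered from the secrets hash.
listen haproxy_https
    mode tcp
    option tcplog
    maxconn 1000
    bind /shared/haproxy_https accept-proxy mode 640
    # Pin a given destination to one origin server. With accept-proxy, "dst"
    # is presumably the destination from the PROXY header - confirm.
    stick-table type ip size 100
    stick on dst
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
    # "verify required" makes certificate validation explicit instead of relying
    # on the global ssl-server-verify default. The SNI (and hence the host name
    # check) is taken from the PROXY v2 authority TLV; if that TLV is absent the
    # host name check may not apply - confirm with the Varnish side.
    server s<%= index %> <%= origin %>:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt alpn http/1.1 sni fc_pp_authority
<% end -%>

# While varnish could reach out to HTTP backends itself, let's stick to one
# place (haproxy) for dealing with loadbalancing etc.
# NOTE: this path talks to the origins in plain HTTP on :80.
listen haproxy_http
    mode tcp
    option tcplog
    maxconn 1000
    bind /shared/haproxy_http accept-proxy mode 640
    stick-table type ip size 100
    stick on dst
<% @cache_secrets['customers'][@customer]['origins'].each_with_index do |origin, index| -%>
    server s<%= index %> <%= origin %>:80
<% end -%>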