# Copyright (c) 2018-2021, diyIT.org # All rights reserved. # # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # https://diyit.org/license/ # # # https://ssl-config.mozilla.org/#server=haproxy # Need to use Intermediate setting for Twilio and Jetpack global daemon # modern configuration # twilio is one of the sites that cannot handle the modern config # ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 # ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets # ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 # ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets # intermediate configuration ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /mnt/certs/dhparam2048.pem ssl-dh-param-file /mnt/certs/dhparam2048.pem tune.ssl.default-dh-param 2048 #testing #tune.idle-pool.shared off log 127.0.0.1 local0 defaults log global mode http # option http-use-htx #not supported in 2.5 option forwardfor option redispatch option http-keep-alive option http-server-close option httplog option dontlognull retries 3 maxconn 4096 timeout http-request 10s timeout http-keep-alive 10s timeout queue 1m timeout connect 5s timeout client 90s timeout server 90s timeout check 10s timeout tunnel 3600s timeout tarpit 60s unique-id-format %{+X}o\ %[hostname,field(1,.),upper]-%Ts%rt default-server init-addr none resolvers mydns resolvers mydns nameserver ns1 192.168.0.5:53 frontend stats bind :::8404 v4v6 http-request use-service prometheus-exporter if { path /metrics } stats enable stats uri /stats stats refresh 10s stats show-node stats realm Haproxy\ Statistics stats auth infra:infra frontend ft bind :::80 v4v6 # bind :::443 v4v6 strict-sni alpn http/1.1 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem crt /mnt/certs/rwehaproxy.pem crt /mnt/certs/rwrhaproxy.pem crt /mnt/certs/scvcchaproxy.pem bind :::443 v4v6 strict-sni alpn h2,http/1.1 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem crt /mnt/certs/rwehaproxy.pem crt /mnt/certs/rwrhaproxy.pem crt /mnt/certs/scvcchaproxy.pem redirect scheme https code 301 if !{ ssl_fc } log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc # acl is_websocket hdr(Upgrade) -i WebSocket # acl is_websocket hdr_beg(Host) -i ws # use_backend bk_ahlawat-hass if is_websocket acl network_allowed src 192.168.0.0/24 192.168.8.0/24 192.168.50.0/24 192.168.51.0/24 fd01::/64 fd08::/64 fd50::/64 fd51::/64 # acl restricted_page path -i -m sub /wp-admin ## rockwood needs external access acl restricted_page path -i -m sub /wp-login http-request deny if restricted_page !network_allowed http-request set-header X-Client-IP "%[src]" http-request set-header X-Client-Port "%[src_port]" http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Ssl on if { ssl_fc } http-response set-header Strict-Transport-Security max-age=63072000 # for Clickjacking - added to individual backends # http-response set-header X-Frame-Options SAMEORIGIN # https://github.com/haproxy/haproxy/issues/1353 # use req.hdr(host) instead of ssl_fc_sni # use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com } # use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com } use_backend bk_ahlawat if { req.hdr(host) ahlawat.com } use_backend bk_ahlawat if { req.hdr(host) www.ahlawat.com } use_backend bk_ahlawat-sharad if { req.hdr(host) sharad.ahlawat.com } use_backend bk_ahlawat-rachna if { req.hdr(host) rachna.ahlawat.com } use_backend bk_ahlawat-nivi if { req.hdr(host) nivi.ahlawat.com } use_backend bk_ahlawat-nivi if { req.hdr(host) nivedita.ahlawat.com } use_backend bk_ahlawat-rishabh if { req.hdr(host) rishabh.ahlawat.com } use_backend bk_ahlawat-book-443 if { req.hdr(host) books.ahlawat.com } use_backend bk_ahlawat-book-444 if { req.hdr(host) book1.ahlawat.com } use_backend bk_ahlawat-book-445 if { req.hdr(host) book2.ahlawat.com } use_backend bk_ahlawat-cam if { req.hdr(host) cam.ahlawat.com } use_backend bk_ahlawat-ci if { req.hdr(host) ci.ahlawat.com } use_backend bk_ahlawat-cloud if { req.hdr(host) cloud.ahlawat.com } use_backend bk_ahlawat-git if { req.hdr(host) git.ahlawat.com } use_backend bk_ahlawat-hub if { req.hdr(host) hub.ahlawat.com } use_backend bk_ahlawat-matrix if { req.hdr(host) matrix.ahlawat.com } use_backend bk_ahlawat-meet if { req.hdr(host) meet.ahlawat.com } use_backend bk_ahlawat-monitor if { req.hdr(host) monitor.ahlawat.com } use_backend bk_ahlawat-jump if { req.hdr(host) jump.ahlawat.com } use_backend bk_ahlawat-hass if { req.hdr(host) hass.ahlawat.com } use_backend bk_diyit if { req.hdr(host) diyit.org } use_backend bk_diyit if { req.hdr(host) www.diyit.org } use_backend bk_diyit if { req.hdr(host) xflow.org } use_backend bk_diyit if { req.hdr(host) www.xflow.org } use_backend bk_diyit-grafana if { req.hdr(host) grafana.diyit.org } use_backend bk_diyit-prometheus if { req.hdr(host) prometheus.diyit.org } use_backend bk_diyit-kibana if { req.hdr(host) kibana.diyit.org } use_backend bk_diyit-maps if { req.hdr(host) maps.diyit.org } use_backend bk_dvpc if { req.hdr(host) datavpc.com } use_backend bk_dvpc if { req.hdr(host) www.datavpc.com } use_backend bk_dvpc if { req.hdr(host) mydatavpc.com } use_backend bk_dvpc if { req.hdr(host) www.mydatavpc.com } use_backend bk_rwe if { req.hdr(host) rockwoodestates.org } use_backend bk_rwe if { req.hdr(host) www.rockwoodestates.org } use_backend bk_rwr if { req.hdr(host) rockwoodranch.org } use_backend bk_rwr if { req.hdr(host) www.rockwoodranch.org } use_backend bk_scvcc if { req.hdr(host) scvcc-rental.com } use_backend bk_scvcc if { req.hdr(host) www.scvcc-rental.com } use_backend bk_beyondbell if { req.hdr(host) beyondbell.com } use_backend bk_beyondbell if { req.hdr(host) www.beyondbell.com } use_backend bk_beyondbell-ci if { req.hdr(host) ci.beyondbell.com } use_backend bk_beyondbell-git if { req.hdr(host) git.beyondbell.com } use_backend bk_beyondbell-repo if { req.hdr(host) repo.beyondbell.com } use_backend bk_beyondbell-dashboard if { req.hdr(host) dashboard.beyondbell.com } use_backend bk_beyondbell-vault if { req.hdr(host) vault.beyondbell.com } use_backend bk_beyondbell-web-moonglade if { req.hdr(host) moonglade.beyondbell.com } use_backend bk_beyondbell-web-moonglade-private if { req.hdr(host) moonglade-private.beyondbell.com } use_backend bk_beyondbell-r-windows if { req.hdr(host) moonglade-server.beyondbell.com } use_backend bk_beyondbell-windows if { req.hdr(host) gs.beyondbell.com } use_backend bk_beyondbell-mazes if { req.hdr(host) mazes.beyondbell.com } use_backend bk_beyondbell-mazes-backend if { req.hdr(host) mazes-backend.beyondbell.com } # Fallback for non-SNI clients acl is-ahlawat hdr(host) -i ahlawat.com acl is-ahlawat hdr(host) -i www.ahlawat.com use_backend bk_ahlawat if is-ahlawat acl is-diyit hdr(host) -i diyit.org acl is-diyit hdr(host) -i www.diyit.org use_backend bk_diyit if is-diyit default_backend bk_ahlawat backend bk_ahlawat server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-sharad # balance roundrobin server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN # http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com" backend bk_ahlawat-rachna server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-nivi server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-rishabh server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-book-443 server srv1 book.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-book-444 server srv1 book.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-book-445 server srv1 book.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-cam server srv1 192.168.0.54:8765 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-ci # http-request set-header Host cix.ahlawat.com:8080 http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2 server srv1 cix.ahlawat.com:8080 check http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-cloud server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-git # timeout queue 8s server srv1 gitx.ahlawat.com:3000 check ssl maxconn 32 ca-file /mnt/certs/cacert.pem alpn h2 # server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org" # http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-hub server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-matrix server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-meet server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-monitor server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-jump server srv1 jumpx.ahlawat.com:8080 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_ahlawat-hass server srv1 hassx.ahlawat.com:8123 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_diyit server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_diyit-grafana server srv1 grafanax.diyit.org:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_diyit-prometheus server srv1 prometheusx.diyit.org:9090 check # ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_diyit-kibana server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_diyit-maps server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response set-header X-Frame-Options SAMEORIGIN backend bk_dvpc server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_rwe server srv1 web.rockwoodestates.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_rwr server srv1 web.rockwoodranch.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_scvcc server srv1 web.scvcc-rental.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell # server srv1 192.168.0.77:8080 server srv1 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-ci # http-request set-header Host cix.beyondbell.com:8111 http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2 server srv1 192.168.0.73:8111 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-git server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-repo # http-request set-header Host 192.168.0.75:8081 # http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2 # http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2 server srv1 192.168.0.75:8081 http-response set-header X-Frame-Options SAMEORIGIN # http-response del-header Strict-Transport-Security # http-response add-header Content-Security-Policy: upgrade-insecure-requests backend bk_beyondbell-dashboard http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2 server srv1 192.168.0.92:8080 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-vault http-request replace-header Host ^([^\ \t:]*:)\ https://vault.beyondbell.com/(.*) \1\ http://192.168.0.93:8200/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.93:8200/(.*) \1\ https://vault.beyondbell.com/\2 server srv1 192.168.0.93:8200 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-web-moonglade server srv1 192.168.0.74:8000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-web-moonglade-private server srv1 192.168.0.74:4000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-r-windows server srv1 192.168.0.85:4000 server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-windows server srv1 192.168.0.81:26900 server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-mazes server srv1 192.168.0.171:8080 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN backend bk_beyondbell-mazes-backend server srv1 192.168.0.172:8080 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options SAMEORIGIN