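# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# Reverse proxy in front of several web properties: one TLS frontend routes
# by SNI to per-site backends.  Header manipulation uses the http-request /
# http-response rule set; the legacy reqadd/rspadd/rspidel/block directives
# are deprecated alongside "option http-use-htx" (set below) and "set-header"
# also replaces rather than appends, so a backend that already sends
# X-Frame-Options no longer produces a duplicate header.

global
    daemon
    maxconn 4096
    tune.ssl.default-dh-param 2048
    # TLS <= 1.2 cipher list: ephemeral-DH / ECDH with AES first, no anonymous
    # suites, no MD5, no DSS.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # TLS 1.1 is still accepted here (no-tlsv11 is deliberately commented
    # out); re-enable it only once no client needs TLS 1.1.
    ssl-default-bind-options no-sslv3 no-tlsv10 # no-tlsv11
    log 127.0.0.1 local0

defaults
    log global
    mode http
    option http-use-htx
    # Adds X-Forwarded-For so backends see the real client address.
    option forwardfor
    option redispatch
    # http-keep-alive and http-server-close are mutually exclusive; the last
    # one wins, so http-server-close is the effective connection mode.
    option http-keep-alive
    option http-server-close
    option httplog
    option dontlognull
    retries 3
    timeout http-request 10s
    timeout http-keep-alive 10s
    timeout queue 1m
    timeout connect 5s
    timeout client 90s
    timeout server 90s
    timeout check 10s
    timeout tunnel 3600s
    timeout tarpit 60s

#listen stats
#    bind :::1936 v4v6
#    stats uri /
#    stats enable
#    stats refresh 10s
#    stats show-node
#    stats realm Haproxy\ Statistics
#    stats auth infra:infra

# Statistics page and Prometheus exporter.  The bind is on every interface,
# so access is limited to the same management networks the main frontend
# uses for /wp-admin; the Prometheus scraper must sit inside those networks
# (TODO confirm against the monitor host).  /metrics is served without
# authentication, which is why the source check comes first.
frontend stats
    bind :::8404 v4v6
    acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
    http-request deny unless network_allowed
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 10s
    stats show-node
    stats realm Haproxy\ Statistics
    # The credential below is trivially guessable and is also the one shown
    # in the commented listen block above; replace it before relying on the
    # stats page for anything beyond the allowlisted networks.
    stats auth infra:infra

# Public entry point: plain HTTP is redirected to HTTPS, everything else is
# routed by the TLS SNI name.
frontend ft
    bind :::80 v4v6
    bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
    redirect scheme https if !{ ssl_fc }
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
    # Tell backends the client connection is HTTPS.  set-header overwrites
    # any X-Forwarded-Proto the client sent, so it cannot be spoofed.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Clickjacking protection is applied per backend (see below), because
    # some applications set or must not receive X-Frame-Options themselves.
    # http-response set-header X-Frame-Options SAMEORIGIN
    # HSTS: browsers refuse plain HTTP to these hosts for max-age seconds.
    http-response set-header Strict-Transport-Security max-age=15768000
    # Management networks that may reach the WordPress admin paths.
    acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
    acl restricted_page path -i -m sub /wp-admin
    acl restricted_page path -i -m sub /wp-login
    # Replaces the legacy "block" directive; http-request rules run before the
    # redirect above, so these paths get a 403 on both plain HTTP and HTTPS.
    http-request deny if restricted_page !network_allowed
    # Routing keys on the TLS SNI, not the Host header; a hand-crafted client
    # can make the two disagree, so backends must not assume they match.
    use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
    use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
    use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
    use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
    use_backend bk_diyit if { ssl_fc_sni diyit.org }
    use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
    use_backend bk_diyit if { ssl_fc_sni xflow.org }
    use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
    use_backend bk_diyit if { ssl_fc_sni diyit.space }
    use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
    use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
    use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
    use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
    use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
    # use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com }
    use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
    use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
    use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
    use_backend bk_ahlawat-cam if { ssl_fc_sni cam.ahlawat.com }
    use_backend bk_ahlawat-ci if { ssl_fc_sni ci.ahlawat.com }
    use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
    use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
    use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
    use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
    use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
    use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
    use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
    use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
    use_backend bk_beyondbell-api if { ssl_fc_sni api.beyondbell.com }
    use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
    use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
    use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
    use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
    default_backend bk_ahlawat

# Backends.  Upstreams reached over TLS verify the server certificate against
# /mnt/certs/cacert.pem; the ones addressed by RFC1918 IP are plain HTTP.

backend bk_ahlawat
    server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell
    server srv1 192.168.0.74:8000
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_diyit
    server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-sharad
    server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-nivi
    server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-rishabh
    server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

#backend bk_ahlawat-book
#    server srv1 bookx.ahlawat.com:443 check ssl verify none

backend bk_ahlawat-book-443
    # server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-book-444
    # server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-book-445
    # server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-cam
    server srv1 192.168.0.54:8765 check
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-cloud
    server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-git
    server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # The Gitea server adds this header by default; it is removed here.
    http-response del-header X-Frame-Options
    # Possible refinement: strip the header only for internal clients.
    # http-request set-var(txn.src) src
    # acl mynet var(txn.src) -m sub 192.168.0
    # acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
    # http-response del-header X-Frame-Options if mynet
    # http-response set-header X-Frame-Options SAMEORIGIN unless mynet

backend bk_ahlawat-hub
    server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_ahlawat-monitor
    server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # http-response set-header X-Frame-Options SAMEORIGIN

backend bk_diyit-grafana
    server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # http-response set-header X-Frame-Options SAMEORIGIN

backend bk_diyit-prometheus
    # Plain HTTP to Prometheus; the TLS options are intentionally disabled.
    server srv1 monitorx.ahlawat.com:9090 check # ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_diyit-kibana
    server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # http-response set-header X-Frame-Options SAMEORIGIN

backend bk_diyit-maps
    server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    # http-response set-header X-Frame-Options SAMEORIGIN

# The CI/repo backends rewrite absolute URLs between the public name and the
# internal origin.  reqirep/rspirep match any header whose value starts with
# the URL (e.g. Location on responses); they are legacy directives, and the
# HTX-era equivalent is http-request/http-response replace-header on the
# specific header (TODO confirm which headers actually need rewriting
# before converting).
backend bk_ahlawat-ci
    # http-request set-header Host cix.ahlawat.com:8180
    reqirep ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
    rspirep ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
    server srv1 cix.ahlawat.com:8180 check
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell-api
    server srv1 192.168.0.77:8000
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell-git
    server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell-ci
    http-request set-header Host cix.beyondbell.com:8111
    reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
    rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
    server srv1 cix.beyondbell.com:8111 check
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell-repo
    # http-request set-header Host 192.168.0.75:8080
    reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
    rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
    server srv1 192.168.0.75:8080 check
    http-response set-header X-Frame-Options SAMEORIGIN

backend bk_beyondbell-gs
    server srv1 192.168.0.81:26900 check
    http-response set-header X-Frame-Options SAMEORIGIN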