# Copyright (c) 2018-2021, diyIT.org # All rights reserved. # # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # https://diyit.org/license/ # # global daemon maxconn 4096 tune.ssl.default-dh-param 2048 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 no-tlsv10 # no-tlsv11 log 127.0.0.1 local0 defaults log global mode http option http-use-htx option forwardfor option redispatch option http-keep-alive option http-server-close option httplog option dontlognull retries 3 timeout http-request 10s timeout http-keep-alive 10s timeout queue 1m timeout connect 5s timeout client 90s timeout server 90s timeout check 10s timeout tunnel 3600s timeout tarpit 60s frontend stats bind :::8404 v4v6 http-request use-service prometheus-exporter if { path /metrics } stats enable stats uri /stats stats refresh 10s stats show-node stats realm Haproxy\ Statistics stats auth infra:infra frontend ft bind :::80 v4v6 bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem redirect scheme https if !{ ssl_fc } log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc # passing on that browser is using https ## http-request add-header Forwarded: proto=https #enabling this breaks things, needs investigation http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Ssl on if { ssl_fc } # for Clickjacking - added to individual backends # http-response add-header X-Frame-Options: SAMEORIGIN # prevent browser from using non-secure http-response add-header Strict-Transport-Security: max-age=15768000 acl network_allowed src 192.168.0.0/24 fd01::/64 acl restricted_page path -i -m sub /wp-admin acl restricted_page path -i -m sub /wp-login http-request deny if restricted_page !network_allowed use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com } use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com } use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com } use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com } use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com } use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com } use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com } use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com } use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com } use_backend bk_ahlawat-cam if { ssl_fc_sni cam.ahlawat.com } use_backend bk_ahlawat-ci if { ssl_fc_sni ci.ahlawat.com } use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com } use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com } use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com } use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com } use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com } use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com } use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com } use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com } use_backend bk_diyit if { ssl_fc_sni diyit.org } use_backend bk_diyit if { ssl_fc_sni www.diyit.org } use_backend bk_diyit if { ssl_fc_sni xflow.org } use_backend bk_diyit if { ssl_fc_sni www.xflow.org } use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org } use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org } use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org } use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org } use_backend bk_dvpc if { ssl_fc_sni datavpc.com } use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com } use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com } use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com } use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com } use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com } use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com } use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com } use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com } use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com } use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com } default_backend bk_ahlawat acl is_websocket hdr(Upgrade) -i WebSocket acl is_websocket hdr_beg(Host) -i ws use_backend bk_ahlawat if is_websocket backend bk_ahlawat server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-sharad # balance roundrobin server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN # http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com" backend bk_ahlawat-rachna server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-nivi server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-rishabh server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-book-443 server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-book-444 server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-book-445 server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-cam server srv1 192.168.0.54:8765 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-ci # http-request set-header Host cix.ahlawat.com:8080 http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2 server srv1 cix.ahlawat.com:8080 check http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-cloud server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-git server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org" # http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-hub server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-matrix server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-meet server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-monitor server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-jump server srv1 jumpx.ahlawat.com:8080 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-hass server srv1 hassx.ahlawat.com:8123 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_diyit server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_diyit-grafana server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response add-header X-Frame-Options: SAMEORIGIN backend bk_diyit-prometheus server srv1 monitorx.ahlawat.com:9090 check # ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_diyit-kibana server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response add-header X-Frame-Options: SAMEORIGIN backend bk_diyit-maps server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response add-header X-Frame-Options: SAMEORIGIN backend bk_dvpc server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell server srv1 192.168.0.77:8000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-ci # http-request set-header Host cix.beyondbell.com:8111 http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2 server srv1 192.168.0.73:8111 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-git server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-repo # http-request set-header Host 192.168.0.75:8081 # http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2 # http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2 server srv1 192.168.0.75:8081 http-response add-header X-Frame-Options: SAMEORIGIN # http-response del-header Strict-Transport-Security # http-response add-header Content-Security-Policy: upgrade-insecure-requests backend bk_beyondbell-dashboard http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2 http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2 server srv1 192.168.0.92:8080 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-web-moonglade server srv1 192.168.0.74:8000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-web-moonglade-private server srv1 192.168.0.74:4000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-r-windows server srv1 192.168.0.85:4000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-windows server srv1 192.168.0.81:26900 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN