
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# Process-wide settings.
# NOTE(review): there is no user/group/chroot directive here, so haproxy keeps
# whatever privileges it is started with inside the jail — confirm whether it can
# be dropped to an unprivileged account.
global
daemon
maxconn 4096
# Size of the DH parameters used by the DHE suites listed below.
tune.ssl.default-dh-param 2048
# NOTE(review): RSA+AESGCM / RSA+AES keep plain RSA key exchange (no forward
# secrecy) and the DH+AES / RSA+AES entries admit CBC suites; the ECDHE/DHE
# suites only win by ordering.  Review whether the non-PFS tail is still needed.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# SSLv3 and TLS 1.0 are refused; TLS 1.1 is still accepted (see the commented
# no-tlsv11 below — presumably kept for an older client, verify that is still true).
ssl-default-bind-options no-sslv3 no-tlsv10
# no-tlsv11
# Syslog to the local host, facility local0; sections below pick it up via "log global".
log 127.0.0.1 local0
# Settings inherited by every frontend and backend below unless overridden.
defaults
log global
mode http
# NOTE(review): HTX is the default HTTP representation in recent releases, so
# this option is most likely a no-op and can be dropped once the version is confirmed.
option http-use-htx
# Append the client address as X-Forwarded-For on requests sent to backends.
option forwardfor
# Retry on another server if the chosen one refuses the connection.
option redispatch
# NOTE(review): http-keep-alive and http-server-close are alternative connection
# modes, only one of which can apply (server-close normally takes precedence).
# Confirm which one is intended and remove the other.
option http-keep-alive
option http-server-close
option httplog
# Do not log connections that carried no request.
option dontlognull
retries 3
timeout http-request 10s
timeout http-keep-alive 10s
timeout queue 1m
timeout connect 5s
timeout client 90s
timeout server 90s
timeout check 10s
# Upgraded (WebSocket-style) connections may stay idle for up to an hour.
timeout tunnel 3600s
timeout tarpit 60s
# Statistics and metrics listener.
# NOTE(review): this binds on every address (:::8404) with no source
# restriction, and the prometheus-exporter service is selected by an
# http-request rule before the stats applet runs, so /metrics is not behind
# "stats auth" (which only guards the /stats page).  The credentials below are
# also a guessable default.  Once the scraper's source address is confirmed,
# consider "http-request deny unless { src 192.168.0.0/24 fd01::/64 }" (the
# same trusted ranges the ft frontend uses) and move the password out of this file.
frontend stats
bind :::8404 v4v6
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
stats show-node
stats realm Haproxy\ Statistics
stats auth infra:infra
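# Public entry point: plain HTTP is redirected to HTTPS, TLS is terminated here
# and requests are routed to a backend by the SNI name the client presented.
frontend ft
bind :::80 v4v6
# Several certificates: the one selected is matched against SNI; the first crt
# listed is what a client without SNI receives.
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
redirect scheme https if !{ ssl_fc }
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
# passing on that browser is using https
## http-request add-header Forwarded: proto=https
#enabling this breaks things, needs investigation
# set-header overwrites any client-supplied value, so backends cannot be told
# "https" by a spoofed header.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
# for Clickjacking - added to individual backends
# http-response add-header X-Frame-Options SAMEORIGIN
# prevent browser from using non-secure
# add-header takes the header name without a trailing colon (compare the
# set-header rule in bk_ahlawat-git); with "Strict-Transport-Security:" the
# colon became part of the name, so the emitted header was malformed and
# browsers would not honour it.  includeSubDomains/preload are deliberately not
# added: every name under these domains would first have to serve HTTPS.
http-response add-header Strict-Transport-Security max-age=15768000
# WordPress admin paths are only reachable from the local networks.  The check
# keys on the L3 source address (src), not on X-Forwarded-For, and "-m sub"
# also denies any path that merely contains these strings.
acl network_allowed src 192.168.0.0/24 fd01::/64
acl restricted_page path -i -m sub /wp-admin
acl restricted_page path -i -m sub /wp-login
http-request deny if restricted_page !network_allowed
# Routing by SNI; the first matching use_backend wins, anything unmatched
# falls through to default_backend.
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
use_backend bk_ahlawat-cam if { ssl_fc_sni cam.ahlawat.com }
use_backend bk_ahlawat-ci if { ssl_fc_sni ci.ahlawat.com }
use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com }
use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
default_backend bk_ahlawat
# NOTE(review): because use_backend rules are tried in order, this WebSocket
# rule only fires when no SNI rule above matched — and such requests already go
# to bk_ahlawat via default_backend, so it is effectively redundant.  If
# upgrades for other hosts need this backend, the rule has to move above the
# SNI rules.  hdr_beg(Host) -i ws also matches any host name starting with "ws".
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend bk_ahlawat if is_websocket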
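# Catch-all backend (default_backend and the apex/www names).  srv1 is the
# primary over TLS with CA verification; srv2 is only used when srv1 is down.
backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN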
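# sharad.ahlawat.com: TLS to the origin with CA verification, web.ahlawat.com as backup.
backend bk_ahlawat-sharad
# balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN
# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"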
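# rachna.ahlawat.com: TLS to the origin with CA verification, web.ahlawat.com as backup.
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN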
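# nivi.ahlawat.com / nivedita.ahlawat.com: TLS to the origin, web.ahlawat.com as backup.
backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN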
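# rishabh.ahlawat.com: TLS to the origin with CA verification, web.ahlawat.com as backup.
backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN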
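# book.ahlawat.com: one of three backends on the same host, distinguished by port.
backend bk_ahlawat-book-443
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN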
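# book1.ahlawat.com: same host as book-443, port 444.
backend bk_ahlawat-book-444
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN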
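# book2.ahlawat.com: same host as book-443, port 445.
backend bk_ahlawat-book-445
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN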
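# cam.ahlawat.com: plaintext HTTP to a LAN device; TLS ends at this proxy.
# The backup is an unrelated TLS host, so a failover serves different content.
backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN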
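# ci.ahlawat.com: plaintext HTTP to the CI server on 8080.
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8080
# NOTE(review): replace-header acts only on the value of the named header.  A
# request Host value is a bare host[:port] and never starts with "<name>: https://…",
# and a response carries no Host header at all, so both rules below look like
# no-ops (the regex has the shape of the old full-line reqirep/rspirep form).
# If the intent is to rewrite redirect URLs issued by the backend, the Location
# header is the one to target — confirm before changing.
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
server srv1 cix.ahlawat.com:8080 check
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN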
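# cloud.ahlawat.com: TLS to the origin with CA verification, web.ahlawat.com as backup.
backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN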
# git.ahlawat.com: TLS to the git service on 3000, web.ahlawat.com as backup.
backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# NOTE(review): the ALLOW-FROM form of X-Frame-Options is obsolete and ignored
# by current browsers, so this backend is effectively left frameable by anyone.
# A Content-Security-Policy "frame-ancestors" directive is the supported way to
# allow embedding from *.diyit.org — verify which browsers matter here.
http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
# http-response add-header X-Frame-Options: SAMEORIGIN
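# hub.ahlawat.com: TLS to the origin with CA verification, web.ahlawat.com as backup.
backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN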
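# matrix.ahlawat.com.
# NOTE(review): srv1 uses the public name itself rather than the "<name>x"
# internal naming the other backends use; confirm it resolves to the origin
# from inside the jail and not back to this proxy.
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN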
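# meet.ahlawat.com.
# NOTE(review): as with bk_ahlawat-matrix, srv1 is the public name; confirm it
# resolves to the origin rather than to this proxy.
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN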
# monitor.ahlawat.com: single TLS origin, no backup.  The framing header is
# intentionally left off here (the commented line below), presumably because the
# monitoring UI is embedded elsewhere — confirm.
backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
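# jump.ahlawat.com: plaintext HTTP to the origin on 8080; TLS ends at this proxy.
backend bk_ahlawat-jump
server srv1 jumpx.ahlawat.com:8080 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN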
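# hass.ahlawat.com: plaintext HTTP to the origin on 8123; TLS ends at this proxy.
backend bk_ahlawat-hass
server srv1 hassx.ahlawat.com:8123 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN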
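# diyit.org / xflow.org (and www): TLS to the origin with CA verification.
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN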
# grafana.diyit.org: TLS to the monitor host on 3000, no backup.  Framing header
# deliberately left off (commented below), presumably for embedded dashboards — confirm.
backend bk_diyit-grafana
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
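# prometheus.diyit.org: plaintext HTTP to the monitor host on 9090 (the TLS
# options were left commented out below); TLS ends at this proxy.
backend bk_diyit-prometheus
server srv1 monitorx.ahlawat.com:9090 check
# ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN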
# kibana.diyit.org: TLS to the ELK host on 5601, no backup; framing header left off.
backend bk_diyit-kibana
server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
# maps.diyit.org: TLS to the origin, no backup.
# NOTE(review): this is the only TLS server in the file without "check", so an
# outage is neither detected nor reported on the stats page — confirm that is intended.
backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
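# datavpc.com / mydatavpc.com (and www): TLS to the origin with CA verification.
backend bk_dvpc
server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN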
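# beyondbell.com (and www): plaintext HTTP to a LAN host on 8000, no health
# check and no active backup (srv2 is commented out).
backend bk_beyondbell
server srv1 192.168.0.77:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN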
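# ci.beyondbell.com: plaintext HTTP to a LAN host on 8111, no health check.
backend bk_beyondbell-ci
# http-request set-header Host cix.beyondbell.com:8111
# NOTE(review): same pattern as bk_ahlawat-ci — replace-header only sees the
# Host value (a bare host[:port]), and responses have no Host header, so both
# rules below appear to be no-ops.  If backend redirects are what needs
# rewriting, the Location header is the target — confirm before changing.
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 192.168.0.73:8111
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN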
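# git.beyondbell.com: TLS to the git service on 3000, rishabhx as backup.
backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN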
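# repo.beyondbell.com: plaintext HTTP to a LAN host on 8081, no health check.
# The Host rewrites and the HSTS/CSP tweaks below were left commented out.
backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8081
# http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
# http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8081
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN
# http-response del-header Strict-Transport-Security
# http-response add-header Content-Security-Policy upgrade-insecure-requests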
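# dashboard.beyondbell.com: plaintext HTTP to a LAN host on 8080, no health check.
backend bk_beyondbell-dashboard
# NOTE(review): as in bk_ahlawat-ci these Host rewrites appear to be no-ops
# (replace-header sees only the Host value; responses have no Host header).
# They also name dashboardx.beyondbell.com, whereas the frontend routes
# dashboard.beyondbell.com here — confirm which name is meant.
http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2
server srv1 192.168.0.92:8080
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN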
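# moonglade.beyondbell.com: plaintext HTTP to a LAN host on 8000, no health
# check, backup commented out.
backend bk_beyondbell-web-moonglade
server srv1 192.168.0.74:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN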
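# moonglade-private.beyondbell.com: same LAN host as moonglade on port 4000,
# no health check, backup commented out.  Despite the name nothing here
# restricts who can reach it — access control, if any, is at the origin.
backend bk_beyondbell-web-moonglade-private
server srv1 192.168.0.74:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN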
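# moonglade-server.beyondbell.com: plaintext HTTP to a LAN host on 4000, no
# health check, backup commented out.
backend bk_beyondbell-r-windows
server srv1 192.168.0.85:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# add-header takes the header name without a trailing colon (as the set-header
# rule in bk_ahlawat-git does); "X-Frame-Options:" made the colon part of the name.
http-response add-header X-Frame-Options SAMEORIGIN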
backend bk_beyondbell-windows
server srv1 192.168.0.81:26900
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN