jerry
/
src.dualinventive.com
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
src.dualinventive.com/devops/ansible/roles/frontend-proxy/templates/haproxy.cfg.j2

63 lines
2.5 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
global
user haproxy
group haproxy
tune.ssl.default-dh-param 2048
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
defaults
timeout client 600000 # maximum inactivity time on the client side
timeout server 600000 # maximum inactivity time on the server side
timeout connect 8000 # maximum time to wait for a connection attempt to a server to succeed
retries 5
option redispatch
frontend unsecured
mode http
bind :80
{% for redir in web_forwards %}
acl di_{{ redir.redirect_name }} hdr(host) -i {{ redir.hostname }}
redirect prefix https://{{ redir.hostname }} if di_{{ redir.redirect_name }}
{% endfor %}
frontend web_ssl
bind :443 ssl crt {{ di_certificates_wildcard_dualinventive_bundle }} crt {{ di_certificates_wildcard_mtinfo3000_bundle }} no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
{% for redir in web_forwards %}
acl sni_{{ redir.redirect_name }} ssl_fc_sni -i {{ redir.hostname }}
{% if redir.restrict|default([])|length > 0 %}
acl allowed_{{ redir.redirect_name }} src {{ redir.restrict | join(" ") }}
use_backend backend_{{ redir.redirect_name }} if sni_{{ redir.redirect_name }} allowed_{{ redir.redirect_name }}
tcp-request content reject if sni_{{ redir.redirect_name }} !allowed_{{ redir.redirect_name }}
{% else %}
use_backend backend_{{ redir.redirect_name }} if sni_{{ redir.redirect_name }}
{% endif %}
{% endfor %}
{% for redir in web_forwards %}
backend backend_{{ redir.redirect_name }}
mode http
option http-server-close
option forwardfor
server {{ redir.redirect }} {{ redir.redirect }}:{{ redir.redirect_port }} check
stats enable
stats auth monitor:DualInventive
stats uri /haproxymonitor
stats refresh 5s
errorfile 503 /etc/haproxy/errors/503.http
{% endfor %}
Reference in New Issue View Git Blame Copy Permalink