ha-remote-vpn-addon/rootfs/srv/haproxy/haproxy.cfg

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats timeout 30s
	user haproxy
	group haproxy
	daemon
	maxconn 100

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        option  log-health-checks
        option  log-separate-errors
        option  logasap
        option  contstats
	option  abortonclose
	#option  forwardfor except 172.16.81.0/24

        timeout connect 3s
        timeout client  60s
        timeout server  60s
	timeout http-request 5s
	timeout check 2s

	retries 3

        option splice-auto
        option tcp-smart-connect

	errorfile 400 /srv/haproxy/error.http
	errorfile 403 /srv/haproxy/error.http
	errorfile 408 /srv/haproxy/error.http
	errorfile 500 /srv/haproxy/error.http
	errorfile 502 /srv/haproxy/error.http
	errorfile 503 /srv/haproxy/error.http
	errorfile 504 /srv/haproxy/error.http

	# Force source IP address to connect to HA
	#source 192.168.8.161

frontend ha_front
	bind 0.0.0.0:80
	#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
	mode http
	maxconn 10000

        # Get user ip behind uppon reverse proxy
	capture request header X-Forwarded-For len 15

	# Blacklist
	acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
	http-request deny if blacklist
	
	default_backend ha_back

backend ha_back
	mode http
	balance roundrobin
	option httpchk GET / HTTP/1.0

	timeout server 60s

	server ha-host 172.30.32.1:8123 check observe layer4
Initial release 2024-01-01 17:25:46 +01:00			`global`
			`log /dev/log local0`
			`log /dev/log local1 notice`
			`chroot /var/lib/haproxy`
			`stats timeout 30s`
			`user haproxy`
			`group haproxy`
			`daemon`
			`maxconn 100`

			`# Default SSL material locations`
			`ca-base /etc/ssl/certs`
			`crt-base /etc/ssl/private`

			`# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate`
			`ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
			`ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256`
			`ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets`

			`defaults`
			`log global`
			`mode http`
			`option httplog`
			`option dontlognull`
			`option log-health-checks`
			`option log-separate-errors`
			`option logasap`
			`option contstats`
			`option abortonclose`
			`#option forwardfor except 172.16.81.0/24`

			`timeout connect 3s`
			`timeout client 60s`
			`timeout server 60s`
			`timeout http-request 5s`
			`timeout check 2s`

			`retries 3`

			`option splice-auto`
			`option tcp-smart-connect`

			`errorfile 400 /srv/haproxy/error.http`
			`errorfile 403 /srv/haproxy/error.http`
			`errorfile 408 /srv/haproxy/error.http`
			`errorfile 500 /srv/haproxy/error.http`
			`errorfile 502 /srv/haproxy/error.http`
			`errorfile 503 /srv/haproxy/error.http`
			`errorfile 504 /srv/haproxy/error.http`

			`# Force source IP address to connect to HA`
			`#source 192.168.8.161`

			`frontend ha_front`
			`bind 0.0.0.0:80`
			`#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem`
			`mode http`
			`maxconn 10000`

			`# Get user ip behind uppon reverse proxy`
			`capture request header X-Forwarded-For len 15`

			`# Blacklist`
			`acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist`
			`http-request deny if blacklist`

			`default_backend ha_back`

			`backend ha_back`
			`mode http`
			`balance roundrobin`
			`option httpchk GET / HTTP/1.0`

			`timeout server 60s`

			`server ha-host 172.30.32.1:8123 check observe layer4`