76 lines
2 KiB
INI
76 lines
2 KiB
INI
|
global
|
||
|
log /dev/log local0
|
||
|
log /dev/log local1 notice
|
||
|
chroot /var/lib/haproxy
|
||
|
stats timeout 30s
|
||
|
user haproxy
|
||
|
group haproxy
|
||
|
daemon
|
||
|
|
||
|
# Default SSL material locations
|
||
|
ca-base /etc/ssl/certs
|
||
|
crt-base /etc/ssl/private
|
||
|
|
||
|
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
||
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||
|
|
||
|
defaults
|
||
|
log global
|
||
|
mode http
|
||
|
option httplog
|
||
|
option dontlognull
|
||
|
option log-health-checks
|
||
|
option log-separate-errors
|
||
|
option logasap
|
||
|
option contstats
|
||
|
option abortonclose
|
||
|
#option forwardfor except 172.16.81.0/24
|
||
|
|
||
|
timeout connect 3s
|
||
|
timeout client 60s
|
||
|
timeout server 60s
|
||
|
timeout http-request 5s
|
||
|
timeout check 2s
|
||
|
|
||
|
retries 3
|
||
|
|
||
|
option splice-auto
|
||
|
option tcp-smart-connect
|
||
|
|
||
|
errorfile 400 /srv/haproxy/error.http
|
||
|
errorfile 403 /srv/haproxy/error.http
|
||
|
errorfile 408 /srv/haproxy/error.http
|
||
|
errorfile 500 /srv/haproxy/error.http
|
||
|
errorfile 502 /srv/haproxy/error.http
|
||
|
errorfile 503 /srv/haproxy/error.http
|
||
|
errorfile 504 /srv/haproxy/error.http
|
||
|
|
||
|
# Force source IP address to connect to HA
|
||
|
#source 192.168.8.161
|
||
|
|
||
|
frontend ha_front
|
||
|
bind 0.0.0.0:80
|
||
|
#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
|
||
|
mode http
|
||
|
maxconn 10000
|
||
|
|
||
|
# Get user ip behind uppon reverse proxy
|
||
|
capture request header X-Forwarded-For len 15
|
||
|
|
||
|
# Blacklist
|
||
|
acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
|
||
|
http-request deny if blacklist
|
||
|
|
||
|
default_backend ha_back
|
||
|
|
||
|
backend ha_back
|
||
|
mode http
|
||
|
balance roundrobin
|
||
|
option httpchk GET / HTTP/1.0
|
||
|
|
||
|
timeout server 60s
|
||
|
|
||
|
server ha-host 192.168.8.2:8123 check observe layer4
|