ha-remote-vpn/srv/haproxy/haproxy.cfg

76 lines
2 KiB
INI
Raw Normal View History

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
option log-health-checks
option log-separate-errors
option logasap
option contstats
option abortonclose
#option forwardfor except 172.16.81.0/24
timeout connect 3s
timeout client 60s
timeout server 60s
timeout http-request 5s
timeout check 2s
retries 3
option splice-auto
option tcp-smart-connect
errorfile 400 /srv/haproxy/error.http
errorfile 403 /srv/haproxy/error.http
errorfile 408 /srv/haproxy/error.http
errorfile 500 /srv/haproxy/error.http
errorfile 502 /srv/haproxy/error.http
errorfile 503 /srv/haproxy/error.http
errorfile 504 /srv/haproxy/error.http
# Force source IP address to connect to HA
#source 192.168.8.161
frontend ha_front
bind 0.0.0.0:80
#bind 0.0.0.0:443 ssl crt /srv/haproxy/bundle.pem
mode http
maxconn 10000
# Get user ip behind uppon reverse proxy
capture request header X-Forwarded-For len 15
# Blacklist
acl blacklist hdr(x-forwarded-for) -f /srv/haproxy/blacklist
http-request deny if blacklist
default_backend ha_back
backend ha_back
mode http
balance roundrobin
option httpchk GET / HTTP/1.0
timeout server 60s
server ha-host 192.168.8.2:8123 check observe layer4