86 lines
2.7 KiB
Django/Jinja
86 lines
2.7 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
global
|
|
log /dev/log local0
|
|
log /dev/log local1 notice
|
|
chroot {{ haproxy_chroot }}
|
|
stats socket {{ haproxy_socket }} mode 660 level admin
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
|
|
# Default SSL material locations
|
|
ca-base /etc/ssl/certs
|
|
crt-base /etc/ssl/private
|
|
|
|
# intermediate configuration https://ssl-config.mozilla.org/
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
|
|
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
|
|
ssl-dh-param-file /etc/haproxy/dhparam2048.txt
|
|
|
|
defaults
|
|
log global
|
|
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
|
|
{% if haproxy_stats_enable %}
|
|
listen stats
|
|
mode http
|
|
bind {{ haproxy_stats_bind }}
|
|
|
|
stats enable
|
|
stats refresh 10s
|
|
stats uri /
|
|
stats show-legends
|
|
stats show-node
|
|
stats admin if { src -f /etc/haproxy/stats_admin_ips }
|
|
|
|
http-request deny if !{ src -f /etc/haproxy/stats_access_ips }
|
|
http-request set-log-level silent
|
|
{% endif %}
|
|
|
|
# frontend http-https
|
|
# bind 0.0.0.0:80
|
|
# bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl
|
|
#
|
|
# capture request header Host len 32
|
|
#
|
|
# option forwardfor
|
|
#
|
|
# acl self hdr(host) -i {{ ansible_fqdn }}
|
|
#
|
|
# # Detect Let's Encrypt challenge requests
|
|
# acl letsencrypt path_dir -i /.well-known/acme-challenge
|
|
#
|
|
# # Reject the request at the TCP level if source is in the denylist
|
|
# tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
|
|
#
|
|
# http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
|
# http-request set-header X-Forwarded-Port 443 if { ssl_fc }
|
|
#
|
|
# use_backend local if letsencrypt || self
|
|
#
|
|
# backend local
|
|
# mode http
|
|
# option forwardfor
|
|
#
|
|
# server localhost 127.0.0.1:81 send-proxy-v2
|