From 0233bffd5064c412c77e871155bbb1ab87abdc4b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 3 Nov 2020 13:37:01 +0100
Subject: [PATCH] ajout de haproxy
---
 haproxy.cfg | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 haproxy.cfg
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..933f2e0
--- /dev/null
+++ b/haproxy.cfg
@@ -0,0 +1,86 @@
+global
+ log /dev/log local5
+ log /dev/log local5 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ maxconn 10000
+
+ # intermediate configuration https://ssl-config.mozilla.org/
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-dh-param-file /etc/ssl/dhparam-haproxy
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 1m
+ timeout client 200s
+ timeout server 200s
+
+ maxconn 9800
+
+ option abortonclose
+
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+listen stats
+ bind *:8088 ssl crt /etc/ssl/haproxy
+
+ stats enable
+ stats uri /
+ stats show-legends
+ stats show-node
+
+ acl stats_access_ips src -f /etc/haproxy/stats_access_ips
+ http-request deny if !stats_access_ips
+
+ acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
+ stats admin if stats_admin_ips
+
+frontend https
+ bind *:80
+ bind *:443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+
+ option forwardfor
+ # capture du domaine demandé pour les logs
+ capture request header Host len 32
+
+ reqadd X-Forwarded-Proto:\ https
+
+ # acl letsencrypt path_dir -i /.well-known/acme-challenge
+ # use_backend letsencrypt if letsencrypt
+
+ # Mode maintenance (### -> à décommenter)
+ acl maintenance_ips src -f /etc/haproxy/maintenance_ips
+ ### use_backend maintenance unless maintenance_ips
+
+ default_backend web
+
+backend web
+ balance roundrobin
+ #option httpchk HEAD /health-check
+ server local81 127.0.0.1:81 check observe layer7
+ server local82 127.0.0.1:82 check observe layer7
+
+backend letsencrypt
+ server adm 192.168.3.2
+
+backend maintenance
+ http-request set-log-level silent
+ errorfile 503 /etc/haproxy/errors/503.http
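Review bot: `reqadd X-Forwarded-Proto:\ https` in `frontend https` runs for every request, including those arriving on the plaintext `bind *:80`, so the backends are told that a cleartext request was HTTPS; it also only appends, so a client-supplied X-Forwarded-Proto header is forwarded alongside the added one. `reqadd` is deprecated in HAProxy 2.0 and removed in 2.1, so this line will also stop the config from loading on a newer package. Replacing it with `http-request set-header X-Forwarded-Proto https if { ssl_fc }` and `http-request set-header X-Forwarded-Proto http unless { ssl_fc }` derives the value from the actual connection and overwrites whatever the client sent. If port 80 is intended only as an entry point to HTTPS, an explicit `http-request redirect scheme https unless { ssl_fc }` would make that intent visible in the config rather than leaving cleartext traffic flowing to `backend web`.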