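# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# HAProxy front door (Ansible/Jinja2 template). TLS is terminated here for
# IMAPS (:993), HTTPS (:443, :444) and an SSH-over-TLS multiplex on :443;
# everything runs in TCP mode and is handed to local backends, with a PROXY
# protocol header where the backend supports it.

global
    # DH group size for DHE key exchange when no custom DH parameters are appended to tls.pem.
    tune.ssl.default-dh-param 2048
    # Cipher list and TLS options come from the inventory; the same policy is
    # applied to client-facing binds and to server-side (re-encrypting) connections.
    ssl-default-bind-ciphers {{tls_ciphers}}
    ssl-default-bind-options {{tls_options}}
    ssl-default-server-ciphers {{tls_ciphers}}
    ssl-default-server-options {{tls_options}}
    # NOTE(review): on HAProxy builds with TLS 1.3 support, the 1.3 suites are set by
    # ssl-default-bind-ciphersuites, not by ssl-default-bind-ciphers — confirm the
    # intended TLS 1.3 policy is covered, or add that directive.
    log /dev/log local0 info
    pidfile /run/haproxy.pid
    daemon
    # NOTE(review): no user/group directive here — unless the service unit drops
    # privileges, the daemon keeps root after binding its ports. Verify the unit or add
    # the distribution's haproxy user/group (a chroot would break the unix@ backends below).

defaults
    mode tcp
    timeout connect 5s
    timeout client 5m
    timeout server 5m
    # Once a session is in tunnel state (data has flowed both ways and no content
    # inspection is pending) this timeout supersedes "timeout client"/"timeout server".
    timeout tunnel 1h
    timeout client-fin 5s
    timeout server-fin 5s
    log global
    # logasap: the line is emitted as soon as the server connection is established,
    # so %B and %Tt below carry partial values (marked with a leading '+'); the gain is
    # that long-lived tunnels appear in the log immediately instead of at teardown.
    option logasap
    option log-separate-errors
    log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"

# NOTE(review): a bare ":port" bind listens on IPv4 only; if IPv6 clients are
# expected, the binds need "[::]:port v4v6" — confirm against the host's addressing.

# IMAPS: TLS ends here; Dovecot receives plaintext IMAP preceded by a PROXY v2
# header carrying the real client address.
frontend imaps
    bind :993 ssl crt /etc/haproxy/tls.pem
    default_backend imap

backend imap
    # NOTE(review): plaintext IMAP (credentials included) leaves this host for
    # SafeZone_IP:220 — this assumes that hop is a trusted segment (VM/container
    # bridge) and that Dovecot is configured to accept the PROXY header only from
    # this proxy's address, so that other peers cannot forge a client IP.
    server dovecot {{SafeZone_IP}}:220 send-proxy-v2

# Plain HTTP is passed through untouched to nginx, with a PROXY v1 header.
frontend text
    bind :80
    default_backend http

# HTTPS and SSH-over-TLS share :443. After TLS termination the first payload
# bytes (or their absence) decide the backend. The SSH backend is only reachable
# when the client presented the dedicated SSH SNI name, so ordinary HTTPS clients
# can never be routed to sshd.
frontend tls
    bind :443 ssl crt /etc/haproxy/tls.pem
    # Wait up to 2s for the first payload bytes before routing.
    tcp-request inspect-delay 2s
    # check SNI for the SSH domain
    acl SNI ssl_fc_sni -i {{net_subdom_ssh}}.{{net_soa}}
    # client-first SSH: wait for SSH-2.0
    acl cSSH req.payload(0,7) -m bin 5353482d322e30
    # server-first SSH: https://314es.pl/https-openvpn-and-ssh-on-one-port-thanks-to-haproxy
    acl sSSH req.len eq 0
    # Stop waiting as soon as the payload is recognised; anything else sits out the
    # full inspect delay, which is what makes the req.len == 0 (server-first) case work.
    tcp-request content accept if HTTP
    tcp-request content accept if cSSH
    # First matching rule wins. "SNI !HTTP" already covers the sSSH case; the two
    # explicit rules are kept so the intent of each detection path stays readable.
    use_backend ssh if SNI cSSH
    use_backend ssh if SNI sSSH
    use_backend ssh if SNI !HTTP
    default_backend https

# Second HTTPS entry point on :444, served by the "plus" nginx socket.
frontend tls_plus
    bind :444 ssl crt /etc/haproxy/tls.pem
    default_backend https_plus

backend ssh
    # No PROXY header is sent: sshd sees 127.0.0.1 as the peer, so sshd/fail2ban logs
    # do not contain the real client address — correlate through the HAProxy log.
    server ssh 127.0.0.1:22
    # Idle SSH sessions are meant to survive 2h. In TCP mode the session is governed
    # by "timeout tunnel" as soon as it is in tunnel state, so the 1h default must be
    # raised here as well; "timeout server 2h" alone would never take effect for an
    # established session.
    timeout server 2h
    timeout tunnel 2h

# nginx listens on unix sockets and gets a PROXY v1 header with the client address.
# NOTE(review): any local process able to open these sockets can forge that header,
# so socket permissions must restrict them to this proxy — verify on the nginx side.
backend http
    server nginx unix@/run/shared_sockets/http.pp send-proxy

backend https
    server nginx unix@/run/shared_sockets/https.pp send-proxy

backend https_plus
    server nginx unix@/run/shared_sockets/https+.pp send-proxy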