# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
global
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers {{tls_ciphers}}
ssl-default-bind-options {{tls_options}}
ssl-default-server-ciphers {{tls_ciphers}}
ssl-default-server-options {{tls_options}}
log /dev/log local0 info
pidfile /run/haproxy.pid
daemon
defaults
mode tcp
timeout connect 5s
timeout client 5m
timeout server 5m
timeout tunnel 1h
timeout client-fin 5s
timeout server-fin 5s
log global
option logasap
option log-separate-errors
log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
frontend imaps
bind :993 ssl crt /etc/haproxy/tls.pem
bind :::993 ssl crt /etc/haproxy/tls.pem
default_backend imap
backend imap
server dovecot {{SafeZone_IP}}:220 send-proxy-v2
frontend text
bind :80
bind :::80
default_backend http
frontend tls
bind :443 ssl crt /etc/haproxy/tls.pem
bind :::443 ssl crt /etc/haproxy/tls.pem
tcp-request inspect-delay 2s
# route by TLS SNI: match the SSH hostname (SNI is chosen by the client, so it only selects a backend and is not a form of authentication)
acl SNI ssl_fc_sni -i {{net_subdom_ssh}}.{{net_soa}}
# client-first SSH: the first 7 payload bytes are "SSH-2.0" (hex 5353482d322e30)
acl cSSH req.payload(0,7) -m bin 5353482d322e30
# server-first SSH: the client sends nothing until it receives the server banner, so an empty request once the inspect delay expires is treated as SSH; see https://314es.pl/https-openvpn-and-ssh-on-one-port-thanks-to-haproxy
acl sSSH req.len eq 0
tcp-request content accept if HTTP
tcp-request content accept if cSSH
use_backend ssh if SNI cSSH
use_backend ssh if SNI sSSH
use_backend ssh if SNI !HTTP
default_backend https
frontend tls_plus
bind :444 ssl crt /etc/haproxy/tls.pem
bind :::444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
backend ssh
server ssh 127.0.0.1:22
timeout server 2h
backend http
server nginx unix@/run/shared_sockets/http.pp send-proxy
backend https
server nginx unix@/run/shared_sockets/https.pp send-proxy
backend https_plus
server nginx unix@/run/shared_sockets/https+.pp send-proxy