home-server/roles/dmz_haproxy/templates/haproxy.conf.j2


# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Process-wide settings. The TLS cipher list and TLS options are not fixed
# here: they are rendered from the tls_ciphers / tls_options Ansible
# variables, so the effective TLS policy (protocol versions, cipher order)
# is defined wherever those variables are set.
global
# DH parameters used for DHE key exchange when the certificate file carries
# none of its own.
tune.ssl.default-dh-param 2048
# Same cipher/option policy on the listening (bind) side ...
ssl-default-bind-ciphers {{tls_ciphers}}
ssl-default-bind-options {{tls_options}}
# ... and on the outgoing (server) side, even though no server line below
# currently uses "ssl".
ssl-default-server-ciphers {{tls_ciphers}}
ssl-default-server-options {{tls_options}}
# Syslog through /dev/log, facility local0, at "info" level; the "defaults"
# section below sends all proxies to this target via "log global".
log /dev/log local0 info
pidfile /run/haproxy.pid
# NOTE(review): no user/group/chroot directives here; presumably privileges
# are dropped by the service unit that starts haproxy — confirm.
daemon
# Inherited by every frontend/backend below. Everything runs in TCP mode:
# even the HTTP(S) frontends are plain L4 pass-through to nginx, so no HTTP
# processing (headers, rewrites) happens in haproxy.
defaults
mode tcp
timeout connect 5s
timeout client 5m
timeout server 5m
# In TCP mode, once content inspection is over the connection is treated as
# a tunnel and this timeout supersedes "timeout client"/"timeout server".
timeout tunnel 1h
timeout client-fin 5s
timeout server-fin 5s
log global
# Emit the log line as soon as the server connection is established rather
# than at close, so byte counts and total timers in the line are partial.
option logasap
# Connections ending in error are logged at "err" instead of "info", which
# makes them easy to separate on the syslog side.
option log-separate-errors
# Per-connection line: client ip:port, accept time, frontend, backend with
# its source address, server, timers (queue/connect/total), bytes, termination
# state, concurrent connection counters, and queue positions. %ci:%cp is the
# only place the real client address is recorded for backends that do not
# receive the PROXY protocol (see backend ssh).
log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
# IMAPS entry point: TLS is terminated here with /etc/haproxy/tls.pem on
# IPv4 and IPv6; the decrypted stream goes to the "imap" backend.
frontend imaps
bind :993 ssl crt /etc/haproxy/tls.pem
bind :::993 ssl crt /etc/haproxy/tls.pem
default_backend imap
# Dovecot in the safe zone, reached on the non-standard port 220. The server
# line has no "ssl", so this DMZ -> safe-zone hop is plaintext IMAP; it
# relies on that network path being trusted. "send-proxy-v2" prepends a
# PROXY protocol v2 header so dovecot sees the original client address;
# dovecot has to be configured to accept PROXY v2 from this host
# (presumably haproxy_trusted_networks) — verify on the dovecot side.
backend imap
server dovecot {{SafeZone_IP}}:220 send-proxy-v2
# Plain HTTP on port 80 (IPv4 and IPv6), no inspection, straight to nginx
# through the "http" backend.
frontend text
bind :80
bind :::80
default_backend http
# Port 443: TLS is terminated here, then the decrypted stream is either
# handed to nginx (default) or, only when the client presented the SSH
# hostname as SNI, to the local sshd. Because TLS is terminated, the ACLs
# below look at the *decrypted* payload.
frontend tls
bind :443 ssl crt /etc/haproxy/tls.pem
bind :::443 ssl crt /etc/haproxy/tls.pem
# Buffer up to 2s of client data before deciding; the "accept" rules below
# cut this short as soon as a decision is possible.
tcp-request inspect-delay 2s
# check SNI for the SSH domain — every ssh rule requires this ACL, so other
# hostnames can never reach the ssh backend
acl SNI ssl_fc_sni -i {{net_subdom_ssh}}.{{net_soa}}
# client-first SSH: wait for SSH-2.0 (first 7 bytes, hex-encoded)
acl cSSH req.payload(0,7) -m bin 5353482d322e30
# server-first SSH: https://314es.pl/https-openvpn-and-ssh-on-one-port-thanks-to-haproxy
# Matches when nothing arrived during the inspect delay; with the SSH SNI
# this means any silent connection is routed to sshd.
acl sSSH req.len eq 0
# "HTTP" is the predefined ACL for "buffer holds a valid HTTP request".
# Decide immediately for HTTP and client-first SSH instead of waiting 2s.
tcp-request content accept if HTTP
tcp-request content accept if cSSH
# Evaluated in order; the last rule catches anything non-HTTP on the SSH SNI.
use_backend ssh if SNI cSSH
use_backend ssh if SNI sSSH
use_backend ssh if SNI !HTTP
default_backend https
# Port 444: same TLS termination as port 443 but without the SSH
# demultiplexing; everything goes to the "https_plus" nginx socket.
frontend tls_plus
bind :444 ssl crt /etc/haproxy/tls.pem
bind :::444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
# Local sshd. No PROXY protocol here, so sshd only ever sees 127.0.0.1 as
# the peer: the real client address exists only in the haproxy log line
# (%ci:%cp in the defaults log-format). Any per-IP reaction on the sshd
# side (rate limiting, ban lists) has to be driven from that log instead.
backend ssh
server ssh 127.0.0.1:22
# NOTE(review): in TCP mode the tunnel timeout (1h, from defaults) supersedes
# "timeout server" once inspection is over, so this 2h value may not take
# effect; "timeout tunnel 2h" is likely what is intended — confirm against
# the haproxy documentation before changing.
timeout server 2h
# nginx over a shared unix socket; "send-proxy" prepends a PROXY protocol v1
# header so nginx can recover the client address. The nginx listener on this
# socket is presumably declared with proxy_protocol — verify there.
backend http
server nginx unix@/run/shared_sockets/http.pp send-proxy
# nginx socket for TLS-terminated port-443 traffic (already decrypted here),
# with a PROXY protocol v1 header carrying the client address.
backend https
server nginx unix@/run/shared_sockets/https.pp send-proxy
# nginx socket for TLS-terminated port-444 traffic, PROXY protocol v1 as
# for the other nginx backends.
backend https_plus
server nginx unix@/run/shared_sockets/https+.pp send-proxy