# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information is in the LICENSE file, or at gnu.org/licenses/gpl-3.0.txt if that file is missing.
global
# Process model: detach from the terminal and record the PID so the service
# manager can track and signal the daemon.
daemon
pidfile /run/haproxy.pid
# Ship logs through the local syslog socket, facility local0, level info.
log /dev/log local0 info
# One TLS policy for every `ssl` bind and server line in this file: the
# cipher list and the protocol/option set both come from the same two Ansible
# variables, so client-facing and backend-facing TLS cannot drift apart.
# (No `server ... ssl` line is present below yet, so the server-side pair is
# currently dormant but ready.)
ssl-default-bind-ciphers {{tls_ciphers}}
ssl-default-bind-options {{tls_options}}
ssl-default-server-ciphers {{tls_ciphers}}
ssl-default-server-options {{tls_options}}
# Size of the ephemeral DH group used for DHE key exchange when the
# certificate file carries no DH parameters of its own; 2048 bits is the
# accepted minimum.
tune.ssl.default-dh-param 2048
# NOTE(review): there is no `user`/`group` (nor `chroot`) directive, so the
# daemon keeps root after binding :80/:443/:444/:993 and any HAProxy bug runs
# as root. Dropping to a dedicated account is the usual hardening; confirm
# first that the account exists on the target host and can connect to the
# nginx sockets under /run/shared_sockets before adding it.
defaults
# Logging: inherit the global syslog target, emit the line as soon as the
# server connection is established (so byte counts and total time are
# partial, but nothing is lost if a long session never closes cleanly), and
# send lines for errored sessions at a separate, higher severity so they can
# be filtered on their own.
log global
option logasap
option log-separate-errors
# TCP-level format: client ip:port, accept time, frontend, backend[ip:port]/server,
# queue/connect/total timers, bytes, termination state, the five concurrency
# counters and the two queue positions.
log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
# Every proxy here is a raw TCP relay: TLS is terminated, but nothing at the
# HTTP layer is inspected or rewritten, and the original client address is
# only conveyed to backends that receive a PROXY-protocol header.
mode tcp
# Time allowed to reach a backend server.
timeout connect 5s
# Inactivity limits while an analyser is still attached to the connection.
timeout client 5m
timeout server 5m
# Once the connection is a plain bidirectional tunnel (the normal state in
# tcp mode) this idle limit supersedes the two above.
timeout tunnel 1h
# Grace period for the half-closed state after one side sends FIN.
timeout client-fin 5s
timeout server-fin 5s
frontend imaps
# IMAPS entry point. TLS is terminated here with the shared certificate+key
# bundle; the cipher/option policy comes from the global ssl-default-bind-*
# lines. The bundle includes the private key, so /etc/haproxy/tls.pem must
# stay readable only by the HAProxy process (presumably 0600 — confirm in
# the Ansible task that deploys it).
bind :993 ssl crt /etc/haproxy/tls.pem
# Decrypted IMAP is handed to Dovecot unconditionally; no content inspection.
default_backend imap
backend imap
# Plaintext IMAP (TLS already stripped by frontend imaps) to Dovecot on the
# SafeZone network, port 220, prefixed with a PROXY protocol v2 header so
# Dovecot logs and rate-limits the real client address rather than this host.
# NOTE(review): a PROXY header is trusted blindly by the receiver. Dovecot
# must accept it on port 220 only from this proxy's address (its
# haproxy_trusted_networks / haproxy_ports settings — not visible here);
# otherwise any host that can reach SafeZone_IP:220 can forge client
# addresses. No `check` is set, so a down Dovecot is only noticed per
# connection.
server dovecot {{SafeZone_IP}}:220 send-proxy-v2
frontend text
# Plain HTTP on port 80, relayed as-is (mode tcp) to nginx. Any redirect to
# HTTPS has to happen in nginx; nothing here enforces it.
bind :80
default_backend http
frontend tls
# Public HTTPS entry point that also carries SSH-over-TLS on the same port.
# TLS is terminated here with the shared certificate, so every rule below
# looks at the *decrypted* first bytes of the stream.
bind :443 ssl crt /etc/haproxy/tls.pem

# Hold the connection for up to 2s while the content rules decide; when the
# delay expires without an explicit decision the connection is accepted and
# the use_backend rules run with whatever (possibly nothing) has arrived.
tcp-request inspect-delay 2s
# check SNI for the SSH domain: the hostname in the TLS ClientHello must be
# the SSH subdomain for any ssh route below to apply. Everything else is
# always web traffic.
acl SNI ssl_fc_sni -i {{net_subdom_ssh}}.{{net_soa}}
# client-first SSH: the first 7 decrypted bytes are the literal "SSH-2.0"
# (hex 53 53 48 2d 32 2e 30) — the client sent its banner without waiting.
acl cSSH req.payload(0,7) -m bin 5353482d322e30
# server-first SSH: a client that waits for the server's banner has sent
# nothing by the time the inspect delay runs out, so the buffer is empty.
# Technique: https://314es.pl/https-openvpn-and-ssh-on-one-port-thanks-to-haproxy
acl sSSH req.len eq 0

# Stop waiting as soon as the payload is recognisable. `HTTP` is HAProxy's
# predefined ACL (req.proto_http) for a well-formed HTTP request start.
tcp-request content accept if HTTP
tcp-request content accept if cSSH

# Send to sshd only when the SNI matches AND the payload is not HTTP: an SSH
# banner, an empty buffer after the delay, or any other non-HTTP bytes. The
# third rule subsumes the first two; they are kept to name each case.
use_backend ssh if SNI cSSH
use_backend ssh if SNI sSSH
use_backend ssh if SNI !HTTP
# Everything else — including HTTP sent under the SSH hostname — goes to nginx.
default_backend https
# NOTE(review): the SNI gate hides sshd from casual scans but does not
# authenticate anything: the hostname is public (DNS, certificate SAN), so
# anyone presenting it gets a TCP session to sshd. Protection rests on sshd's
# own configuration, which this file cannot influence.
frontend tls_plus
# Second HTTPS listener on the non-standard port 444, terminated with the
# same certificate and fed to a separate nginx socket. What nginx serves on
# that socket (and whether it is meant to be less exposed than :443) is not
# visible here — the "+" naming only suggests an extended service.
bind :444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
backend ssh
# Local sshd. No send-proxy here (presumably because OpenSSH does not speak
# the PROXY protocol), so sshd and anything keyed on source address — Match
# Address blocks, fail2ban, per-source MaxStartups — sees 127.0.0.1 for every
# tunnelled session. Only the HAProxy log line (%ci:%cp) records the real
# client; correlate on it when investigating.
server ssh 127.0.0.1:22
# Raise the server-side inactivity limit from the 5m default for long-lived
# shells.
timeout server 2h
backend http
# nginx over a shared Unix socket, with a PROXY protocol v1 header carrying
# the client address. nginx must enable `proxy_protocol` on this listener and
# trust only this path for the real IP. Because the header is trusted as-is,
# /run/shared_sockets must be writable/connectable only by HAProxy and nginx;
# any other local process able to connect could forge client addresses.
server nginx unix@/run/shared_sockets/http.pp send-proxy
backend https
# Decrypted :443 web traffic to nginx over a shared Unix socket with a
# PROXY protocol v1 header. Same trust caveat as any send-proxy target: the
# socket directory's permissions are the only thing preventing a local
# process from connecting and forging client addresses.
server nginx unix@/run/shared_sockets/https.pp send-proxy
backend https_plus
# Decrypted :444 web traffic to a separate nginx socket, PROXY protocol v1.
# Same socket-permission trust caveat as the other send-proxy backends.
server nginx unix@/run/shared_sockets/https+.pp send-proxy