
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
global
# Diffie-Hellman parameter size used for DHE cipher suites
tune.ssl.default-dh-param 2048
# Cipher list and TLS options come from Ansible variables and are applied
# both to listening sockets ("bind ... ssl") and to outgoing TLS server
# connections. No "server" line in this file uses "ssl", so the two
# server-side defaults are currently unused. Whether legacy protocol
# versions are disabled depends entirely on what {{tls_options}} expands
# to — verify the variable, not this file.
ssl-default-bind-ciphers {{tls_ciphers}}
ssl-default-bind-options {{tls_options}}
ssl-default-server-ciphers {{tls_ciphers}}
ssl-default-server-options {{tls_options}}
# Syslog over the local socket, facility local0, messages of severity
# info or higher
log /dev/log local0 info
pidfile /run/haproxy.pid
# NOTE(review): there is no user/group/chroot directive in this section, so
# the privileges the process keeps after binding :80/:443/:444/:993 depend
# on how the service is launched — confirm the unit or init script starts
# haproxy as an unprivileged account.
daemon
defaults
# Every frontend/backend below is layer-4 (TCP). TLS is terminated on the
# bind lines that carry "ssl", but the decrypted payload is never parsed as
# HTTP by haproxy; it is passed through to the backends unchanged.
mode tcp
timeout connect 5s
timeout client 5m
timeout server 5m
# In TCP mode the tunnel timeout replaces the client and server timeouts
# once data has flowed in both directions, so an idle established session
# (IMAP, SSH) is cut after 1h regardless of a larger per-backend
# "timeout server".
timeout tunnel 1h
# How long to wait for the other side to close after a half-close
timeout client-fin 5s
timeout server-fin 5s
log global
# Emit the log line early rather than at session end; the byte and total
# time counters in the format below are then partial (haproxy marks them
# with a '+' prefix).
option logasap
# Sessions that did not complete normally are logged at a separate
# (error) severity, which makes them easy to filter or alert on.
option log-separate-errors
# %ci:%cp client address/port, %t accept time, %ft frontend, %b backend with
# %bi:%bp the local address used towards it, %s server, %Tw/%Tc/%Tt timers,
# %B bytes, %ts termination state, %ac..%rc connection/retry counters,
# %sq/%bq queues. For backends that do not forward the client address
# (see backend ssh), %ci here is the only record of who connected.
log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
# IMAP over TLS: the TLS session is terminated here with the shared
# certificate and the cleartext IMAP stream is handed to backend imap.
frontend imaps
bind :993 ssl crt /etc/haproxy/tls.pem
default_backend imap
backend imap
# Cleartext hop (no "ssl" on the server line) to dovecot on a non-standard
# port — presumably inside the trusted zone, judging by the SafeZone_IP
# name; confirm. send-proxy-v2 prepends a PROXY protocol v2 header so
# dovecot can see the real client address, which means that port must be
# configured on the dovecot side to expect PROXY headers from this host,
# otherwise every connection is rejected.
server dovecot {{SafeZone_IP}}:220 send-proxy-v2
# Plain HTTP on :80, relayed unchanged to nginx. Whether these requests are
# redirected to HTTPS is decided in nginx, not here.
frontend text
bind :80
default_backend http
# Single TLS listener on :443 that multiplexes HTTPS and SSH-inside-TLS.
# TLS is terminated here, so the ACLs below inspect the decrypted payload;
# the SSH name is selected via SNI.
frontend tls
bind :443 ssl crt /etc/haproxy/tls.pem
# Buffer client data for up to 2s before the routing decision is taken
# (unless a "tcp-request content accept" rule fires earlier).
tcp-request inspect-delay 2s
# check SNI for the SSH domain
acl SNI ssl_fc_sni -i {{net_subdom_ssh}}.{{net_soa}}
# client-first SSH: wait for SSH-2.0
# (5353482d322e30 is the ASCII string "SSH-2.0" in hex; matched on the
# first 7 bytes of the decrypted payload)
acl cSSH req.payload(0,7) -m bin 5353482d322e30
# server-first SSH: https://314es.pl/https-openvpn-and-ssh-on-one-port-thanks-to-haproxy
# (nothing received within the inspect delay, which is how an SSH client
# waiting for the server banner behaves)
acl sSSH req.len eq 0
# Stop waiting as soon as the payload identifies itself. HTTP is haproxy's
# built-in ACL matching the start of an HTTP request.
tcp-request content accept if HTTP
tcp-request content accept if cSSH
# SSH is chosen only when the SNI matches the SSH name, whichever
# detection method fired. The third rule appears to subsume the first two
# (an SSH banner or an empty buffer is not HTTP). SNI is client-supplied,
# so this is routing, not access control — sshd still authenticates.
use_backend ssh if SNI cSSH
use_backend ssh if SNI sSSH
use_backend ssh if SNI !HTTP
# Everything else, including HTTP sent under the SSH SNI, goes to nginx.
default_backend https
# Second TLS listener on :444 with the same certificate, routed to a
# separate nginx socket; what distinguishes "plus" from the :443 service is
# decided on the nginx side — not visible from this file.
frontend tls_plus
bind :444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
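backend ssh
# sshd on loopback. There is no send-proxy here, so sshd — and anything on
# the host that keys on the peer address, such as per-IP rate limiting —
# sees 127.0.0.1 for every session; the real client address is only in the
# haproxy log (%ci in the defaults log-format).
server ssh 127.0.0.1:22
# In TCP mode "timeout tunnel" (1h in defaults) replaces the client/server
# timeouts once the session is established, so the larger server timeout
# alone does not keep an idle SSH session alive. Raise the tunnel timeout
# to the same value so both agree.
timeout server 2h
timeout tunnel 2h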
backend http
# nginx over a shared unix socket; send-proxy (PROXY protocol v1) carries the
# client address, so the nginx listener on this socket must be configured
# to expect the PROXY header. The ".pp" suffix is presumably a naming
# convention for proxy-protocol sockets — confirm in the nginx role.
server nginx unix@/run/shared_sockets/http.pp send-proxy
backend https
# Decrypted :443 traffic to nginx over a unix socket, with a PROXY v1 header
# so nginx sees the real client address; nginx must expect PROXY protocol on
# this socket. nginx cannot tell from the socket alone that the original
# connection was TLS — if it needs that, it has to be told out of band.
server nginx unix@/run/shared_sockets/https.pp send-proxy
backend https_plus
# Decrypted :444 traffic, same mechanism as backend https but on a separate
# socket so nginx can apply a different server block to it.
server nginx unix@/run/shared_sockets/https+.pp send-proxy