Manuelle HAProxy Konfiguration: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „ =HTTPS Webserver to multiple http Webserver= Simply add the following at the end of /etc/haproxy/haproxy.cfg <pre> frontend ssl_443 bind *:443 ssl crt /path/…“) |
|||
| Zeile 1: | Zeile 1: | ||
| + | =Domaine= | ||
| + | *Letscrypt Wildcard Zertifikate ist vorhanden | ||
| + | *schmeich.de | ||
| − | =HTTPS | + | =HTTPS Proxy mit mehren Webservern= |
| − | |||
<pre> | <pre> | ||
| − | frontend | + | global |
| − | bind | + | 1 log /dev/log local0 |
| − | mode http | + | 2 log /dev/log local1 notice |
| − | http- | + | 3 chroot /var/lib/haproxy |
| − | + | 4 stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| − | option http-server- | + | 5 stats timeout 30s |
| − | + | 6 user haproxy | |
| − | + | 7 group haproxy | |
| − | backend | + | 8 daemon |
| − | mode http | + | 9 |
| − | balance | + | 10 # Default SSL material locations |
| − | server | + | 11 ca-base /etc/ssl/certs |
| − | server | + | 12 crt-base /etc/ssl/private |
| + | 13 | ||
| + | 14 # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate | ||
| + | 15 ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GC M-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | ||
| + | 16 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||
| + | 17 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets | ||
| + | 18 | ||
| + | 19 defaults | ||
| + | 20 log global | ||
| + | 21 mode http | ||
| + | 22 option httplog | ||
| + | 23 option dontlognull | ||
| + | 24 timeout connect 5000 | ||
| + | 25 timeout client 50000 | ||
| + | 26 timeout server 50000 | ||
| + | 27 errorfile 400 /etc/haproxy/errors/400.http | ||
| + | 28 errorfile 403 /etc/haproxy/errors/403.http | ||
| + | 29 errorfile 408 /etc/haproxy/errors/408.http | ||
| + | 30 errorfile 500 /etc/haproxy/errors/500.http | ||
| + | 31 errorfile 502 /etc/haproxy/errors/502.http | ||
| + | 32 errorfile 503 /etc/haproxy/errors/503.http | ||
| + | 33 errorfile 504 /etc/haproxy/errors/504.http | ||
| + | 34 | ||
| + | 35 # Frontend: Public-Service () | ||
| + | 36 frontend Public-Service | ||
| + | 37 bind 194.59.156.165:443 name 194.59.156.165:443 ssl crt /etc/haproxy/ssl/schmeich.pem | ||
| + | 38 mode http | ||
| + | 39 option http-keep-alive | ||
| + | 40 option forwardfor | ||
| + | 41 timeout client 30s | ||
| + | 42 acl acl_hertha hdr_beg(host) -i hertha | ||
| + | 43 acl acl_maria hdr_beg(host) -i maria | ||
| + | 44 use_backend hertha_backend if acl_hertha | ||
| + | 45 use_backend maria_backend if acl_maria | ||
| + | 46 | ||
| + | 47 frontend Public-Service-Http | ||
| + | 48 bind 194.59.156.165:80 name 194.59.156.165:80 | ||
| + | 49 mode http | ||
| + | 50 option http-keep-alive | ||
| + | 51 option forwardfor | ||
| + | 52 timeout client 30s | ||
| + | 17 timeout server 30s | ||
| + | 16 http-reuse safe | ||
| + | 15 #server hertha 10.82.228.11:443 ssl verify none | ||
| + | 14 server hertha 10.82.228.11:80 | ||
| + | 13 | ||
| + | 12 | ||
| + | 11 backend maria_backend | ||
| + | 10 mode http | ||
| + | 9 balance source | ||
| + | 8 stick-table type ip size 50k expire 30m | ||
| + | 7 stick on src | ||
| + | 6 timeout connect 30s | ||
| + | 4 http-reuse safe | ||
| + | 3 #server maria 10.82.228.12:443 ssl verify none | ||
| + | 2 server maria 10.82.228.12:80 | ||
</pre> | </pre> | ||
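Review bot: The new port-80 frontend `Public-Service-Http` (line 47 onward) runs straight into backend-only directives — `timeout server 30s`, `http-reuse safe`, `server hertha 10.82.228.11:80` — with no `backend hertha_backend` header, so the `use_backend hertha_backend` on line 44 has no target and HAProxy refuses `server` and `timeout server` inside a frontend; the line numbers jumping from 52 to 17 suggest lines were lost in the paste. Inserting `backend hertha_backend` ahead of `timeout server 30s` gives a loadable section, but the dropped lines should be recovered from the live haproxy.cfg rather than guessed. The port-80 frontend also has neither `use_backend`/`default_backend` nor a redirect, so plaintext requests end in a 503 instead of being sent to TLS; `http-request redirect scheme https code 301 unless { ssl_fc }` is the usual line here. Line 15's `ECDHE-RSA-AES256-GC M-SHA384` contains a space that splits the cipher list into two arguments — confirm whether that is a wiki rendering artifact or present in the real file. The leading numbers on every line (`1 log …`, `2 log …`) are not valid config syntax either and look like editor-gutter residue that should not be on the page.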
Version vom 6. September 2022, 17:56 Uhr
Domain
- Letsencrypt-Wildcard-Zertifikat ist vorhanden
- schmeich.de
HTTPS-Proxy mit mehreren Webservern
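# HAProxy: one public TLS listener on 194.59.156.165:443 that routes by Host
# header to two internal HTTP servers, plus a plain-HTTP listener on :80.
# The wiki paste carried editor line numbers in front of every directive
# ("1 log …", "2 log …"); HAProxy would reject those as unknown keywords, so
# they are dropped here.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # The cipher list must be a single unbroken argument; the wiki paste had a
    # stray space inside ECDHE-RSA-AES256-GCM-SHA384, which would split it.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Timeouts without a unit are milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend: Public-Service ()
frontend Public-Service
    bind 194.59.156.165:443 name 194.59.156.165:443 ssl crt /etc/haproxy/ssl/schmeich.pem
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
    # Route on the leading part of the Host header (case-insensitive). A request
    # that matches neither ACL gets the 503 error page, as no default_backend is set.
    acl acl_hertha hdr_beg(host) -i hertha
    acl acl_maria hdr_beg(host) -i maria
    use_backend hertha_backend if acl_hertha
    use_backend maria_backend if acl_maria

frontend Public-Service-Http
    bind 194.59.156.165:80 name 194.59.156.165:80
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
    # The original listing had no backend or redirect for plain HTTP, so every
    # request on :80 ended in a 503; send clients to the TLS listener instead.
    http-request redirect scheme https code 301 unless { ssl_fc }

# NOTE(review): the wiki paste lost the lines between the port-80 frontend and
# this backend's "timeout server" (the original numbering jumps from 52 to 17).
# Only the section header is restored here so the file loads; recover the
# missing directives from the live haproxy.cfg rather than guessing them.
backend hertha_backend
    timeout server 30s
    http-reuse safe
    # Traffic to the internal server is plain HTTP; the commented line shows the
    # TLS alternative, but "verify none" would skip certificate validation.
    #server hertha 10.82.228.11:443 ssl verify none
    server hertha 10.82.228.11:80

backend maria_backend
    mode http
    balance source
    # Pin each client IP to the server it first reached.
    stick-table type ip size 50k expire 30m
    stick on src
    timeout connect 30s
    # NOTE(review): one directive of the original (its line "5") is missing here
    # — confirm against the live haproxy.cfg.
    http-reuse safe
    # Plain HTTP to the internal server, as for hertha above.
    #server maria 10.82.228.12:443 ssl verify none
    server maria 10.82.228.12:80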
pem layout
- cat certificate.crt intermediates.pem private.key > ssl-certs.pem
bind *:443 ssl crt /path/to/cert/ssl-certs.pem
letsencrypt cert
Works a bit differently as seen in https://gridscale.io/community/tutorials/haproxy-ssl/