Manuelle HAProxy Konfiguration: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 7: | Zeile 7: | ||
<pre> | <pre> | ||
global | global | ||
| − | + | log /dev/log local0 | |
| − | + | log /dev/log local1 notice | |
| − | + | chroot /var/lib/haproxy | |
| − | + | stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| − | + | stats timeout 30s | |
| − | + | user haproxy | |
| − | + | group haproxy | |
| − | + | daemon | |
| − | + | ||
| − | + | # Default SSL material locations | |
| − | + | ca-base /etc/ssl/certs | |
| − | + | crt-base /etc/ssl/private | |
| − | + | ||
| − | + | # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate | |
| − | + | ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA | |
| − | + | -AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
| − | + | ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | |
| − | + | ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets | |
| − | + | ||
| − | + | defaults | |
| − | + | log global | |
| − | + | mode http | |
| − | + | option httplog | |
| − | + | option dontlognull | |
| − | + | timeout connect 5000 | |
| − | + | timeout client 50000 | |
| − | + | timeout server 50000 | |
| − | + | errorfile 400 /etc/haproxy/errors/400.http | |
| − | + | errorfile 403 /etc/haproxy/errors/403.http | |
| − | + | errorfile 408 /etc/haproxy/errors/408.http | |
| − | + | errorfile 500 /etc/haproxy/errors/500.http | |
| − | + | errorfile 502 /etc/haproxy/errors/502.http | |
| − | + | errorfile 503 /etc/haproxy/errors/503.http | |
| − | + | errorfile 504 /etc/haproxy/errors/504.http | |
| − | + | ||
| − | + | # Frontend: Public-Service () | |
| − | + | frontend Public-Service | |
| − | + | bind 194.59.156.165:443 name 194.59.156.165:443 ssl crt /etc/haproxy/ssl/schmeich.pem | |
| − | + | mode http | |
| − | + | option http-keep-alive | |
| − | + | option forwardfor | |
| − | + | timeout client 30s | |
| − | + | acl acl_hertha hdr_beg(host) -i hertha | |
| − | + | acl acl_maria hdr_beg(host) -i maria | |
| − | + | use_backend hertha_backend if acl_hertha | |
| − | + | use_backend maria_backend if acl_maria | |
| − | + | ||
| − | + | frontend Public-Service-Http | |
| − | + | bind 194.59.156.165:80 name 194.59.156.165:80 | |
| − | + | mode http | |
| − | + | option http-keep-alive | |
| − | + | option forwardfor | |
| − | + | timeout client 30s | |
| − | + | acl acl_http req.proto_http | |
| − | + | http-request redirect code 301 scheme https if acl_http | |
| − | + | ||
| − | + | backend hertha_backend | |
| − | + | mode http | |
| − | + | balance source | |
| − | + | stick-table type ip size 50k expire 30m | |
| − | + | stick on src | |
| − | + | timeout connect 30s | |
| − | + | timeout server 30s | |
| − | + | http-reuse safe | |
| − | + | #server hertha 10.82.228.11:443 ssl verify none | |
| − | + | server hertha 10.82.228.11:80 | |
| − | + | ||
| + | |||
| + | backend maria_backend | ||
| + | mode http | ||
| + | balance source | ||
| + | stick-table type ip size 50k expire 30m | ||
| + | stick on src | ||
| + | timeout connect 30s | ||
| + | timeout server 30s | ||
| + | http-reuse safe | ||
| + | #server maria 10.82.228.12:443 | ||
</pre> | </pre> | ||
Version vom 6. September 2022, 18:02 Uhr
Domaine
- Letscrypt Wildcard Zertifikate ist vorhanden
- schmeich.de
HTTPS Proxy mit mehren Webservern
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA
-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Frontend: Public-Service ()
frontend Public-Service
bind 194.59.156.165:443 name 194.59.156.165:443 ssl crt /etc/haproxy/ssl/schmeich.pem
mode http
option http-keep-alive
option forwardfor
timeout client 30s
acl acl_hertha hdr_beg(host) -i hertha
acl acl_maria hdr_beg(host) -i maria
use_backend hertha_backend if acl_hertha
use_backend maria_backend if acl_maria
frontend Public-Service-Http
bind 194.59.156.165:80 name 194.59.156.165:80
mode http
option http-keep-alive
option forwardfor
timeout client 30s
acl acl_http req.proto_http
http-request redirect code 301 scheme https if acl_http
backend hertha_backend
mode http
balance source
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-reuse safe
#server hertha 10.82.228.11:443 ssl verify none
server hertha 10.82.228.11:80
backend maria_backend
mode http
balance source
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-reuse safe
#server maria 10.82.228.12:443
pem layout
- cat certificate.crt intermediates.pem private.key > ssl-certs.pem
bind *:443 ssl crt /path/to/cert/ssl-certs.pem
letsencrypt cert
Works a bit differently as seen in https://gridscale.io/community/tutorials/haproxy-ssl/