Manuelle HAProxy Konfiguration

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen

Domaine

  • Letscrypt Wildcard Zertifikate ist vorhanden
  • schmeich.de


HTTPS Proxy mit mehren Webservern

global
	log /dev/log	local0 
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA
-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

# Frontend: Public-Service ()
frontend Public-Service
    bind 194.59.156.165:443 name 194.59.156.165:443 ssl  crt /etc/haproxy/ssl/schmeich.pem
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
    acl acl_hertha hdr_beg(host)  -i hertha
    acl acl_maria hdr_beg(host)  -i maria
    use_backend hertha_backend if acl_hertha
    use_backend maria_backend  if acl_maria

frontend Public-Service-Http
    bind 194.59.156.165:80 name 194.59.156.165:80
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s
   acl acl_http req.proto_http
    http-request redirect code 301 scheme https if acl_http

backend hertha_backend
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    #server hertha 10.82.228.11:443 ssl verify none
    server hertha 10.82.228.11:80


backend maria_backend
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    #server maria 10.82.228.12:443

pem layout

  • cat certificate.crt intermediates.pem private.key > ssl-certs.pem

bind *:443 ssl crt /path/to/cert/ssl-certs.pem

letsencrypt cert

Works a bit differently as seen in https://gridscale.io/community/tutorials/haproxy-ssl/

sources

Abgerufen von „http://wiki.ixheim.de/index.php?title=Manuelle_HAProxy_Konfiguration&oldid=34667