pages-server/haproxy-sni/haproxy.cfg
Moritz Marquardt 76e5d8e77c
Add TODOs
2021-12-05 14:48:37 +01:00

100 lines
4.0 KiB
INI

#####################################
## Global Configuration & Defaults ##
#####################################
global
log stderr format iso local7
# generated 2021-06-05, Mozilla Guideline v5.6, HAProxy 2.1, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1d&guideline=5.6
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl-dh-param-file /etc/ssl/dhparam.pem
defaults
log global
timeout connect 30000
timeout check 300000
timeout client 300000
timeout server 300000
############################################################################
## Frontends: HTTP; HTTPS → HTTPS SNI-based; HTTPS → HTTP(S) header-based ##
############################################################################
frontend http_redirect_frontend
# HTTP backend to redirect everything to HTTPS
bind :::80 v4v6
mode http
http-request redirect scheme https
frontend https_sni_frontend
# TCP backend to forward to HTTPS backends based on SNI
bind :::443 v4v6
mode tcp
# Wait up to 5s for a SNI header & only accept TLS connections
tcp-request inspect-delay 5s
tcp-request content capture req.ssl_sni len 255
log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
tcp-request content accept if { req.ssl_hello_type 1 }
###################################################
## Rules: forward to HTTPS(S) header-based rules ##
###################################################
acl use_http_backend req.ssl_sni -i "codeberg.org"
acl use_http_backend req.ssl_sni -i "join.codeberg.org"
# TODO: use this if no SNI exists
use_backend https_termination_backend if use_http_backend
############################
## Rules: HTTPS SNI-based ##
############################
# use_backend xyz_backend if { req.ssl_sni -i "xyz" }
default_backend pages_backend
frontend https_termination_frontend
# Terminate TLS for HTTP backends
bind /tmp/haproxy-tls-termination.sock accept-proxy ssl strict-sni alpn h2,http/1.1 crt /etc/ssl/private/haproxy/
mode http
# HSTS (63072000 seconds)
http-response set-header Strict-Transport-Security max-age=63072000
http-request capture req.hdr(Host) len 255
log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
##################################
## Rules: HTTPS(S) header-based ##
##################################
use_backend gitea_backend if { hdr(host) -i codeberg.org }
backend https_termination_backend
# Redirect to the terminating HTTPS frontend for all HTTP backends
server https_termination_server /tmp/haproxy-tls-termination.sock send-proxy-v2-ssl-cn
mode tcp
###############################
## Backends: HTTPS SNI-based ##
###############################
backend pages_backend
# Pages server is a HTTP backend that uses its own certificates for custom domains
server pages_server pages:443
mode tcp
####################################
## Backends: HTTP(S) header-based ##
####################################
backend gitea_backend
server gitea_server gitea:80
mode http