HAProxy config for both TCP and HTTP backends on port 443 (Reverse proxy)
# Process-wide settings: daemonize, TLS defaults for both listening (bind) and
# outgoing (server) sides, DH parameters and logging.
global
daemon
# Cipher/protocol lists below follow the generator referenced here.
# https://ssl-config.mozilla.org
# TLS 1.2 cipher list for listening sockets (ECDHE/DHE with AEAD suites only)
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# TLS 1.3 ciphersuites for listening sockets
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Disable legacy protocol versions; no-tls-tickets disables stateless session
# tickets on the listening side
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Same policy for connections HAProxy opens towards TLS backends
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Pre-generated DH group used by the DHE-* suites above; the file must exist
# at this path for the listed DHE ciphers to be usable
ssl-dh-param-file /usr/local/etc/haproxy/ssl-dhparams.pem
# Log to stdout in raw (non-syslog-framed) format, facility local0
log stdout format raw local0
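# Defaults inherited by every frontend/backend that does not override them.
defaults
# HTTP mode unless a section sets "mode tcp" explicitly
mode http
# Timeouts without a unit are milliseconds
timeout connect 5000
timeout client 50000
timeout server 50000
# Bound the time a client may take to send a complete HTTP request; without
# this a slow client holds a connection for the full "timeout client"
timeout http-request 10s
# Add X-Forwarded-For with the client address (only meaningful for http mode
# sections; the tcp mode sections below pass bytes through untouched)
option forwardfor
# Use the log target declared in the global section
log global
# HTTP-level log lines (method, path, status, timers)
option httplog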
# Runtime DNS for backends that reference service names instead of IPs.
resolvers docker
# 127.0.0.11 is the resolver Docker exposes inside user-defined networks
nameserver dns 127.0.0.11:53
# Public TLS entry point. Operates at the TCP layer so that the TLS handshake
# is not terminated here; routing is decided purely from the SNI in the
# ClientHello, which lets some hosts keep end-to-end TLS to their origin.
frontend tcp_in
bind :::443 v4v6 # Bind to 443 on all addresses
mode tcp # Pass through mode
option clitcpka # Enable TCP keep alive packets on the client
# SNI Inspection
# Buffer up to 5s of initial client data so the ClientHello can be examined
tcp-request inspect-delay 5s
# Stop waiting as soon as a TLS ClientHello (hello type 1) has arrived
tcp-request content accept if { req_ssl_hello_type 1 }
# Match TCP backends
# SNI is matched case-insensitively (-i); these hosts are forwarded as raw TLS
use_backend rds_tcp if { req_ssl_sni -i rds.contoso.com }
use_backend mail_tcp if { req_ssl_sni -i mail.contoso.com autodiscover.contoso.com }
# Everything else
# Any other SNI (or no SNI) goes to the local TLS-terminating frontend
default_backend bk_tcp_to_https
# Microsoft Remote desktop gateway
# Raw TLS pass-through; the gateway presents its own certificate and HAProxy
# never sees the plaintext.
backend rds_tcp
mode tcp
option srvtcpka # Enable TCP keepalive packets on the server side
server dc1 10.2.10.8:443
# Microsoft Exchange Server
# Raw TLS pass-through for mail and autodiscover; certificate handling stays
# on the Exchange host.
backend mail_tcp
mode tcp
option srvtcpka # Enable TCP keepalive packets on the server side
server mail 10.2.10.3:443
# send-proxy and accept-proxy to forward real source IP info
# Hairpin from the TCP frontend into the local HTTPS frontend. Because tcp_in
# does not terminate TLS, the client's address would otherwise be lost across
# this loopback hop; PROXY protocol v2 carries it through.
backend bk_tcp_to_https
mode tcp
# "check" health-checks the local listener; send-proxy-v2 prepends the PROXY
# v2 header that the https_in bind (accept-proxy) expects
server haproxy-https 127.0.0.1:8443 check send-proxy-v2
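# Terminate SSL at HAProxy (requires certificates)
# This frontend is only meant to be reached via bk_tcp_to_https (127.0.0.1:8443).
# It is bound to loopback rather than *:8443: with accept-proxy, any peer that
# can reach the socket directly could send a forged PROXY header and have that
# address treated as the client source (logs, X-Forwarded-For). Restricting the
# bind to 127.0.0.1 leaves only the local tcp_in hop as a trusted PROXY sender.
frontend https_in
bind 127.0.0.1:8443 ssl crt /etc/letsencrypt/haproxy accept-proxy alpn h2,http/1.1
# Tell backends the original scheme was https (they see plain HTTP)
http-request set-header X-Forwarded-Proto https
# Match HTTP backends
# Route by Host header, case-insensitively; each hostname maps to its own
# backend (the container2 rule previously matched container1's hostname,
# so container2 was unreachable). No default_backend: unmatched hosts get 503.
use_backend container1 if { hdr(host) -i container1.contoso.com }
use_backend container2 if { hdr(host) -i container2.contoso.com }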
# Plain HTTP to a Docker service, resolved by name at runtime.
backend container1
# init-addr none: do not require the name to resolve at startup; "resolvers
# docker" resolves and re-resolves it via the section declared above
server container1 service.network1_default:3000 check init-addr none resolvers docker
# Plain HTTP to a second Docker service on another network, resolved at runtime.
backend container2
# Same startup-tolerant resolution as container1
server container2 service.network2_default:9000 check init-addr none resolvers docker
# Plain HTTP entry point. Its only jobs are the HTTPS redirect and serving
# ACME HTTP-01 challenges for every hostname, including the TLS pass-through
# ones whose port 443 never reaches an HTTP-aware listener.
frontend http_in
bind :::80 v4v6
# True for ACME HTTP-01 challenge requests
acl letsencrypt path_beg /.well-known/acme-challenge/
# Redirect everything to HTTPS, except for Letsencrypt
redirect scheme https code 301 if !letsencrypt
# Allow the TCP backends to also use Letsencrypt paths over HTTP
# Conditions listed side by side are ANDed: host match AND challenge path.
# Rules are evaluated in order, so the host-specific ones come first.
use_backend rds_http if { hdr(host) -i rds.contoso.com } letsencrypt
use_backend mail_http if { hdr(host) -i mail.contoso.com autodiscover.contoso.com } letsencrypt
# Remaining challenge requests go to the local certbot container
use_backend letsencrypt if letsencrypt
# Port 80 on the RDS host, used only for its own ACME challenge responses
backend rds_http
server dc1 10.2.10.8:80
# Port 80 on the Exchange host, used only for its own ACME challenge responses
backend mail_http
server mail 10.2.10.3:80
# Certbot container answering challenges for the hostnames HAProxy terminates
backend letsencrypt
server certbot 172.16.238.10:80