global
  # maxconn 4096
  # The process-wide connection cap is left commented out, so HAProxy's
  # compiled-in default applies.
  user haproxy
  group haproxy
  daemon
  ca-base /etc/ssl
  crt-base /etc/ssl
  # Admin-level runtime socket. "mode 600" limits it to the socket file's
  # owner; any process that can open it can administer the running proxy
  # (server state, runtime settings), so keep that owner to the router itself.
  stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
  stats timeout 2m
  # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are
  # set here, so the TLS versions and cipher suites accepted by the "ssl"
  # binds further down are whatever this HAProxy build defaults to -- confirm
  # that matches the intended policy for this router.
defaults
  # maxconn 4096
  # No "mode" is set in defaults, so every frontend/backend below that does
  # not declare "mode http" itself runs in HAProxy's default tcp mode.
  # Add x-forwarded-for header.
  # NOTE(review): the comment above has no directive under it; in this
  # listing the only "option forwardfor" is in backend openshift_default.
  timeout connect 5s
  timeout client 30s
  timeout server 30s
  # Long timeout for WebSocket connections.
  timeout tunnel 1h
# Plain-HTTP entry point: no TLS on this listener.
frontend public
  bind :80
  mode http
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP
  # The backend name is built from the client-supplied Host header through
  # the map file. A Host that is not in the map produces a backend name that
  # does not exist, and HAProxy then falls back to default_backend, so an
  # unknown host is never silently routed to another route's backend.
  use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
  default_backend openshift_default
# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
#
# This frontend runs in tcp mode (no "mode" here or in defaults): TLS is not
# terminated at this point, and every routing decision below is made on the
# SNI name from the ClientHello, an unauthenticated, client-chosen value.
frontend public_ssl
  bind :443
  tcp-request inspect-delay 5s
  # Only explicitly accept once a TLS ClientHello has been seen within the
  # inspect delay. Nothing here rejects non-TLS input; what happens to it
  # when the delay expires is HAProxy's default action for inspect-delay
  # expiry -- NOTE(review): confirm that default is the intended behaviour.
  tcp-request content accept if { req_ssl_hello_type 1 }
  # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
  acl sni req.ssl_sni -m found
  acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
  use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
  # if the route is SNI and NOT passthrough enter the termination flow
  use_backend be_sni if { req.ssl_sni -m found }
  # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
  # will not be able to match a cert to an SNI host
  default_backend be_no_sni
##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI host header
# which must exist in the CN of the certificate. Certificates must be concatenated
# as a single file (handled by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
# traffic
##########################################################################
# tcp-mode hop: the still-encrypted byte stream is handed to the loopback
# listener of frontend fe_sni. send-proxy prepends a PROXY-protocol header so
# the original client address survives the loopback hop.
backend be_sni
  server fe_sni 127.0.0.1:10444 weight 1 send-proxy
frontend fe_sni
  # terminate ssl on edge
  #
  # accept-proxy: the client address is taken from the PROXY header sent by
  # whoever connects to 127.0.0.1:10444. That header is trusted from any
  # peer able to reach this loopback port, so the address later seen by
  # "option forwardfor" and logging is only as trustworthy as loopback
  # access is restricted -- keep this port reachable by the router only.
  # crt <directory>: HAProxy picks the certificate matching the SNI name;
  # when none matches it falls back to its default certificate.
  bind 127.0.0.1:10444 ssl crt /var/lib/containers/router/certs accept-proxy
  mode http
  # re-ssl?
  # NOTE(review): routing in frontend public_ssl keyed on the SNI name, but
  # from here on the key is the HTTP Host header. SNI and Host are independent
  # client-supplied values, so the certificate chosen by SNI and the backend
  # chosen by Host need not belong to the same route -- confirm that is
  # acceptable for the backends reachable through these maps.
  acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
  use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
  # regular http
  # A Host absent from the map yields a non-existent backend name, and
  # HAProxy then falls through to default_backend.
  use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
  default_backend openshift_default
##########################################################################
# END TLS SNI
##########################################################################
##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate the encryption
# using our wild card certificate. Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on the edge
#
# tcp-mode hop to the loopback listener of frontend fe_no_sni; send-proxy
# carries the original client address across the hop in a PROXY header.
backend be_no_sni
  server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
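frontend fe_no_sni
  # terminate ssl on edge
  #
  # accept-proxy: the client address comes from the PROXY header sent by
  # whoever connects to 127.0.0.1:10443; it is trusted from any peer that can
  # reach this loopback port, so keep that reachability limited to the router.
  # Only the default (wildcard) certificate is offered here, since without
  # SNI there is nothing to select a per-route certificate by.
  bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy
  # Fix: this frontend previously declared no mode. With no mode in defaults
  # either it ran in tcp mode, where the hdr(host) rules below cannot be
  # evaluated and every request would fall through to default_backend.
  # fe_sni, which uses the same rules, already sets "mode http".
  mode http
  # re-ssl?
  acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
  use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
  # regular http
  # A Host absent from the map yields a non-existent backend name, and
  # HAProxy then falls through to default_backend.
  use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
  default_backend openshift_default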
##########################################################################
# END TLS NO SNI
##########################################################################
# Catch-all backend reached whenever no map lookup produced a usable
# backend name (unknown Host, or no Host at all).
backend openshift_default
  mode http
  # X-Forwarded-For is set from the connection's source address. For requests
  # that came through fe_sni / fe_no_sni that address is the one carried in
  # the PROXY header accepted on loopback, so its trustworthiness depends on
  # who can reach those loopback ports.
  option forwardfor
  #option http-keep-alive
  option http-pretend-keepalive
  server openshift_backend 127.0.0.1:8080