Untitled

a guest
Jan 30th, 2015
global
# maxconn 4096
# NOTE(review): maxconn is commented out, so the process runs with the
# compiled-in default connection limit; confirm the intended cap before use.
user haproxy
group haproxy
daemon
# Base directories used to resolve relative ca-file / crt paths.
ca-base /etc/ssl
crt-base /etc/ssl
# Runtime API socket. 'level admin' exposes every runtime command (including
# enabling/disabling servers), so the mode 600 permission is what restricts it
# to the socket's owning user; do not widen it.
stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
stats timeout 2m
  10.  
defaults
# maxconn 4096
# Add x-forwarded-for header.
# NOTE(review): the comment above has no directive under it; 'option forwardfor'
# only appears on backend openshift_default in this file. The generated
# be_http_/be_secure_ backends are not shown here, so verify they add
# X-Forwarded-For themselves.
# No 'mode' is set here, so any section that does not declare one runs in tcp mode.
timeout connect 5s
timeout client 30s
timeout server 30s
# NOTE(review): there is no 'timeout http-request'. 'timeout client' is an
# inactivity timeout and is reset by every byte, so a client trickling request
# headers can hold a connection open well past 30s; a short http-request timeout
# is the usual mitigation.
# Long timeout for WebSocket connections.
timeout tunnel 1h
  19.  
# Plain HTTP entry point. Routes purely on the Host header.
frontend public
bind :80
mode http
# Wait up to 5s for request content so the HTTP ACL below can be evaluated.
# NOTE(review): content that never looks like HTTP is still accepted once the
# delay expires (HAProxy's default when no rule matches); add an explicit
# 'tcp-request content reject' if such traffic should be dropped early — confirm.
tcp-request inspect-delay 5s
tcp-request content accept if HTTP

# Route on the Host header via the generated host -> backend map. 'if TRUE' makes
# the rule unconditional. When the host has no map entry the converter yields an
# empty string, the name 'be_http_' resolves to no backend, HAProxy treats that as
# no match and the request falls through to default_backend.
# NOTE(review): Host is client-supplied and may carry a ':port' suffix, which
# would miss the map; normalize it before the lookup if that matters here.
use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
default_backend openshift_default
  28.  
# public_ssl accepts every connection on :443 without inspecting certificates.
# The certificate to present is chosen by the next backend in the chain, which is
# either an application backend (passthrough termination) or a backend that
# terminates TLS in this router (edge).
frontend public_ssl
bind :443
# tcp mode (no 'mode http' here and none in defaults): this frontend only peeks
# at the plaintext TLS ClientHello to read the SNI; nothing is decrypted here.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# NOTE(review): if no ClientHello arrives before the 5s inspect delay expires,
# HAProxy's default is to accept the connection anyway, so non-TLS clients still
# reach default_backend (where the handshake then fails). Add an explicit
# 'tcp-request content reject' after the accept rule to drop them early — confirm.

# If the connection carries SNI and the route is passthrough, skip the termination
# backend and hand the raw TCP stream to the app backend. The SNI value is
# client-supplied plaintext; it only selects a backend, it authenticates nothing.
acl sni req.ssl_sni -m found
acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough

# If the route has SNI and is NOT passthrough, enter the termination flow.
use_backend be_sni if { req.ssl_sni -m found }

# Non-SNI requests go to a default termination backend rather than the custom-cert
# SNI backend, since the latter cannot pick a certificate without an SNI host.
default_backend be_no_sni
  48.  
##########################################################################
# TLS SNI
#
# When the client sends SNI we can terminate TLS with custom certificates.
# Certs are stored in a directory and matched against the SNI host name, which
# must appear in the certificate's CN or subjectAltName. Each certificate must be
# a single concatenated PEM bundle (private key plus certificate chain; handled
# by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and either re-encrypt or pass along the
# now-unencrypted traffic.
##########################################################################
# Loopback hop into fe_sni. send-proxy prepends a PROXY protocol header so the
# original client address survives the hop (fe_sni binds with accept-proxy).
backend be_sni
server fe_sni 127.0.0.1:10444 weight 1 send-proxy
  62.  
  63. frontend fe_sni
  64. # terminate ssl on edge
  65. bind 127.0.0.1:10444 ssl crt /var/lib/containers/router/certs accept-proxy
  66. mode http
  67.  
  68. # re-ssl?
  69. acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
  70. use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
  71.  
  72. # regular http
  73. use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
  74.  
  75. default_backend openshift_default
  76.  
  77. ##########################################################################
  78. # END TLS SNI
  79. ##########################################################################
  80.  
##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can do is terminate the encryption
# using our wildcard certificate. Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends.
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on the edge.
# Loopback hop into fe_no_sni; send-proxy carries the original client address
# across the hop (fe_no_sni binds with accept-proxy).
backend be_no_sni
server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
  91.  
  92. frontend fe_no_sni
  93. # terminate ssl on edge
  94. bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy
  95.  
  96. # re-ssl?
  97. acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
  98. use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
  99.  
  100. # regular http
  101. use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
  102.  
  103. default_backend openshift_default
  104.  
  105. ##########################################################################
  106. # END TLS NO SNI
  107. ##########################################################################
  108.  
# Fallback backend used by every frontend above when no host map entry matched.
backend openshift_default
mode http
# Appends the client address as X-Forwarded-For. HAProxy appends rather than
# replaces, so any X-Forwarded-For the client supplied is preserved ahead of it;
# the upstream must trust only the last entry, or client-supplied values should
# be stripped before this option runs.
option forwardfor
#option http-keep-alive
# NOTE(review): http-pretend-keepalive only takes effect together with a
# server-close mode (http-server-close / forceclose), neither of which appears
# in this file — confirm it is doing anything here.
option http-pretend-keepalive
# NOTE(review): no 'check' on the server, so an unresponsive 127.0.0.1:8080 is
# never marked down.
server openshift_backend 127.0.0.1:8080