  global
      log /dev/log    local0
      log /dev/log    local1 notice
      # Process runs chrooted as the unprivileged haproxy user/group once
      # started; certificate, DH-parameter and error files referenced in this
      # file are loaded before the chroot, so they can live outside it.
      chroot /var/lib/haproxy
      # Runtime API socket at 'admin' level: anyone who can open it can change
      # server state, weights and maps at runtime. Access is limited only by
      # the 0660 mode and the haproxy user/group. 'expose-fd listeners' lets a
      # reloading process inherit the listening sockets (seamless reload).
      stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
      stats timeout 30s
      user haproxy
      group haproxy
      daemon

      # Default SSL material locations
      ca-base /etc/ssl/certs
      crt-base /etc/ssl/private

      # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
      # Client-facing (bind) TLS policy: forward-secret AEAD suites only,
      # TLS 1.2/1.3 only, session tickets disabled.
      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      # Backend-facing (server ... ssl) TLS policy. NOTE(review): this list is
      # wider than the bind list above (it also admits non-forward-secret RSA
      # key exchange and CBC suites) and the options still allow TLS 1.1,
      # unlike the bind options. No server line in this file uses 'ssl', so
      # these defaults are currently unused; tighten them before adding a TLS
      # backend.
      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!aNULL:!MD5:!DSS
      ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets

      # Operator-supplied DH parameters for the DHE suites; the tune value is
      # the size of the built-in fallback parameters (see the HAProxy docs for
      # which source wins when a certificate file carries its own).
      ssl-dh-param-file /etc/haproxy/dhparam.pem
      tune.ssl.default-dh-param 2048
      # Process-wide ceiling on concurrent connections.
      maxconn 2048

  defaults
      # Settings inherited by every frontend/backend below unless overridden
      # (the TLS pass-through frontend switches itself to tcp mode).
      log     global
      mode    http
      option  httplog
      option  dontlognull
      # Add an X-Forwarded-For header carrying the client address to every
      # proxied request.
      option  forwardfor
      # Written with explicit units; HAProxy's default unit is milliseconds,
      # so these are the same values as 5000 / 50000 / 50000.
      timeout connect 5s
      timeout client  50s
      timeout server  50s
      # Serve local error pages instead of HAProxy's built-in bodies.
      errorfile 400 /etc/haproxy/errors/400.http
      errorfile 403 /etc/haproxy/errors/403.http
      errorfile 408 /etc/haproxy/errors/408.http
      errorfile 500 /etc/haproxy/errors/500.http
      errorfile 502 /etc/haproxy/errors/502.http
      errorfile 503 /etc/haproxy/errors/503.http
      errorfile 504 /etc/haproxy/errors/504.http

  frontend stats
      # Plaintext listener on every interface: the stats page and the
      # Prometheus endpoint are reachable from any network this host sits on.
      # NOTE(review): bind to a management address or restrict with a
      # firewall if that is not intended.
      bind *:4545
      # Enable Prometheus Exporter. This http-request rule appears to run
      # before the stats applet, so /metrics is served without the stats
      # credentials below — confirm against the deployed version if the
      # metrics need to be authenticated.
      http-request use-service prometheus-exporter if { path /metrics }
      stats enable
      stats uri /stats
      stats refresh 10s
      stats hide-version
      # NOTE(review): a short numeric password that has been shared in a
      # public paste should be treated as compromised and rotated, and the
      # real value kept out of copies of this file. The page is served over
      # plain HTTP here, so the credential also crosses the network in clear.
      stats auth admin:123456789

  frontend http-in
      bind *:80
      # Redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
      # Every request on this plaintext listener gets a permanent (301)
      # redirect to the https scheme with host and path preserved. ssl_fc is
      # never true on a non-TLS bind, so the guard is effectively always met.
      http-request redirect scheme https code 301 if !{ ssl_fc }

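  frontend fe_main
      # TLS pass-through: read the SNI from the ClientHello and hand the raw
      # TCP stream to the matching loopback backend. TLS is terminated by the
      # abns@ frontends further down, not here.
      mode tcp
      option  tcplog
      bind *:443
      # Wait up to 5s for enough bytes to parse the ClientHello before the
      # content rules below are evaluated.
      tcp-request inspect-delay 5s
      # Capture the SNI for the log line. Fix: the original 'len 10'
      # truncated the logged name (dev.example.com is 15 characters, so it was
      # logged as 'dev.exampl'); DNS host names are at most 255 octets.
      tcp-request content capture req.ssl_sni len 255
      log-format "capture0: %[capture.req.hdr(0)]"
      # Stop waiting as soon as a ClientHello (hello type 1) has been seen.
      tcp-request content accept if { req.ssl_hello_type 1  }
      # Routing matches req.ssl_sni directly, so it does not depend on the
      # capture length above; any other (or missing) SNI takes the default.
      use_backend verify_loopback if { req.ssl_sni -i dev.example.com }
      default_backend normal_loopback
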
  backend verify_loopback
      # Target for connections whose SNI matched dev.example.com: the still
      # encrypted stream is relayed over an abstract-namespace socket to the
      # fe-ssl-clientcert frontend, with a PROXY v2 header so the original
      # client address survives the loop.
      mode tcp
      server loopback-for-tls abns@haproxy-clientcert send-proxy-v2
  backend normal_loopback
      # Default target for every other connection on :443 (any other SNI, or
      # none): relayed unchanged over an abstract-namespace socket to the
      # fe-ssl-default frontend, with a PROXY v2 header carrying the client
      # address.
      mode tcp
      server loopback-for-tls abns@haproxy-default send-proxy-v2


  frontend fe-ssl-clientcert
      mode http
      # TLS termination for the client-certificate path. accept-proxy reads
      # the PROXY v2 header sent by verify_loopback. 'verify optional'
      # requests a client certificate but completes the handshake without
      # one, and 'crt-ignore-err all' also completes it when the presented
      # certificate fails verification (per the bind docs this covers errors
      # on the certificate itself; chain/CA errors are governed by
      # ca-ignore-err, which is not set). NOTE(review): nothing in this
      # frontend or in be_main tests ssl_c_used / ssl_c_verify, so as written a
      # missing or untrusted client certificate is only logged, never
      # enforced. If the certificate is meant to gate access, add a rule such
      # as `http-request deny unless { ssl_c_used } { ssl_c_verify 0 }` here,
      # or pass ssl_c_verify to the backend in a header and enforce it there.
      # Unlike fe-ssl-default, no alpn is advertised on this bind, so clients
      # will negotiate HTTP/1.1 only.
      bind abns@haproxy-clientcert accept-proxy ssl crt /etc/haproxy/certs ca-file /etc/haproxy/certs/verify_certs/ca.pem verify optional crt-ignore-err all
      # Log the TLS and client-certificate outcome per request; ssl_c_verify
      # is the verification result code (0 means the certificate verified).
      log-format "capture1: ssl_fc %{+Q}[ssl_fc], ssl_c_used %{+Q}[ssl_c_used], ssl_fc_has_crt %{+Q}[ssl_fc_has_crt], ssl_c_verify %{+Q}[ssl_c_verify], ssl_c_i_dn %{+Q}[ssl_c_i_dn]"
      # Use be_main as backend
      default_backend be_main
  frontend fe-ssl-default
      # TLS termination for every name other than dev.example.com. The stream
      # arrives from normal_loopback with a PROXY v2 header, which
      # accept-proxy consumes. No client certificate is requested here.
      mode    http
      default_backend be_main
      # Certificates are loaded from the directory; ALPN prefers HTTP/2 and
      # falls back to HTTP/1.1.
      bind abns@haproxy-default accept-proxy ssl crt /etc/haproxy/certs alpn h2,http/1.1


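  backend be_main
      mode http
      # X-Forwarded-For is already inherited from 'option forwardfor' in the
      # defaults section, so it does not need repeating here; the PROXY
      # header sent on the server line below carries the client address
      # independently of it.
      #
      # Health check: 'HEAD / HTTP/1.1' followed by a Host header. Fix: the
      # original line read 'HTTP/1.1rnHost:localhost' (the backslashes of the
      # CRLF escape were missing), which is not a valid HTTP version string.
      # This check only runs for servers that carry the 'check' keyword; the
      # server below has none, so the option is inert until 'check' is added.
      # Add it only once the upstream answers HEAD /, otherwise the server
      # would be marked DOWN and stop receiving traffic.
      option httpchk HEAD / HTTP/1.1\r\nHost:localhost
      # Use the http endpoint of kubernetes (the port looks like a NodePort on
      # this node — confirm). send-proxy prefixes the connection with a PROXY
      # v1 header so the upstream sees the real client address.
      server example.com  127.0.0.1:32361 send-proxy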