#
# Automatically generated configuration.
# Do not edit this file manually.
#
 
global
# NOTE: Could be a security issue, but required for some feature.
# Privilege drop and confinement: the process runs as uid/gid 80 inside /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API at "admin" level (server state changes, session listing, etc.) with
# listener FD passing enabled. No user/group/mode option is set on the socket, so who
# may connect depends on the default permissions of /var/run/haproxy.socket; adding
# "mode 600" plus a "user"/"group" restricts runtime control to the intended
# administrative account.
stats socket /var/run/haproxy.socket level admin expose-fd listeners
nbproc 1
nbthread 1
# 2048-bit DH parameters for DHE suites; the default cipher list below is ECDHE-only,
# so this only matters if a bind line widens the cipher set.
tune.ssl.default-dh-param 2048
spread-checks 0
tune.chksize 16384
tune.bufsize 16384
# 0 = no memory cap for Lua; no Lua script is loaded anywhere in this file.
tune.lua.maxmem 0
# Syslog via /var/run/log, facility local0, limited to "warning" and more severe.
# NOTE(review): per-request lines from "option httplog" are emitted at "info", so with
# this level only the error-level lines split out by "option log-separate-errors"
# should reach syslog — confirm this is intended before relying on these logs for
# detection or incident response.
log /var/run/log local0 warning
# Defaults for every "bind ... ssl": TLS 1.2+ only (SSLv3/1.0/1.1 off), no session
# tickets, forward-secret ECDHE suites only. The frontends below repeat the same
# options and cipher list explicitly on their bind lines.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 
defaults
# Inherit the global log target, and therefore its "warning" level filter.
log global
option redispatch -1
timeout client 60s
timeout connect 60s
timeout server 60s
retries 3
# WARNING: pass through options below this line
# Bounds the time a client may take to send the complete request headers
# (slow-request protection); applies to every frontend below.
timeout http-request 5s
# Adds X-Forwarded-For with the client address. The frontends and backends repeat
# this directive, which is redundant but harmless.
option forwardfor
 
 
# Frontend: NVRUIFrontend (Ubiquiti NVR - UI Frontend)
frontend NVRUIFrontend
# HSTS for the UI (max-age ~6 months, includeSubDomains, preload).
# NOTE(review): NVRUIBackend sets the same header with a different max-age; confirm
# which value the client actually receives and keep only one.
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# TLS-only listener on the LAN address; TLS options repeat the global defaults.
# The crt-list lives under /tmp/haproxy/ssl, i.e. it is written by the generator.
bind 172.16.66.1:7443 name 172.16.66.1:7443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5b9424159c7b20.37423090.certlist
mode http
option http-keep-alive
default_backend NVRUIBackend
option forwardfor
# tuning options
timeout client 60s
 
# logging options
option log-separate-errors
option httplog
# ACL: Gpc0GtZero — true once this source has been flagged; gpc0 is incremented
# from NVRUIBackend via src_inc_gpc0(NVRUIFrontend) when the error threshold is hit.
acl acl_5c5238ebcce876.74865754 src_get_gpc0 gt 0
 
# NOTE: actions with no ACLs/conditions will always match
# ACTION: SetTCPRequestTrackSC1Src — track every client IP in this frontend's stick-table
tcp-request connection track-sc1 src
# ACTION: TCPContentRejectGPC — drop the connection outright once the source is flagged
tcp-request content reject if acl_5c5238ebcce876.74865754
# ACTION: HTTPRequestDenyGPC
# NOTE(review): the action name says "request" but this rule denies the *response*,
# i.e. the request has already reached the NVR. With the tcp-request reject above this
# only acts as a fallback; "http-request deny" would match the name — confirm intent.
http-response deny if acl_5c5238ebcce876.74865754
 
# WARNING: pass through options below this line
tcp-request inspect-delay 10s
# Per-source counters (gpc0 flag, request/error rates, error count), up to 100k
# entries; an entry — and the block it carries — expires after roughly 5m without
# new activity from that source.
stick-table type ip size 100k expire 5m store gpc0,http_req_rate(10s),http_err_rate(10s),http_err_cnt
 
# Frontend: NVRVIDEOFrontend (Ubiquiti NVR - Video Frontend)
frontend NVRVIDEOFrontend
# HSTS for the video endpoint (same value as the UI frontend).
http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# TLS-only listener on the LAN address; TLS options repeat the global defaults.
bind 172.16.66.1:7446 name 172.16.66.1:7446 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5b94249be0b644.20239361.certlist
mode http
option http-keep-alive
default_backend NVRVIDEOBackend
option forwardfor
# tuning options
timeout client 60s
 
# logging options
option log-separate-errors
option httplog
# WARNING: pass through options below this line
tcp-request inspect-delay 10s
# NOTE(review): this table is declared but nothing in this section tracks into it
# (no track-sc rule) and no ACL in this file references it, so it appears unused —
# the video frontend gets none of the source blocking the UI frontend has.
stick-table type ip size 100k expire 1h store gpc0,http_req_rate(10s),http_err_rate(10s),http_err_cnt
 
 
# Backend: NVRUIBackend (Ubiquiti NVR - UI Backend)
backend NVRUIBackend
# health checking is DISABLED (no "check" on the server line below)
mode http
# Single server, so the balancing algorithm has no practical effect.
balance source
# stickiness
# NOTE(review): declared but not referenced by any "stick on"/track rule in this file —
# appears unused.
stick-table type ip size 50k expire 30m store http_req_rate(10s)
 
# tuning options
timeout connect 60s
timeout server 60s
# ACL: NVRUIFrontend-HTTPErrorCount — the source has produced >= 10 HTTP errors,
# counted in the NVRUIFrontend stick-table.
acl acl_5c5285ee799c05.54159107 src_http_err_cnt(NVRUIFrontend) ge 10
# ACL: NVRUIFrontend-SrcIncGPC — always true; used for its side effect of incrementing
# the source's gpc0 in the frontend table, which makes the frontend reject it.
acl acl_5c528c17730794.51386104 src_inc_gpc0(NVRUIFrontend) ge 0
 
# NOTE: actions with no ACLs/conditions will always match
# ACTION: ResponseDeleteServerHeader — strip the NVR's Server banner
http-response del-header Server
# ACTION: NVRUIBackend-BlockOnFrontend — once a source reaches the error threshold,
# flag it (gpc0++) and deny the request. The two ACLs are ANDed; presumably the
# side-effect ACL is only evaluated when the first one is true, so keep this order.
http-request deny if acl_5c5285ee799c05.54159107 acl_5c528c17730794.51386104
 
# WARNING: pass through options below this line
tcp-request inspect-delay 10s
 
# add X-Forwarded-Proto
http-request set-header X-Forwarded-Proto https if { ssl_fc }
 
#force SSL redirect
# Never matches here because both frontends are TLS-only binds; harmless.
redirect scheme https if !{ ssl_fc }
 
option http-keep-alive
 
# add X-FORWARDED-FOR
option forwardfor
 
# Set security headers
# NOTE(review): NVRUIFrontend also sets HSTS (different max-age). Response rules are
# applied in the backend first and then in the frontend, so the frontend's set-header
# should replace this one — confirm and consolidate.
http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
 
http-response set-header X-Frame-Options SAMEORIGIN
 
# Legacy header; current browsers ignore it, the CSP below is what matters.
http-response set-header X-XSS-Protection "1; mode=block"
 
http-response set-header Referrer-Policy no-referrer-when-downgrade
 
http-response set-header X-Content-Type-Options nosniff
 
# CSP: script-src allows 'unsafe-inline' and 'unsafe-eval', which removes most of the
# XSS protection a CSP gives; presumably required by the NVR UI — verify before
# tightening. The trailing "; " is tolerated by parsers.
http-response set-header Content-Security-Policy "default-src https://nvr.foo.bar:7443/; script-src https://nvr.foo.bar:7443/ 'unsafe-inline' 'unsafe-eval'; style-src https://nvr.foo.bar:7443/ 'unsafe-inline'; img-src data: blob: https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446; connect-src wss://nvr.foo.bar:7443/ wss://nvr.foo.bar:7446/ https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446/; media-src blob: https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446/; "
http-reuse never
# NOTE(review): "verify none" disables validation of the NVR's certificate, so the
# proxy -> NVR hop is encrypted but not authenticated. Preferred form (CA path is a
# placeholder):
#   server NVRUI unifinvr.foo.bar:7443 ssl verify required ca-file <PATH-TO-NVR-CA-PEM> sni str(unifinvr.foo.bar)
server NVRUI unifinvr.foo.bar:7443 ssl verify none
 
  135. # Backend: NVRVIDEOBackend (Ubiquiti NVR - Video Backend)
  136. backend NVRVIDEOBackend
  137. # health checking is DISABLED
  138. mode http
  139. balance source
  140. # stickiness
  141. stick-table type ip size 50k expire 30m
  142.  
  143. # tuning options
  144. timeout connect 60s
  145. timeout server 60s
  146.  
  147. # NOTE: actions with no ACLs/conditions will always match
  148. # ACTION: ResponseDeleteServerHeader
  149. http-response del-header Server
  150.  
  151. # WARNING: pass through options below this line
  152. # add X-Forwarded-Proto
  153. http-request set-header X-Forwarded-Proto https if { ssl_fc }
  154.  
  155. #force SSL redirect
  156. redirect scheme https if !{ ssl_fc }
  157.  
  158. option http-keep-alive
  159.  
  160. # add X-FORWARDED-FOR
  161. option forwardfor
  162.  
  163. # Set security headers
  164. http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
  165.  
  166. http-response set-header X-Frame-Options SAMEORIGIN
  167.  
  168. http-response set-header X-XSS-Protection "1; mode=block"
  169.  
  170. http-response set-header Referrer-Policy no-referrer-when-downgrade
  171.  
  172. http-response set-header X-Content-Type-Options nosniff
  173.  
  174. http-response set-header Access-Control-Allow-Origin "https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446/"
  175.  
  176. http-response set-header Content-Security-Policy "default-src 'none'; img-src data: blob: https://nvr.foo.bar:7446/; connect-src wss://nvr.foo.bar:7446/ https://nvr.foo.bar:7446/; media-src blob: https://nvr.foo.bar:7446/; "
  177. http-reuse never
  178. server NVRVIDEO unifinvr.foo.bar:7446 ssl verify none
  179.  
  180.  
# Backend (DISABLED): Abuse (Abuse Blocking Backend)
 
# Stats page reachable from the local host only (loopback bind, plain HTTP).
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
# Realm is only used by "stats auth", which is not configured here, so no
# credentials are ever requested on this listener.
stats realm HAProxy\ statistics
# Admin mode unconditionally: any process on the box that can reach 127.0.0.1:8822
# can enable/disable servers. Acceptable only because of the loopback bind; tie it to
# an ACL or "stats auth" if other local users exist on this host.
stats admin if TRUE
 
# Stats page on a LAN interface, read-only (no "stats admin"), behind HTTP basic auth.
listen remote_statistics
# NOTE(review): plain HTTP bind — the basic-auth credentials below travel in cleartext
# on this network; adding "ssl crt <cert>" to the bind line would close that.
bind 172.16.42.1:8822
mode http
stats uri /haproxy?stats
# Do not advertise the HAProxy version on the page.
stats hide-version
# Credentials come from the "stats_auth" userlist, which is not part of this file.
acl auth_ok http_auth(stats_auth)
# Allow authenticated requests, otherwise challenge with the realm.
stats http-request allow if auth_ok
stats http-request auth realm HAProxy\ statistics