- #
- # Automatically generated configuration.
- # Do not edit this file manually.
- #
- # Process-wide settings: privilege drop, chroot, runtime API socket, tuning, logging and TLS defaults.
- global
- # NOTE: Could be a security issue, but required for some feature.
- # The process runs as uid/gid 80 and is confined to /var/haproxy.
- uid 80
- gid 80
- chroot /var/haproxy
- daemon
- # Runtime API socket at admin level: any local account that can write to it can
- # disable servers, clear stick-tables and change other runtime state.
- # NOTE(review): no mode/user/group is set on the socket here; consider adding e.g.
- # "mode 600" so only the HAProxy service account can use it.
- stats socket /var/run/haproxy.socket level admin expose-fd listeners
- # NOTE(review): nbproc was removed in HAProxy 2.5; with a value of 1 it can be dropped on upgrade.
- nbproc 1
- nbthread 1
- # DH parameter size for DHE key exchange; the cipher lists in this file contain only ECDHE suites.
- tune.ssl.default-dh-param 2048
- spread-checks 0
- tune.chksize 16384
- tune.bufsize 16384
- # 0 means no memory limit for Lua.
- tune.lua.maxmem 0
- # Only messages of level warning and above are sent to the local log socket.
- log /var/run/log local0 warning
- # SSLv3, TLS 1.0 and TLS 1.1 are disabled, so TLS 1.2 is the minimum; session tickets are off.
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
- # Cipher list for TLS 1.2 and below. All suites use ECDHE (forward secrecy); the last four
- # (…-SHA384 / …-SHA256 without GCM) are CBC-mode suites and can be dropped if every client supports AEAD.
- ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
- # Defaults inherited by the frontend, backend and listen sections that follow.
- defaults
- log global
- # -1: a request is redispatched to another server only on the last retry.
- option redispatch -1
- timeout client 60s
- timeout connect 60s
- timeout server 60s
- retries 3
- # WARNING: pass through options below this line
- # Limits how long a client may take to send a complete request; bounds slow-header connections.
- timeout http-request 5s
- # Adds an X-Forwarded-For header with the client address. A header sent by the client is
- # not removed, so the application behind the proxy should trust only the last occurrence.
- option forwardfor
- # Frontend: NVRUIFrontend (Ubiquiti NVR - UI Frontend)
- # TLS-terminating HTTP listener on 172.16.66.1:7443 that forwards to NVRUIBackend and
- # rejects client addresses whose gpc0 flag has been raised in this frontend's stick-table.
- frontend NVRUIFrontend
- http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
- # The TLS options and cipher list repeat the ssl-default-bind-* values from the global section.
- # NOTE(review): the crt-list is read from /tmp/haproxy/ssl; confirm that directory and the
- # certificate/key files it references are readable only by the HAProxy account.
- bind 172.16.66.1:7443 name 172.16.66.1:7443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5b9424159c7b20.37423090.certlist
- mode http
- option http-keep-alive
- default_backend NVRUIBackend
- option forwardfor
- # tuning options
- timeout client 60s
- # logging options
- option log-separate-errors
- option httplog
- # ACL: Gpc0GtZero
- # True when the client address has a non-zero gpc0 counter. No table is named, so the lookup
- # uses this frontend's own stick-table; the counter is raised by the src_inc_gpc0(NVRUIFrontend)
- # ACL in NVRUIBackend.
- acl acl_5c5238ebcce876.74865754 src_get_gpc0 gt 0
- # NOTE: actions with no ACLs/conditions will always match
- # ACTION: SetTCPRequestTrackSC1Src
- # Every connection is tracked by source address so the counters in the stick-table are updated.
- tcp-request connection track-sc1 src
- # ACTION: TCPContentRejectGPC
- tcp-request content reject if acl_5c5238ebcce876.74865754
- # ACTION: HTTPRequestDenyGPC
- # NOTE(review): the action is labelled HTTPRequestDenyGPC but the directive is
- # "http-response deny", which acts on the response after the request has already been
- # forwarded; confirm whether "http-request deny" was intended.
- http-response deny if acl_5c5238ebcce876.74865754
- # WARNING: pass through options below this line
- tcp-request inspect-delay 10s
- # Per-source-IP table: block flag (gpc0), request rate, error rate and error count.
- # "expire 5m" bounds how long an idle entry, and with it the block flag, is kept.
- stick-table type ip size 100k expire 5m store gpc0,http_req_rate(10s),http_err_rate(10s),http_err_cnt
- # Frontend: NVRVIDEOFrontend (Ubiquiti NVR - Video Frontend)
- # TLS-terminating HTTP listener on 172.16.66.1:7446 that forwards to NVRVIDEOBackend.
- frontend NVRVIDEOFrontend
- http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
- # The TLS options and cipher list repeat the ssl-default-bind-* values from the global section.
- # NOTE(review): the crt-list is read from /tmp/haproxy/ssl; confirm that directory and the
- # certificate/key files it references are readable only by the HAProxy account.
- bind 172.16.66.1:7446 name 172.16.66.1:7446 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5b94249be0b644.20239361.certlist
- mode http
- option http-keep-alive
- default_backend NVRVIDEOBackend
- option forwardfor
- # tuning options
- timeout client 60s
- # logging options
- option log-separate-errors
- option httplog
- # WARNING: pass through options below this line
- tcp-request inspect-delay 10s
- # NOTE(review): unlike NVRUIFrontend, this section has no track-sc rule and no ACL that reads
- # the table, so as shown nothing populates or enforces these counters; the video port gets
- # none of the abuse blocking applied on the UI port. Confirm whether that is intended.
- stick-table type ip size 100k expire 1h store gpc0,http_req_rate(10s),http_err_rate(10s),http_err_cnt
- # Backend: NVRUIBackend (Ubiquiti NVR - UI Backend)
- # Single-server backend for the NVR web UI: flags abusive client addresses in the
- # NVRUIFrontend stick-table, sets browser security headers and re-encrypts to the NVR.
- backend NVRUIBackend
- # health checking is DISABLED
- mode http
- balance source
- # stickiness
- # NOTE(review): no track-sc or stick rule in this backend refers to this table, so as shown
- # it stays empty; the abuse ACLs below read the NVRUIFrontend table instead.
- stick-table type ip size 50k expire 30m store http_req_rate(10s)
- # tuning options
- timeout connect 60s
- timeout server 60s
- # ACL: NVRUIFrontend-HTTPErrorCount
- # True once the client address has accumulated 10 or more HTTP errors in the frontend table.
- acl acl_5c5285ee799c05.54159107 src_http_err_cnt(NVRUIFrontend) ge 10
- # ACL: NVRUIFrontend-SrcIncGPC
- # Always true; it is used for its side effect of incrementing gpc0 for the client address,
- # which is the flag NVRUIFrontend checks before rejecting.
- acl acl_5c528c17730794.51386104 src_inc_gpc0(NVRUIFrontend) ge 0
- # NOTE: actions with no ACLs/conditions will always match
- # ACTION: ResponseDeleteServerHeader
- http-response del-header Server
- # ACTION: NVRUIBackend-BlockOnFrontend
- # Both ACLs are ANDed with the error-count test first, so the flag should be raised only for
- # sources that are already over the error threshold (relies on left-to-right evaluation).
- http-request deny if acl_5c5285ee799c05.54159107 acl_5c528c17730794.51386104
- # WARNING: pass through options below this line
- tcp-request inspect-delay 10s
- # add X-Forwarded-Proto
- http-request set-header X-Forwarded-Proto https if { ssl_fc }
- #force SSL redirect
- # Both frontends shown in this file bind with ssl only, so this condition is not expected to match for them.
- redirect scheme https if !{ ssl_fc }
- option http-keep-alive
- # add X-FORWARDED-FOR
- option forwardfor
- # Set security headers
- # NOTE(review): NVRUIFrontend also sets Strict-Transport-Security with a different max-age
- # (15768000); keep a single definition so the effective value is unambiguous.
- http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
- http-response set-header X-Frame-Options SAMEORIGIN
- # Legacy header that current browsers ignore; the Content-Security-Policy below is the effective control.
- http-response set-header X-XSS-Protection "1; mode=block"
- http-response set-header Referrer-Policy no-referrer-when-downgrade
- http-response set-header X-Content-Type-Options nosniff
- # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow injected inline script
- # to run, so this policy gives little protection against XSS; presumably required by the
- # NVR UI. Tighten with nonces or hashes if the application allows it.
- http-response set-header Content-Security-Policy "default-src https://nvr.foo.bar:7443/; script-src https://nvr.foo.bar:7443/ 'unsafe-inline' 'unsafe-eval'; style-src https://nvr.foo.bar:7443/ 'unsafe-inline'; img-src data: blob: https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446; connect-src wss://nvr.foo.bar:7443/ wss://nvr.foo.bar:7446/ https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446/; media-src blob: https://nvr.foo.bar:7443/ https://nvr.foo.bar:7446/; "
- http-reuse never
- # NOTE(review): "verify none" encrypts the proxy-to-NVR hop but does not authenticate the
- # NVR, so anything able to answer for unifinvr.foo.bar on that path is accepted. Prefer
- # "verify required ca-file <path-to-CA-bundle>" (placeholder path) once the NVR certificate
- # chains to a CA the proxy can trust.
- server NVRUI unifinvr.foo.bar:7443 ssl verify none
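- # Backend: NVRVIDEOBackend (Ubiquiti NVR - Video Backend)
- # Single-server backend for the NVR video endpoint: sets browser security headers and
- # re-encrypts to the NVR on port 7446.
- backend NVRVIDEOBackend
- # health checking is DISABLED
- mode http
- balance source
- # stickiness
- # NOTE(review): the table stores no counters and no stick or track-sc rule in this backend
- # refers to it, so as shown it is unused.
- stick-table type ip size 50k expire 30m
- # tuning options
- timeout connect 60s
- timeout server 60s
- # NOTE: actions with no ACLs/conditions will always match
- # ACTION: ResponseDeleteServerHeader
- http-response del-header Server
- # WARNING: pass through options below this line
- # add X-Forwarded-Proto
- http-request set-header X-Forwarded-Proto https if { ssl_fc }
- #force SSL redirect
- # Both frontends shown in this file bind with ssl only, so this condition is not expected to match for them.
- redirect scheme https if !{ ssl_fc }
- option http-keep-alive
- # add X-FORWARDED-FOR
- option forwardfor
- # Set security headers
- # NOTE(review): NVRVIDEOFrontend also sets Strict-Transport-Security with a different max-age
- # (15768000); keep a single definition so the effective value is unambiguous.
- http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
- http-response set-header X-Frame-Options SAMEORIGIN
- # Legacy header that current browsers ignore; the Content-Security-Policy below is the effective control.
- http-response set-header X-XSS-Protection "1; mode=block"
- http-response set-header Referrer-Policy no-referrer-when-downgrade
- http-response set-header X-Content-Type-Options nosniff
- # Access-Control-Allow-Origin accepts exactly one origin (scheme://host:port, no path) or "*".
- # The previous value listed two URLs with trailing slashes, which browsers treat as a mismatch
- # and therefore block every cross-origin read. Only the UI origin on port 7443 needs CORS
- # access to this endpoint; requests from port 7446 itself are same-origin.
- http-response set-header Access-Control-Allow-Origin "https://nvr.foo.bar:7443"
- http-response set-header Content-Security-Policy "default-src 'none'; img-src data: blob: https://nvr.foo.bar:7446/; connect-src wss://nvr.foo.bar:7446/ https://nvr.foo.bar:7446/; media-src blob: https://nvr.foo.bar:7446/; "
- http-reuse never
- # NOTE(review): "verify none" encrypts the proxy-to-NVR hop but does not authenticate the
- # NVR, so anything able to answer for unifinvr.foo.bar on that path is accepted. Prefer
- # "verify required ca-file <path-to-CA-bundle>" (placeholder path) once the NVR certificate
- # chains to a CA the proxy can trust.
- server NVRVIDEO unifinvr.foo.bar:7446 ssl verify none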
- # Backend (DISABLED): Abuse (Abuse Blocking Backend)
- # Statistics page served over plain HTTP on loopback (127.0.0.1:8822).
- listen local_statistics
- bind 127.0.0.1:8822
- mode http
- stats uri /haproxy?stats
- stats realm HAProxy\ statistics
- # NOTE(review): "if TRUE" enables the admin actions of the stats page unconditionally and
- # this section has no "stats auth" line, so any local process that can reach loopback can
- # change server state. Add a "stats auth" user or a restrictive condition if the host is shared.
- stats admin if TRUE
- # Read-only statistics page on 172.16.42.1:8822, protected by HTTP authentication.
- listen remote_statistics
- # NOTE(review): the bind has no "ssl", so the HTTP authentication credentials checked below
- # cross the network unencrypted; consider terminating TLS here as the other frontends do.
- bind 172.16.42.1:8822
- mode http
- stats uri /haproxy?stats
- stats hide-version
- # NOTE(review): http_auth() looks up a userlist named stats_auth, which is not defined in the
- # text shown here; presumably it was removed before posting. Confirm it exists and uses hashed passwords.
- acl auth_ok http_auth(stats_auth)
- # Authenticated requests are allowed; everything else receives an authentication challenge.
- stats http-request allow if auth_ok
- stats http-request auth realm HAProxy\ statistics