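#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    #log 127.0.0.1 local2 debug #Log configuration
    log /dev/log local0 info
    # NOTE(review): this second line also targets local0, so every message
    # of level notice or above is written twice (once per line). The stock
    # template sends the second line to local1; confirm which facility is
    # intended.
    log /dev/log local0 notice
    # "debug" is the config equivalent of -d: it dumps every exchange to
    # stdout and keeps the process in the foreground, which also defeats
    # "daemon" below. It is not meant for a running deployment, so it is
    # left disabled here.
    #debug
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    # nbproc/cpu-map is the multi-process model of the 1.x series; later
    # releases replaced it with threads (nbthread). Keep in mind when
    # upgrading.
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    user haproxy #Haproxy running under user and group "haproxy"
    group haproxy
    daemon
    # turn on stats unix socket; the mode is explicit so the socket's
    # permissions do not depend on the process umask
    stats socket /var/lib/haproxy/stats mode 600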
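#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    # http-server-close was listed twice; one occurrence is enough
    option http-server-close
    option http-buffer-request
    option forwardfor
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s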
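#---------------------------------------------------------------------
# HAProxy Monitoring Config
#---------------------------------------------------------------------
listen stats
    bind 0.0.0.0:8443 ssl crt /etc/ssl/domain.cloud/domain.cloud.pem
    # Admin mode on the stats page lets a visitor enable, disable and
    # drain backend servers. It was granted to every client
    # ("stats admin if TRUE") on a listener bound to all interfaces with
    # no authentication at all. Limit it to a source ACL and require
    # credentials for the page itself.
    acl stats_admin_net src 127.0.0.1
    stats enable
    stats uri /
    stats hide-version
    stats realm HAProxy\ Statistics
    # placeholder credentials: replace with real values before deploying
    stats auth STATS_USER_PLACEHOLDER:STATS_PASSWORD_PLACEHOLDER
    stats admin if stats_admin_net
    stats refresh 30s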
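frontend ssl_relay
    # Pass-through listener. The rules below (req_ssl_hello_type,
    # req_ssl_sni) and the session-ID stickiness in ssl_sp inspect the raw
    # TLS ClientHello, which HAProxy only sees when it does NOT terminate
    # TLS itself. The original "bind ... ssl crt ..." terminated TLS on
    # this port, so none of these rules could ever match: every connection
    # sat out the 5s inspect-delay, fell through to default_backend, and
    # the backend then opened a second TLS session to the server without
    # verifying it. The listener is therefore plain TCP on 443 and the
    # certificate stays on the origin server.
    bind 0.0.0.0:443
    # this only works with 1.5 haproxy
    mode tcp
    option clitcpka
    option tcplog
    option socket-stats
    # option nolinger
    maxconn 300
    # wait up to 5s for the ClientHello before choosing a backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ssl_sp if { req_ssl_sni -i bts.domain.cloud }
    default_backend ssl_sp

backend ssl_sp
    mode tcp
    #option nolinger
    option tcplog
    #balance roundrobin
    hash-type consistent
    option srvtcpka
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    #option ssl-hello-chk
    # The client's TLS session is relayed end-to-end, so the server line
    # carries no "ssl": HAProxy does not open a TLS session of its own
    # (the previous "ssl verify none" would have done so without checking
    # the server certificate). "check" is a plain TCP connect check.
    server x_sp 10.50.3.23:443 check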