  1. global
  2.     nbproc          1
  3.     nbthread        32
  4.     log /dev/log    local0
  5.     log /dev/log    local1 notice
  6.     chroot  /var/lib/haproxy
  7.     stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  8.     stats timeout 30s
  9.     user haproxy
  10.     group haproxy
  11.     maxconn 2000
  12.     daemon
  13.  
  14. #--------------------------
  15. # SSL tuning / hardening
  16. #--------------------------
  17.     ssl-default-bind-options no-sslv3
  18.     ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  19.     ssl-default-server-options no-sslv3
  20.     ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  21.     tune.ssl.default-dh-param 2048
  22.  
defaults
    mode                    http
    log                     global
    # HTTP-format logging; connections that never sent data (e.g. TCP probes) are not logged.
    option                  httplog
    option                  dontlognull
    # Add X-Forwarded-For so the backend sees the real client; loopback sources are exempt.
    # (Both frontends below re-declare "option forwardfor" without the exception.)
    option                  forwardfor       except 127.0.0.0/8
    # Allow a request whose sticky server is down to be sent to another server.
    option                  redispatch
#   option                  contstats
    retries                 3
    # Full request headers must arrive within 10s (limits slow-header style abuse).
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    # Exchange keeps long-lived requests open, hence the generous inactivity timeouts
    # (frontends/backends below override these with their own values).
    timeout client          15m
    timeout server          15m
    timeout http-keep-alive 10s
    timeout check           10s
    # NOTE(review): exceeds the global maxconn (2000), which is the effective
    # process-wide cap; this value can never be reached as configured.
    maxconn                 100000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
  47.    
  48. #-------------------------------------------------------
  49. # Stats section
  50. #-------------------------------------------------------
  51. listen stats
  52.     bind *:8443 ssl crt /etc/haproxy/ssl/wildcard.pem
  53.     stats enable                    # enable statistics reports  
  54.     stats hide-version              # Hide the version of HAProxy
  55.     stats refresh 300s              # HAProxy refresh time
  56.     stats show-node                 # Shows the hostname of the node
  57.     stats auth <usr>:<pass>         # Enforce Basic authentication for Stats page
  58.     stats uri /stats                # Statistics URL
  59.  
  60. frontend FrontEnd_HTTP
  61.     bind *:80
  62.     mode http
  63.     option http-keep-alive
  64.     option forwardfor
  65.     # tuning options
  66.     timeout client 10m
  67.  
  68.     # logging options
  69.     option log-separate-errors
  70.     option httplog
  71.     option socket-stats
  72.    
  73.     #ACLs
  74.     ## Detect HTTP type
  75.     acl acl_http ssl_fc,not
  76.     ## Exchange
  77.     acl acl_owa url_beg -i /owa
  78.     acl acl_Exchange_WebMail hdr_beg(host) -i webmail.EXTERNAL.DOMAIN
  79.     acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
  80.     acl acl_Exchange_Mailserver hdr_beg(host) -i mailserver.EXTERNAL.DOMAIN
  81.     acl acl_Exchange_Mail01 hdr_beg(host) -i Mail01.EXTERNAL.DOMAIN
  82.    
  83.     #Redirects
  84.     http-request redirect scheme https code 301 if acl_http acl_owa
  85.    
  86.     #exchange
  87.     use_backend Backend_ex2019 if acl_Exchange_AutoDiscover
  88.    
  89. frontend FrontEnd_HTTPS
  90.     http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
  91.     bind *:443 ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/haproxy/ssl
  92.     mode http
  93.     option http-keep-alive
  94.     option forwardfor
  95.     # tuning options
  96.     timeout client 10m
  97.  
  98.     # logging options
  99.     option httplog 
  100.    
  101.     #ACLs
  102.     ## Detect HTTP type
  103.     acl acl_http ssl_fc,not
  104.     ## Exchange
  105.     acl acl_owa url_beg -i /owa
  106.     acl acl_Exchange_WebMail hdr_beg(host) -i webmail.EXTERNAL.DOMAIN
  107.     acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
  108.     acl acl_Exchange_Mailserver hdr_beg(host) -i mailserver.EXTERNAL.DOMAIN
  109.     acl acl_Exchange_Mail01 hdr_beg(host) -i Mail01.EXTERNAL.DOMAIN
  110.    
  111.     #exchange
  112.     use_backend Backend_ex2019_SSL if acl_Exchange_WebMail || acl_Exchange_AutoDiscover || acl_Exchange_Mailserver  || acl_Exchange_Mail01
  113.  
  114. # Backends Exchange
  115. backend Backend_ex2019_SSL
  116.     mode http
  117.     hash-type consistent
  118.     http-reuse never
  119.     balance source
  120.     option http-keep-alive
  121.     option prefer-last-server
  122.     # stickiness
  123.     stick-table type ip size 50k expire 30m  
  124.     stick on src
  125.     # tuning options
  126.     timeout connect 10m
  127.     timeout server 10m
  128.     cookie SERVERID insert indirect nocache
  129.     server Mailserver <internalIP>:443 check ssl verify none cookie s1
  130.    
  131. backend Backend_ex2019
  132.     mode http
  133.     hash-type consistent
  134.     http-reuse never
  135.     option http-keep-alive
  136.     balance source
  137.     # stickiness
  138.     stick-table type ip size 50k expire 30m  
  139.     stick on src
  140.     # tuning options
  141.     timeout connect 10m
  142.     timeout server 10m
  143.     cookie SERVERID insert indirect nocache
  144.     server Mailserver_HTTP <internalIP>:80 check cookie s1
  145.  