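global
    nbproc 1
    nbthread 32
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Local admin socket: mode 660 keeps it to the haproxy user/group.
    # `expose-fd listeners` lets a reload hand the listening sockets to the new process.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    # Process-wide connection cap. Per-proxy maxconn values larger than this
    # (the defaults section uses 100000) are effectively bounded by it.
    maxconn 2000
    daemon
    #--------------------------
    # SSL tuning / hardening
    #--------------------------
    # Disabling only SSLv3 left TLS 1.0 and 1.1 negotiable on every bind/server line
    # that does not override it (the stats listener, the backend TLS leg). The defaults
    # below make TLS 1.2 the floor everywhere; the per-bind flags in FrontEnd_HTTPS
    # then become redundant instead of being the only place this is enforced.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048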
defaults
    mode http
    log global
    # Logging
    option httplog
    option dontlognull
    # option contstats
    # X-Forwarded-For for everything except loopback clients; both frontends below
    # override this with a plain `option forwardfor` (no exception list).
    option forwardfor except 127.0.0.0/8
    # Failover behaviour
    option redispatch
    retries 3
    # Per-proxy connection cap. The global maxconn (2000) bounds the whole process,
    # so this figure is only reachable if that one is raised as well.
    maxconn 100000
    # Timeouts. client/server are deliberately long (30m): Exchange/Outlook sessions
    # keep connections open for a long time and drop them badly on short idle timeouts.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 30m
    timeout server 30m
    timeout http-keep-alive 10s
    timeout check 10s
    # Custom error pages
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
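#-------------------------------------------------------
# Stats section
#-------------------------------------------------------
listen stats
    # NOTE(review): `*` binds the stats page on every interface, including the one
    # that serves Exchange; restrict it to a management address if this host is
    # reachable from outside the admin network. The TLS flags match FrontEnd_HTTPS
    # so this listener no longer falls back to the weaker global `no-sslv3`-only default.
    bind *:8443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets crt /etc/haproxy/ssl/wildcard_EXTERNAL.DOMAIN.pem
    stats enable                # enable statistics reports
    stats hide-version          # do not advertise the HAProxy version
    stats refresh 300s          # page auto-refresh interval
    stats show-node             # show the hostname of the node
    # Basic authentication, form `user:password`. "xxxxx" is a redacted placeholder
    # and has to be replaced. No `stats admin` line, so the page stays read-only.
    stats auth xxxxx
    stats uri /stats            # statistics URL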
frontend FrontEnd_HTTP
    bind 192.168.xx.xx:80
    mode http
    option http-keep-alive
    # Plain `option forwardfor` replaces the defaults' "except 127.0.0.0/8" here.
    option forwardfor
    # logging
    option httplog
    option log-separate-errors
    option socket-stats
    # ACLs. On a plaintext bind ssl_fc is never set, so acl_http is always true;
    # it is kept for symmetry with the HTTPS frontend.
    acl acl_http ssl_fc,not
    acl acl_owa url_beg -i /owa
    acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
    # Only /owa is bounced to HTTPS.
    http-request redirect scheme https code 301 if acl_http acl_owa
    # NOTE(review): Autodiscover requests arriving on port 80 are proxied in cleartext to
    # Backend_ex2019 (port 80); anything a client sends on that path, including
    # credentials, is unencrypted on both legs. Every other Host name has no matching
    # rule and no default_backend, so HAProxy answers it with a 503.
    use_backend Backend_ex2019 if acl_Exchange_AutoDiscover
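frontend FrontEnd_HTTPS
    # `crt` names a directory: every PEM under /etc/haproxy/ssl is loaded and selected by SNI.
    # no-tlsv11 added: the original disabled SSLv3 and TLS 1.0 but still accepted TLS 1.1.
    bind 192.168.xx.xx:443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets crt /etc/haproxy/ssl
    mode http
    option http-keep-alive
    # Plain `option forwardfor` replaces the defaults' "except 127.0.0.0/8" here.
    option forwardfor
    # logging options
    option httplog
    # HSTS for the served zone; includeSubDomains covers every host name routed below.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # ACLs: Exchange host names served on this listener. The acl_http / acl_owa
    # definitions copied from the HTTP frontend were unused here and have been dropped.
    acl acl_Exchange_WebMail hdr_beg(host) -i webmail.EXTERNAL.DOMAIN
    acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
    acl acl_Exchange_Mailserver hdr_beg(host) -i mailserver.EXTERNAL.DOMAIN
    acl acl_Exchange_Mail01 hdr_beg(host) -i Mail01.EXTERNAL.DOMAIN
    # Routing. No default_backend: any other Host name is answered with a 503 by HAProxy
    # rather than forwarded to Exchange; add one only if that is not the intent.
    use_backend Backend_ex2019_SSL if acl_Exchange_WebMail || acl_Exchange_AutoDiscover || acl_Exchange_Mailserver || acl_Exchange_Mail01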
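# Backends Exchange
backend Backend_ex2019_SSL
    mode http
    balance source
    hash-type consistent
    http-reuse never
    option http-keep-alive
    option prefer-last-server
    # Stickiness. Three mechanisms stack here (source hash, stick-table on src, SERVERID
    # cookie); with a single server none of them changes where a request goes.
    stick-table type ip size 50k expire 30m
    stick on src
    # httponly/secure added: this backend is only selected from FrontEnd_HTTPS, so the
    # persistence cookie never has to travel over plain HTTP or be readable by page scripts.
    cookie SERVERID insert indirect nocache httponly secure
    # NOTE(review): `verify none` accepts any certificate from the Exchange server, so the
    # HAProxy-to-Exchange leg is encrypted but not authenticated. Prefer
    # `verify required ca-file <CA bundle path>` once the CA is on record; kept as-is
    # here because the path is not known from this file.
    server Mailserver 192.168.xx.xx:443 check ssl verify none cookie s1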
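# Plain-HTTP backend, reached only from FrontEnd_HTTP for autodiscover.EXTERNAL.DOMAIN.
backend Backend_ex2019
    mode http
    balance source
    hash-type consistent
    http-reuse never
    option http-keep-alive
    # Stickiness. As in Backend_ex2019_SSL, source hash + stick-table + cookie all
    # apply to a single server.
    stick-table type ip size 50k expire 30m
    stick on src
    # httponly added: the persistence cookie has no reason to be readable by scripts.
    # `secure` is deliberately not set here, since clients reach this backend over
    # plain HTTP and would otherwise never return the cookie.
    cookie SERVERID insert indirect nocache httponly
    # NOTE(review): cleartext leg to Exchange on port 80; both hops of this path are
    # unencrypted.
    server Mailserver_HTTP 192.168.xx.xx:80 check cookie s1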