  1. global
  2.     nbproc          1
  3.     nbthread        32
  4.     log /dev/log    local0
  5.     log /dev/log    local1 notice
  6.     chroot  /var/lib/haproxy
  7.     stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  8.     stats timeout 30s
  9.     user haproxy
  10.     group haproxy
  11.     maxconn 2000
  12.     daemon
  13.  
  14. #--------------------------
  15. # SSL tuning / hardening
  16. #--------------------------
  17.     ssl-default-bind-options no-sslv3
  18.     ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  19.     ssl-default-server-options no-sslv3
  20.     ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  21.     tune.ssl.default-dh-param 2048
  22.  
  23. defaults
  24.     mode                    http
  25.     log                     global
  26.     option                  httplog
  27.     option                  dontlognull
  28.     option                  forwardfor       except 127.0.0.0/8
  29.     option                  redispatch
  30. #   option                  contstats
  31.     retries                 3
  32.     timeout http-request    10s
  33.     timeout queue           1m
  34.     timeout connect         10s
  35.     timeout client          30m # this value should be rather high with Exchange
  36.     timeout server          30m # this value should be rather high with Exchange
  37.     timeout http-keep-alive 10s
  38.     timeout check           10s
  39.     maxconn                 100000
  40.     errorfile 400 /etc/haproxy/errors/400.http
  41.     errorfile 403 /etc/haproxy/errors/403.http
  42.     errorfile 408 /etc/haproxy/errors/408.http
  43.     errorfile 500 /etc/haproxy/errors/500.http
  44.     errorfile 502 /etc/haproxy/errors/502.http
  45.     errorfile 503 /etc/haproxy/errors/503.http
  46.     errorfile 504 /etc/haproxy/errors/504.http 
  47.    
  48. #-------------------------------------------------------
  49. # Stats section
  50. #-------------------------------------------------------
  51. listen stats
  52.     bind *:8443 ssl crt /etc/haproxy/ssl/wildcard_EXTERNAL.DOMAIN.pem
  53.     stats enable                    # enable statistics reports  
  54.     stats hide-version              # Hide the version of HAProxy
  55.     stats refresh 300s              # HAProxy refresh time
  56.     stats show-node                 # Shows the hostname of the node
  57.     stats auth xxxxx     # Enforce Basic authentication for Stats page
  58.     stats uri /stats                # Statistics URL
  59.  
  60. frontend FrontEnd_HTTP
  61.     bind 192.168.xx.xx:80
  62.     mode http
  63.     option http-keep-alive
  64.     option forwardfor
  65.  
  66.     # logging options
  67.     option log-separate-errors
  68.     option httplog
  69.     option socket-stats
  70.    
  71.     #ACLs
  72.     ## define HTTP type
  73.     acl acl_http ssl_fc,not
  74.     ## Exchange
  75.     acl acl_owa url_beg -i /owa
  76.     acl acl_Exchange_WebMail hdr_beg(host) -i webmail.EXTERNAL.DOMAIN
  77.     acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
  78.     acl acl_Exchange_Mailserver hdr_beg(host) -i mailserver.EXTERNAL.DOMAIN
  79.     acl acl_Exchange_Mail01 hdr_beg(host) -i Mail01.EXTERNAL.DOMAIN
  80.    
  81.     #Redirects
  82.     http-request redirect scheme https code 301 if acl_http acl_owa
  83.    
  84.     #exchange
  85.     use_backend Backend_ex2019 if acl_Exchange_AutoDiscover
  86.    
  87. frontend FrontEnd_HTTPS
  88.     http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
  89.     bind 192.168.xx.xx:443 ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/haproxy/ssl
  90.     mode http
  91.     option http-keep-alive
  92.     option forwardfor
  93.  
  94.     # logging options
  95.     option httplog 
  96.    
  97.     #ACLs
  98.     ## define HTTP type
  99.     acl acl_http ssl_fc,not
  100.     ## Exchange
  101.     acl acl_owa url_beg -i /owa
  102.     acl acl_Exchange_WebMail hdr_beg(host) -i webmail.EXTERNAL.DOMAIN
  103.     acl acl_Exchange_AutoDiscover hdr_beg(host) -i autodiscover.EXTERNAL.DOMAIN
  104.     acl acl_Exchange_Mailserver hdr_beg(host) -i mailserver.EXTERNAL.DOMAIN
  105.     acl acl_Exchange_Mail01 hdr_beg(host) -i Mail01.EXTERNAL.DOMAIN
  106.    
  107.     #exchange
  108.     use_backend Backend_ex2019_SSL if acl_Exchange_WebMail || acl_Exchange_AutoDiscover || acl_Exchange_Mailserver  || acl_Exchange_Mail01
  109.    
  110. # Backends Exchange
  111. backend Backend_ex2019_SSL
  112.     mode http
  113.     hash-type consistent
  114.     http-reuse never
  115.     balance source
  116.     option http-keep-alive
  117.     option prefer-last-server
  118.     # stickiness
  119.     stick-table type ip size 50k expire 30m  
  120.     stick on src
  121.     cookie SERVERID insert indirect nocache
  122.     server Mailserver 192.168.xx.xx:443 check ssl verify none cookie s1
  123.    
  124. backend Backend_ex2019
  125.     mode http
  126.     hash-type consistent
  127.     http-reuse never
  128.     option http-keep-alive
  129.     balance source
  130.     # stickiness
  131.     stick-table type ip size 50k expire 30m  
  132.     stick on src
  133.     cookie SERVERID insert indirect nocache
  134.     server Mailserver_HTTP 192.168.xx.xx:80 check cookie s1
  135.  