- global # Process-wide settings: logging, privilege drop, the runtime socket, and the TLS defaults inherited by every bind and server line
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy # Confines the running process to this directory
- stats socket /run/haproxy/admin.sock mode 660 level admin # NOTE(review): 'level admin' grants full runtime control to any account that can open this socket (mode 660 = owner and group), so keep that group's membership minimal
- stats timeout 30s
- user haproxy # Run as the unprivileged haproxy user and group
- group haproxy
- daemon
- ca-base /etc/ssl/certs # Set to the appropriate path for your distro
- crt-base /etc/ssl/private # Set to the appropriate path for your distro
- ssl-dh-param-file /etc/ssl/certs/dhparam.pem # Set to the appropriate path for your distro. Make sure it's 2048 bits for A+ SSL. Generate with 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048'. These parameters are used by the DH+ suites in the cipher lists below.
- ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS # LEAVE AS IS for A+ SSL that works with cli_wallet. The trailing '!' terms exclude anonymous (aNULL), MD5 and DSS suites.
- ssl-default-bind-options no-sslv3 no-tls-tickets # LEAVE AS IS for A+ SSL that works with cli_wallet. NOTE(review): only SSLv3 is disabled here, so TLS 1.0 and 1.1 stay negotiable unless the HAProxy/OpenSSL build already enforces a higher minimum; adding 'no-tlsv10 no-tlsv11' raises the floor to TLS 1.2 - confirm cli_wallet still connects before changing.
- ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS # LEAVE AS IS for A+ SSL that works with cli_wallet. Applies to outbound TLS towards servers; no server line in this listing carries the 'ssl' keyword, so it is currently unused.
- ssl-default-server-options no-sslv3 no-tls-tickets # LEAVE AS IS for A+ SSL that works with cli_wallet. Same scope as the server cipher list above: outbound TLS only.
- nbproc 2 # Two worker processes. NOTE(review): nbproc is deprecated in later HAProxy releases (removed in 2.5) in favour of threads, and with several processes the stats page and admin socket presumably report only the process that answered - confirm against the version in use.
- defaults # Settings inherited by every frontend and backend below unless a section overrides them
- log global
- mode http
- option httplog
- retries 3
- backlog 10000
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- option dontlognull # NOTE(review): connections that send no data are not logged, which also hides port scans and probes from the logs; reconsider on an Internet-facing listener if that visibility matters
- no option http-server-close
- option contstats
- option forwardfor # Adds an X-Forwarded-For header carrying the client address. NOTE(review): a client-supplied X-Forwarded-For is not removed by this option, so backends should trust only the value appended by this proxy.
- option redispatch
- option httpchk
- timeout client 25s # NOTE(review): no 'timeout http-request' is set, so slow request headers are bounded only by this client timeout; a shorter, dedicated 'timeout http-request' limits slow-header connection exhaustion
- timeout connect 5s
- timeout server 25s
- timeout tunnel 60s # Idle timeout once a connection has been upgraded to a tunnel (e.g. WebSocket)
- default-server inter 3s rise 2 fall 3 # Health checks every 3s; 2 successes mark a server up, 3 failures mark it down
- maxconn 2000
- frontend nodes_front # TLS listener on port 443: sets HSTS, routes ACME challenges and node traffic, and serves the statistics page
- bind *:443 ssl strict-sni crt /etc/ssl/host.my-node-domain.com/host.my-node-domain.com.pem # Replace with your SSL certificate PEM file. See https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04 . 'strict-sni' refuses handshakes whose SNI does not match a loaded certificate. The PEM holds the private key, so keep it readable by root only.
- http-response set-header Strict-Transport-Security max-age=15768000 # For A+ SSL (15768000 seconds is roughly six months)
- acl is_bsi_node hdr_end(host) -i host.my-node-domain.com # NOTE(review): hdr_end is a suffix match, so any Host value ending in this string also matches (and a Host carrying an explicit :port does not); an exact hdr(host) match is stricter if only this name should route
- acl hdr_connection_upgrade hdr(Connection) -i upgrade # Defined but not referenced by any rule in this listing
- acl hdr_upgrade_websocket hdr(Upgrade) -i websocket # Defined but not referenced by any rule in this listing
- acl is_bsi_certbot path_beg -i /.well-known/acme-challenge
- redirect scheme https code 301 if !{ ssl_fc } !is_bsi_certbot # NOTE(review): this bind is TLS-only, so '!{ ssl_fc }' should never be true here and the rule looks inert; the working redirect is the one in the port-80 frontend
- use_backend bsi_certbot if is_bsi_certbot
- use_backend bsi_node if is_bsi_node # No default_backend is set, so requests matching neither ACL are not forwarded anywhere
- stats enable # Enable haproxy statistics. NOTE(review): no 'stats auth' appears in this section, so the page is readable without credentials by anyone who can reach port 443 and it lists backend servers and their state; add 'stats auth <USER>:<PASSWORD>' (placeholder) and/or restrict access by source address.
- stats hide-version
- stats uri /stats # Available under https://host.my-node-domain.com/stats
- stats refresh 10s
- frontend nodes_front_http # Plain-HTTP listener on port 80: exists only to redirect to HTTPS and to let ACME challenges through
- bind *:80
- mode http
- option httplog
- acl is_bsi_certbot path_beg -i /.well-known/acme-challenge
- redirect scheme https code 301 if !{ ssl_fc } !is_bsi_certbot # Everything except the ACME challenge path is redirected to HTTPS with a permanent 301
- use_backend bsi_certbot if is_bsi_certbot # Only the challenge path is ever proxied over plain HTTP
- backend bsi_certbot # Receives ACME challenge requests from both frontends
- log global
- mode http
- server certbot localhost:7443 # Plain HTTP to a local port, with no health check configured; presumably certbot listens here only while a certificate is being issued or renewed - confirm against the renewal setup
- backend bsi_node # Pool of node servers; requests are spread round-robin across the hosts that pass their health check
- balance roundrobin
- option httpchk GET / HTTP/1.1 # NOTE(review): an HTTP/1.1 check sent without a Host header may be rejected by strict servers - confirm the check endpoint accepts it
- server host1 x.x.x.x:8090 maxconn 500 weight 10 check port 8095 # x.x.x.x is a placeholder address. Traffic goes to 8090 while the health check probes 8095. NOTE(review): there is no 'ssl' keyword on these server lines, so TLS ends at the proxy and traffic to the nodes is plaintext; keep these hops on a trusted network or enable TLS to the servers.
- server host2 x.x.x.x:8090 maxconn 500 weight 10 check port 8095
- server host3 x.x.x.x:8090 maxconn 500 weight 10 check port 8095