haproxy.conf

1. global
2. log 127.0.0.1 local0 notice
3. maxconn 2048
4. user haproxy
5. group haproxy
6. # tune & ssl params to force diffie-hellman defaults, disallow most tls/poodle attacks, and restrict binders to secure ciphers
7. tune.ssl.default-dh-param 4096
8. ssl-default-bind-options no-sslv3 no-tls-tickets
9. ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
10.  
11. defaults
12. log global
13. mode http
14. option forwardfor
15. option http-server-close
16. option clitcpka
17. option httplog
18. option dontlognull
19. option forwardfor except 127.0.0.1
20. option httpchk GET /
21. http-check disable-on-404
22. retries 3
23. option redispatch
24. timeout connect 5000
25. timeout client 10000
26. timeout server 10000
27. stats uri /haproxy?stats
28. stats realm Strictly\ Private
29. stats auth stats:6p&Dz$bGYhVfCwe!z9rP
30.  
31. frontend catchAll
32. bind :80
33. bind :443 ssl crt-list /etc/haproxy/certs/pemList alpn h2
34. mode http
35. # Redirect www. URLs to non-www https URLs (Not working yet)
36. acl does_use_www hdr(host) -m beg www.
37. http-request redirect code 301 location %[hdr(host)] if does_use_www
38. # Force HTTPS
39. http-request set-header X-Forwarded-Proto https if { ssl_fc }
40. redirect scheme https if !{ ssl_fc }
41. # use_backend directives for each URL that HAProxy should handle
42. use_backend blechinger.io_wordpressServers if { hdr(host) -i blechinger.io }
43. use_backend blechinger.io_wordpressServers if { hdr(host) -i blog.blechinger.io }
44. use_backend blechinger.io_wordpressServers if { hdr(host) -i gamenight.blechinger.io }
45. use_backend blechinger.io_pterodactylServers if { hdr(host) -i pterodactyl.blechinger.io }
46. use_backend rachelreagan.com_wordpressServers if { hdr(host) -i rachelreagan.com }
47. use_backend exponentialnews.net_wordpressServers if { hdr(host) -i exponentialnews.net }
48. use_backend kylejohnson.io_wordpressServers if { hdr(host) -i kylejohnson.io }
49.  
50. backend blechinger.io_wordpressServers
51. mode http
52. balance uri
53. option forwardfor
54. http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload;
55. server pnWordpress01 10.0.10.200:80 check
56. http-request set-header X-Forwarded-Port %[dst_port]
57. http-request add-header X-Forwarded-Proto https if { ssl_fc }
58.  
59. backend blechinger.io_pterodactylServers
60. mode http
61. balance uri
62. option forwardfor
63. http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload;
64. server pnWordpress01 10.1.51.100:80 check
65. http-request set-header X-Forwarded-Port %[dst_port]
66. http-request add-header X-Forwarded-Proto https if { ssl_fc }
67.  
68. backend rachelreagan.com_wordpressServers
69. mode http
70. balance uri
71. option forwardfor
72. http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload;
73. server pnWordpress01 10.0.10.200:80 check
74. http-request set-header X-Forwarded-Port %[dst_port]
75. http-request add-header X-Forwarded-Proto https if { ssl_fc }
76.  
77. backend exponentialnews.net_wordpressServers
78. mode http
79. balance uri
80. option forwardfor
81. http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload;
82. server pnWordpress01 10.0.10.200:80 check
83. http-request set-header X-Forwarded-Port %[dst_port]
84. http-request add-header X-Forwarded-Proto https if { ssl_fc }
85.  
86. backend kylejohnson.io_wordpressServers
87. mode http
88. balance uri
89. option forwardfor
90. http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload;
91. server pnWordpress01 10.0.10.200:80 check
92. http-request set-header X-Forwarded-Port %[dst_port]
93. http-request add-header X-Forwarded-Proto https if { ssl_fc }