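global
    log /dev/log local0
    log /dev/log local1 notice
    # NOTE(review): the process is chrooted below, so the /dev/log socket must also be
    # reachable from inside /var/lib/haproxy for these log lines to work — confirm on the host.
    chroot /var/lib/haproxy
    # Runtime API socket. "level admin" permits server state changes; mode 660 limits it
    # to the haproxy user/group set below.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    maxconn 2000
    daemon
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). Based on the list from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # The 3DES suites are removed so this default agrees with the explicit cipher list
    # on the frontend ft_ex01 bind line, which already excludes them via !3DES.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES
    # Only SSLv3 is disabled here; TLS 1.0 and 1.1 remain negotiable unless a bind line
    # restricts them further.
    ssl-default-bind-options no-sslv3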
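defaults
    # Logging goes to the local syslog; forward or filter from there.
    # (The duplicated "log global" and "option httplog" lines were collapsed into one each.)
    log global
    log-tag haproxy
    mode http
    option httplog
    option dontlognull
    option http-no-delay
    option contstats
    # logasap writes the log line once the response headers are seen, so the byte
    # counters and total time in the log do not cover the full response body.
    option logasap
    balance source
    # Timeout values without a unit are milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout queue 30s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    # Health-check defaults inherited by every server: probe every 10s, mark down after
    # 3 failures, back up after 2 successes.
    default-server inter 10s fall 3 rise 2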
frontend ft_ex01
    mode http
    maxconn 2000
    ## External IP or DMZ IP of Proxy Server
    bind 99.99.99.99:443 ssl crt /etc/letsencrypt/live/exchange.external.company.com/haproxy.pem ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    # Define a List of Accepted ACLs for Future use
    acl all-exchange path_beg -i /autodiscover /owa /oab /ews /public /microsoft-server-activesync /rpc /ecp /mapi /favicon.ico
    # A one-character request URI can only be "/"
    acl root url_len 1
    acl mail_internal_dns hdr(host) -i exchange.internal.company.com
    # http-request rules run in order: first refuse anything that is not a listed
    # Exchange path, the site root, or the internal hostname (default deny status 403),
    # then send requests for the internal hostname to the external name.
    http-request deny unless all-exchange OR root OR mail_internal_dns
    # NOTE(review): the redirect target carries no path, so the original request URI is dropped.
    http-request redirect code 301 location https://exchange.external.company.com if mail_internal_dns
    # Redirect if the URL is a Single Character, which can only mean /
    #redirect location /owa if root
    # Capture the User-Agent Header, so that it is Added to the Log
    capture request header User-Agent len 50
    capture request header Content-Length len 120
    capture response header Content-Length len 120
    default_backend bk_exchange
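frontend ft_http
    mode http
    maxconn 2000
    bind 99.99.99.99:80 ## External IP or DMZ IP of Proxy Server
    # Plain-HTTP path used for the ACME (Let's Encrypt) challenge, served by backend localh
    acl letsencrypt path_beg -i /.well-known
    # This ACL is referenced as mail_dns by the deny and redirect rules below; it was
    # previously declared as mailbt_dns, which left those rules pointing at an undefined ACL.
    acl mail_dns hdr(host) -i exchange.external.company.com
    # Not referenced in this frontend; kept for parity with ft_ex01
    acl root url_len 1
    # Rules run in order: refuse anything that is neither the ACME path nor the external hostname
    http-request deny unless letsencrypt OR mail_dns
    capture request header User-Agent len 50
    capture request header Content-Length len 120
    capture response header Content-Length len 120
    # Everything for the external name except the ACME path is sent to HTTPS.
    # NOTE(review): the redirect target carries no path, so the original request URI is dropped.
    http-request redirect code 301 location https://exchange.external.company.com if mail_dns !letsencrypt
    default_backend localh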
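backend bk_exchange
    # The section name must be exactly bk_exchange to match default_backend in frontend ft_ex01;
    # the stray trailing word on the backend line was removed.
    mode http
    fullconn 500
    ## internal connection to exchange server
    # NOTE(review): "verify none" disables certificate validation on the proxy-to-Exchange hop,
    # so this leg does not authenticate the server. If the internal CA chain is available, prefer
    #   server ... check ssl verify required ca-file <PATH_TO_INTERNAL_CA_BUNDLE>
    server exchange.internal.company.com 192.168.0.10:443 check ssl verify none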
backend localh
    # Serves the Let's Encrypt /.well-known challenge responses over plain HTTP
    # from a local listener on port 8081.
    fullconn 500
    mode http
    server localhost 127.0.0.1:8081