Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Some example haproxy configs
# SSL termination at proxy
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind *:80
bind *:443 ssl crt /certs/star_example_com.pem
stats enable
stats auth fathom:pass
stats uri /haproxystats
reqadd X-Forwarded-Proto:\ http
acl host_npm hdr(host) -i npm.example.com
acl host_gitlab_ci hdr(host) -i ci.example.com
acl host_gitlab hdr(host) -i git.example.com
use_backend npm if host_npm
use_backend gitlab_ci if host_gitlab_ci
use_backend gitlab if host_gitlab
backend gitlab
option httpclose
option forwardfor
redirect scheme https if !{ ssl_fc }
server localhost-gitlab localhost:10080 check port 10080
backend gitlab_ci
option httpclose
option forwardfor
server localhost-gitlab-ci localhost:49158 check port 49158
backend npm
option httpclose
option forwardfor
server localhost-npm localhost:5985 check port 5985
backend default
# SSL Pass through
# This resulted in odd browser hehavior, where SNI was not working as expectd with https hosts - possibly due to HSTS headers?
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind *:80
stats enable
stats auth fathom:pass
stats uri /haproxystats
acl host_npm hdr(host) -i npm.example.com
acl host_gitlab_ci hdr(host) -i ci.example.com
acl host_gitlab hdr(host) -i git.example.com
use_backend npm if host_npm
use_backend gitlab_ci if host_gitlab_ci
use_backend gitlab if host_gitlab
frontend https-in
bind *:443
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl host_gitlab_ssl req_ssl_sni -i git.example.com
use_backend gitlab_ssl if host_gitlab_ssl
backend gitlab
option httpclose
option forwardfor
redirect scheme https code 301 if !{ ssl_fc }
backend gitlab_ssl
mode tcp
# maximum SSL session ID length is 32 bytes.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
option ssl-hello-chk
server localhost-gitlab-ssl localhost:444 check port 444
backend gitlab_ci
option httpclose
option forwardfor
server localhost-gitlab-ci localhost:49158 check port 49158
backend npm
option httpclose
option forwardfor
server localhost-npm localhost:5985 check port 5985
backend default
@iGlaedr

This comment has been minimized.

Copy link

commented May 27, 2018

Hi

I'm using your config, but I'm getting this return from Firefox Error code: SSL_ERROR_RX_RECORD_TOO_LONG
My HAproxy version:
haproxy -v HA-Proxy version 1.8.8-1~bpo9+1 2018/04/19 Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
Do you know this problem ?

best regard
iGlaedr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.