Last active
September 19, 2022 09:38
-
-
Save badsyntax/b15313298486a06418ab to your computer and use it in GitHub Desktop.
Some example haproxy configs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SSL termination at proxy | |
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend http-in | |
| bind *:80 | |
| bind *:443 ssl crt /certs/star_example_com.pem | |
| stats enable | |
| stats auth fathom:pass | |
| stats uri /haproxystats | |
| reqadd X-Forwarded-Proto:\ http | |
| acl host_npm hdr(host) -i npm.example.com | |
| acl host_gitlab_ci hdr(host) -i ci.example.com | |
| acl host_gitlab hdr(host) -i git.example.com | |
| use_backend npm if host_npm | |
| use_backend gitlab_ci if host_gitlab_ci | |
| use_backend gitlab if host_gitlab | |
| backend gitlab | |
| option httpclose | |
| option forwardfor | |
| redirect scheme https if !{ ssl_fc } | |
| server localhost-gitlab localhost:10080 check port 10080 | |
| backend gitlab_ci | |
| option httpclose | |
| option forwardfor | |
| server localhost-gitlab-ci localhost:49158 check port 49158 | |
| backend npm | |
| option httpclose | |
| option forwardfor | |
| server localhost-npm localhost:5985 check port 5985 | |
| backend default |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SSL Pass through | |
| # This resulted in odd browser hehavior, where SNI was not working as expectd with https hosts - possibly due to HSTS headers? | |
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend http-in | |
| bind *:80 | |
| stats enable | |
| stats auth fathom:pass | |
| stats uri /haproxystats | |
| acl host_npm hdr(host) -i npm.example.com | |
| acl host_gitlab_ci hdr(host) -i ci.example.com | |
| acl host_gitlab hdr(host) -i git.example.com | |
| use_backend npm if host_npm | |
| use_backend gitlab_ci if host_gitlab_ci | |
| use_backend gitlab if host_gitlab | |
| frontend https-in | |
| bind *:443 | |
| option tcplog | |
| mode tcp | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| acl host_gitlab_ssl req_ssl_sni -i git.example.com | |
| use_backend gitlab_ssl if host_gitlab_ssl | |
| backend gitlab | |
| option httpclose | |
| option forwardfor | |
| redirect scheme https code 301 if !{ ssl_fc } | |
| backend gitlab_ssl | |
| mode tcp | |
| # maximum SSL session ID length is 32 bytes. | |
| stick-table type binary len 32 size 30k expire 30m | |
| acl clienthello req_ssl_hello_type 1 | |
| acl serverhello rep_ssl_hello_type 2 | |
| # use tcp content accepts to detects ssl client and server hello. | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if clienthello | |
| # no timeout on response inspect delay by default. | |
| tcp-response content accept if serverhello | |
| stick on payload_lv(43,1) if clienthello | |
| # Learn on response if server hello. | |
| stick store-response payload_lv(43,1) if serverhello | |
| option ssl-hello-chk | |
| server localhost-gitlab-ssl localhost:444 check port 444 | |
| backend gitlab_ci | |
| option httpclose | |
| option forwardfor | |
| server localhost-gitlab-ci localhost:49158 check port 49158 | |
| backend npm | |
| option httpclose | |
| option forwardfor | |
| server localhost-npm localhost:5985 check port 5985 | |
| backend default |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
I'm using your config, but I'm getting this return from Firefox
Error code: SSL_ERROR_RX_RECORD_TOO_LONGMy HAproxy version:
haproxy -v HA-Proxy version 1.8.8-1~bpo9+1 2018/04/19 Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>Do you know this problem ?
best regard
iGlaedr