core@ip-10-0-7-27 ~ $ curl http://marathon-lb.marathon.mesos:9090/_haproxy_getconfig
# Process-wide settings for the marathon-lb HAProxy instance.
global
# Run in the background; logs go to the local syslog socket on two facilities.
daemon
log /dev/log local0
log /dev/log local1 notice
# Process-wide connection ceiling; per-proxy limits are set in "defaults".
maxconn 50000
# Size of the ephemeral DH group used for the DHE-* suites listed below.
tune.ssl.default-dh-param 2048
# Server-side cipher preference for TLS binds: ECDHE/DHE AEAD suites first,
# then CBC suites, with the 3DES (DES-CBC3-SHA) suites last and DSS excluded.
# NOTE(review): the 3DES suites are legacy compatibility entries; current
# hardening profiles drop them. Nothing here disables TLS 1.0/1.1 either
# (only SSLv3 is turned off via no-sslv3 below) -- confirm that is intended.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# SSLv3 off; TLS session tickets off (forces resumption via the session cache,
# avoiding long-lived ticket keys that would undermine forward secrecy).
ssl-default-bind-options no-sslv3 no-tls-tickets
# Same cipher list and options applied when HAProxy itself acts as a TLS
# client to backends (no ssl-enabled servers appear in this dump, so unused here).
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
# Runtime API socket. No "level"/"mode" is set here, so filesystem
# permissions on the socket path alone decide who can issue runtime commands
# (which can change server state) -- NOTE(review): confirm the socket is not
# world-writable.
stats socket /var/run/haproxy/socket
# Persist server up/down/weight state across reloads.
server-state-file global
server-state-base /var/state/haproxy/
# Lua services exposed through the "stats" listener below: getpids and
# getconfig (the scripts themselves are not shown in this dump).
lua-load /marathon-lb/getpids.lua
lua-load /marathon-lb/getconfig.lua
# Settings inherited by every listen/frontend/backend section that follows.
defaults
load-server-state-from-file global
log global
# Retry a failed connection to a server up to 3 times; with "option redispatch"
# the retry may go to a different server.
retries 3
backlog 10000
# Per-proxy connection ceiling (process-wide ceiling is 50000 in "global").
maxconn 10000
timeout connect 3s
timeout client 30s
timeout server 30s
# Long idle budget for upgraded connections (e.g. websockets) once established.
timeout tunnel 3600s
timeout http-keep-alive 1s
# Bounds how long a client may take to send a complete request header set,
# limiting the cost of clients that trickle headers slowly.
timeout http-request 15s
timeout queue 30s
# How long a tarpitted request is held before being rejected (no tarpit rules
# appear in this dump, so this is presently unused).
timeout tarpit 60s
option redispatch
# Close the server-side connection after each response; client keep-alive stays.
option http-server-close
# Do not log connections that transferred no data (health probes, port scans).
option dontlognull
# Operational endpoint: stats page, health check URI, and the two Lua services.
# Bound on every interface over plain HTTP with no "stats auth", no source ACL
# and no "http-request deny", so anyone who can reach tcp/9090 can read the
# stats page, the PID list and -- as the curl above demonstrates -- the entire
# running configuration, including backend addresses and the certificate path.
# NOTE(review): restrict this listener (bind to an internal address, add
# "stats auth", or gate the Lua services with an "http-request deny" on src).
listen stats
bind 0.0.0.0:9090
balance
mode http
# Enables the built-in stats page at its default URI.
stats enable
# Returns 200 for load-balancer liveness probes without touching any backend.
monitor-uri /_haproxy_health_check
# /_haproxy_getpids -> lua.getpids (served by /marathon-lb/getpids.lua).
acl getpid path /_haproxy_getpids
http-request use-service lua.getpids if getpid
# /_haproxy_getconfig -> lua.getconfig (served by /marathon-lb/getconfig.lua);
# this is the service that produced the dump shown here.
acl getconfig path /_haproxy_getconfig
http-request use-service lua.getconfig if getconfig
# Plain-HTTP entry point: routes by Host header. Rules are evaluated in order,
# so the ACME challenge path wins over the HTTPS redirects below it.
frontend marathon_http_in
bind *:80
mode http
# Let's Encrypt HTTP-01 challenges for any of the four hosts go to the
# letsencrypt-dcos backend over plain HTTP (the protocol requires this).
acl path_letsencrypt-dcos_10000 path_beg /.well-known/acme-challenge
acl host_tweeter_mesosphere_com_letsencrypt-dcos hdr(host) -i tweeter.mesosphere.com
acl host_tweeter_mesosphere_com_letsencrypt-dcos hdr(host) -i tweeter-test.mesosphere.com
acl host_tweeter_mesosphere_com_letsencrypt-dcos hdr(host) -i ssl-test-1.mesosphere.com
acl host_tweeter_mesosphere_com_letsencrypt-dcos hdr(host) -i ssl-test-2.mesosphere.com
use_backend letsencrypt-dcos_10000 if host_tweeter_mesosphere_com_letsencrypt-dcos path_letsencrypt-dcos_10000
# ssl-test-1: everything else is redirected to HTTPS. The bind above has no
# "ssl" keyword, so "!{ ssl_fc }" is always true on this frontend; it is
# generator boilerplate rather than a meaningful condition.
acl host_ssl-test-1_mesosphere_com_letsencrypt-dcos-test-1 hdr(host) -i ssl-test-1.mesosphere.com
redirect scheme https code 301 if !{ ssl_fc } host_ssl-test-1_mesosphere_com_letsencrypt-dcos-test-1
# ssl-test-2: served directly over plain HTTP -- no redirect to HTTPS here,
# unlike ssl-test-1 and tweeter. NOTE(review): confirm this is intentional.
acl host_ssl-test-2_mesosphere_com_letsencrypt-dcos-test-2 hdr(host) -i ssl-test-2.mesosphere.com
use_backend letsencrypt-dcos-test-2_10002 if host_ssl-test-2_mesosphere_com_letsencrypt-dcos-test-2
# tweeter: redirected to HTTPS. tweeter-test.mesosphere.com has no routing
# rule at all beyond the ACME path, and there is no default_backend, so other
# requests for it (and for unknown hosts) are not routed anywhere.
acl host_tweeter_mesosphere_com_tweeter hdr(host) -i tweeter.mesosphere.com
redirect scheme https code 301 if !{ ssl_fc } host_tweeter_mesosphere_com_tweeter
# Routing by Marathon app id instead of Host. The selector is the client-sent
# "x-marathon-app-id" request header, over plain HTTP, so this frontend
# bypasses both the host-based rules and the HTTPS redirects of :80.
# NOTE(review): intended for in-cluster callers; confirm tcp/9091 is not
# reachable from outside the cluster.
frontend marathon_http_appid_in
bind *:9091
mode http
acl app__letsencrypt-dcos hdr(x-marathon-app-id) -i /letsencrypt-dcos
use_backend letsencrypt-dcos_10000 if app__letsencrypt-dcos
acl app__letsencrypt-dcos-test-1 hdr(x-marathon-app-id) -i /letsencrypt-dcos-test-1
use_backend letsencrypt-dcos-test-1_10001 if app__letsencrypt-dcos-test-1
acl app__letsencrypt-dcos-test-2 hdr(x-marathon-app-id) -i /letsencrypt-dcos-test-2
use_backend letsencrypt-dcos-test-2_10002 if app__letsencrypt-dcos-test-2
acl app__tweeter hdr(x-marathon-app-id) -i /tweeter
use_backend tweeter_10003 if app__tweeter
# TLS entry point. This is the only "ssl" bind in the dump, so it is the only
# path on which "{ ssl_fc }" (used by the redirects and backend header rules)
# evaluates true. A single certificate file serves every name; routing is by
# the SNI value the client presented, not by the Host header.
frontend marathon_https_in
bind *:443 ssl crt /etc/ssl/mesosphere.com.pem
mode http
# ACME challenge path over TLS for each of the four names.
acl path_letsencrypt-dcos_10000 path_beg /.well-known/acme-challenge
use_backend letsencrypt-dcos_10000 if { ssl_fc_sni tweeter.mesosphere.com } path_letsencrypt-dcos_10000
use_backend letsencrypt-dcos_10000 if { ssl_fc_sni tweeter-test.mesosphere.com } path_letsencrypt-dcos_10000
use_backend letsencrypt-dcos_10000 if { ssl_fc_sni ssl-test-1.mesosphere.com } path_letsencrypt-dcos_10000
use_backend letsencrypt-dcos_10000 if { ssl_fc_sni ssl-test-2.mesosphere.com } path_letsencrypt-dcos_10000
# Per-name application routing. No default_backend: connections with a
# missing or unknown SNI match nothing and are not forwarded.
use_backend letsencrypt-dcos-test-1_10001 if { ssl_fc_sni ssl-test-1.mesosphere.com }
use_backend letsencrypt-dcos-test-2_10002 if { ssl_fc_sni ssl-test-2.mesosphere.com }
use_backend tweeter_10003 if { ssl_fc_sni tweeter.mesosphere.com }
# Per-app service port: unconditional plain-HTTP access to the backend, with
# no Host/SNI check and no HTTPS redirect. Bound on all interfaces.
frontend letsencrypt-dcos_10000
bind *:10000
mode http
use_backend letsencrypt-dcos_10000
# Per-app service port for ssl-test-1: plain HTTP, unconditional, on all
# interfaces. The HTTPS redirect enforced on :80 for this host does not apply
# here, so the app stays reachable in cleartext on tcp/10001.
frontend letsencrypt-dcos-test-1_10001
bind *:10001
mode http
use_backend letsencrypt-dcos-test-1_10001
# Per-app service port for ssl-test-2: plain HTTP, unconditional, on all
# interfaces.
frontend letsencrypt-dcos-test-2_10002
bind *:10002
mode http
use_backend letsencrypt-dcos-test-2_10002
# Per-app service port for tweeter: plain HTTP, unconditional, on all
# interfaces. As with :10001, the HTTPS redirect on :80 is not enforced here.
# NOTE(review): if these service ports are exposed beyond the cluster network,
# the TLS-only posture set up on :80/:443 is not what clients actually get.
frontend tweeter_10003
bind *:10003
mode http
use_backend tweeter_10003
# ACME client backend: a single task, no health check configured.
backend letsencrypt-dcos_10000
balance roundrobin
mode http
# Appends an X-Forwarded-For header with the client address.
option forwardfor
# set-header replaces any client-supplied X-Forwarded-Port.
http-request set-header X-Forwarded-Port %[dst_port]
# add-header only appends, and only when the request arrived on the :443 TLS
# bind; on the plain-HTTP paths (:80, :9091, :10000) nothing is set and a
# client-supplied X-Forwarded-Proto passes through unchanged. NOTE(review):
# if the app trusts this header, a "http-request del-header X-Forwarded-Proto"
# before this rule (or set-header with an explicit value) would close that.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server 10_0_2_113_11600 10.0.2.113:11600
# ssl-test-1 application: three tasks behind round-robin with HTTP health checks.
backend letsencrypt-dcos-test-1_10001
balance roundrobin
mode http
# HSTS for ~6 months. Added to every response regardless of how the request
# arrived, including the cleartext paths (:80 ACME, :9091, :10001); browsers
# only honour HSTS received over TLS, so the header is inert there.
# NOTE(review): "rspadd" is the legacy response-header directive; newer
# HAProxy releases express this as "http-response set-header".
rspadd Strict-Transport-Security:\ max-age=15768000
# Appends an X-Forwarded-For header with the client address.
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
# Appended only on the :443 TLS path; a client-supplied X-Forwarded-Proto is
# not removed on the plain-HTTP paths (see the same rule in the other backends).
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Health check: GET /health every 10s, marked down after 3 consecutive failures.
option httpchk GET /health
timeout check 10s
server 10_0_2_111_7003 10.0.2.111:7003 check inter 10s fall 3
server 10_0_2_112_10466 10.0.2.112:10466 check inter 10s fall 3
server 10_0_2_113_14878 10.0.2.113:14878 check inter 10s fall 3
# ssl-test-2 application: three tasks behind round-robin with HTTP health
# checks. Unlike test-1 and tweeter, no Strict-Transport-Security header is
# added here, which is consistent with :80 serving this host in cleartext.
backend letsencrypt-dcos-test-2_10002
balance roundrobin
mode http
# Appends an X-Forwarded-For header with the client address.
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
# Appended only on the :443 TLS path; a client-supplied X-Forwarded-Proto is
# not removed on the plain-HTTP paths.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Health check: GET /health every 10s, marked down after 3 consecutive failures.
option httpchk GET /health
timeout check 10s
server 10_0_2_111_27565 10.0.2.111:27565 check inter 10s fall 3
server 10_0_2_112_15818 10.0.2.112:15818 check inter 10s fall 3
server 10_0_2_113_31249 10.0.2.113:31249 check inter 10s fall 3
# tweeter application: a single task with an HTTP health check on "/".
backend tweeter_10003
balance roundrobin
mode http
# HSTS for ~6 months, added to every response; inert for responses that went
# out over the cleartext paths (:9091, :10003). Legacy "rspadd" form, as in
# the test-1 backend.
rspadd Strict-Transport-Security:\ max-age=15768000
# Appends an X-Forwarded-For header with the client address.
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
# Appended only on the :443 TLS path; a client-supplied X-Forwarded-Proto is
# not removed on the plain-HTTP paths.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Health check on the root path every 20s (check timeout 9s), down after 3
# failures. Note the different interval from the test-1/test-2 backends.
option httpchk GET /
timeout check 9s
server 10_0_2_112_4699 10.0.2.112:4699 check inter 20s fall 3
core@ip-10-0-7-27 ~ $