Created
December 27, 2015 14:18
-
-
Save eniac111/95ef382b545aa2d43dff to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###HAProxy configuration to work with Let's encrypt. | |
| ###http://petrovs.info/2015/12/27/My-way-to-auto-update-Lets-Encrypt/ | |
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| tune.bufsize 131072 | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /srv/certs | |
| crt-base /srv/certs | |
| # Default ciphers to use on SSL-enabled listening sockets. | |
| # For more information, see ciphers(1SSL). | |
| ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL | |
| # tunning | |
| maxconn 16384 | |
| defaults http | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| option forwardfor | |
| option http-server-close | |
| timeout connect 5s | |
| timeout client 310s | |
| timeout server 310s | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend www-http | |
| bind 0.0.0.0:80 | |
| reqadd X-Forwarded-Proto:\ http | |
| option forwardfor | |
| #ACLs | |
| acl example_sites hdr(host) -i example.com www.example.com | |
| #Redirects | |
| redirect prefix https://cloud.grandcity-property.com if example_sites | |
| frontend www-https | |
| bind 0.0.0.0:4443 ssl crt example.com.pem crt www.example.com.pem crt ./ no-sslv3 | |
| reqadd X-Forwarded-Proto:\ https | |
| option forwardfor | |
| #ACLs | |
| acl example_sites hdr(host) -i example.com www.example.com | |
| use_backend examplecom if example_sites | |
| backend examplecom | |
| timeout server 30m | |
| balance leastconn | |
| option httpclose | |
| option forwardfor | |
| cookie JSESSIONID prefix | |
| server node1 192.168.0.10:80 cookie A check | |
| #### TCP Section | |
| defaults tcp | |
| log global | |
| mode tcp | |
| option tcplog | |
| timeout connect 10s | |
| timeout client 600s | |
| timeout server 600s | |
| frontend www-https-tcp | |
| log global | |
| mode tcp | |
| option tcplog | |
| bind 0.0.0.0:443 | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req.ssl_hello_type 1 } | |
| # Matching all SNI names with *.acme.invalid | |
| acl app_letsencrypt req.ssl_sni -m end .acme.invalid | |
| use_backend letsencrypt if app_letsencrypt | |
| # sending everything that doesn't match *.acme.invalid to the HTTPS backend | |
| default_backend bk_frontend_https_loop | |
| backend bk_frontend_https_loop | |
| log global | |
| mode tcp | |
| option tcplog | |
| server localserver 0.0.0.0:4443 | |
| backend letsencrypt | |
| log global | |
| mode tcp | |
| option tcplog | |
| server letsencrypt 0.0.0.0:63443 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment