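### HAProxy configuration to work with Let's Encrypt.
### http://petrovs.info/2015/12/27/My-way-to-auto-update-Lets-Encrypt/
###
### Layout: the only public ports are :80 (HTTP -> HTTPS redirect) and :443.
### :443 is a TCP/SNI router: a ClientHello whose SNI ends in ".acme.invalid"
### goes to the ACME client on loopback :63443; everything else is looped back
### to the real HTTPS frontend on loopback :4443. The loopback hop carries the
### PROXY protocol so the HTTPS frontend still sees the real client address.
###
### CAVEAT: routing on "*.acme.invalid" SNI is the tls-sni-01 challenge, which
### Let's Encrypt disabled in 2018 and removed in 2019. To renew with http-01
### instead, carve out "/.well-known/acme-challenge/" on the :80 frontend
### (before the redirect) to a backend for the ACME client, or use dns-01.

global
    log /dev/log local0
    log /dev/log local1 notice
    # NOTE(review): with chroot, /dev/log is resolved inside /var/lib/haproxy
    # at send time. Debian's package ships an rsyslog rule that listens on
    # /var/lib/haproxy/dev/log; on other distros confirm that socket exists,
    # otherwise logging silently stops after startup.
    chroot /var/lib/haproxy
    # 128 KiB request/response buffers (large headers/cookies). Each connection
    # uses two, so at maxconn 16384 this can reach ~4 GiB of buffer memory
    # under full load -- confirm the host has the RAM before keeping both values.
    tune.bufsize 131072
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations. Relative "crt" arguments below are
    # resolved against crt-base.
    ca-base /srv/certs
    crt-base /srv/certs

    # Default ciphers for every "bind ... ssl": forward-secret suites only
    # (ECDHE with RSA authentication, AEAD/AES-GCM preferred). Static-RSA key
    # exchange (kRSA) is deliberately absent: it has no forward secrecy, so a
    # leaked server key would decrypt recorded traffic.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AESGCM:kEECDH+aRSA+AES:!aNULL:!eNULL:!MD5:!RC4:!LOW:!EXP:!3DES
    # Protocol floor for every "bind ... ssl": no SSLv3 (POODLE) and no TLS 1.0.
    # Drop no-tlsv10 only if legacy clients that cannot speak TLS 1.1+ must be served.
    ssl-default-bind-options no-sslv3 no-tlsv10

    # tuning
    maxconn 16384

defaults http
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 310s
    timeout server 310s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain HTTP: exists only to redirect the known sites to HTTPS.
frontend www-http
    bind 0.0.0.0:80
    option forwardfor
    # set-header REPLACES any client-supplied X-Forwarded-Proto. "reqadd" only
    # appends, which lets a client smuggle its own value in alongside ours and
    # fool a backend that reads the first occurrence.
    http-request set-header X-Forwarded-Proto http
    #ACLs
    acl example_sites hdr(host) -i example.com www.example.com
    #Redirects
    # "redirect scheme" keeps the requested Host and path and only switches to
    # https://, so one rule serves every name in example_sites. Requests for
    # any other Host match no rule and, with no default_backend, get a 503.
    redirect scheme https code 301 if example_sites

# Real HTTPS termination. Reached ONLY via the :443 SNI router below.
frontend www-https
    # Loopback only: binding 0.0.0.0 here would publish a second HTTPS port
    # that bypasses the SNI router. accept-proxy reads the PROXY header the
    # router sends, so logs and X-Forwarded-For carry the real client address
    # instead of 127.0.0.1. The first "crt" is the default certificate; "crt ./"
    # additionally loads every PEM in crt-base, so anything dropped into
    # /srv/certs is served -- keep that directory writable by root only.
    bind 127.0.0.1:4443 ssl crt example.com.pem crt www.example.com.pem crt ./ accept-proxy
    option forwardfor
    # Replaces (not appends) any client-supplied value; see www-http.
    http-request set-header X-Forwarded-Proto https
    #ACLs
    acl example_sites hdr(host) -i example.com www.example.com
    use_backend examplecom if example_sites

backend examplecom
    # Application sessions are long-lived; override the 310s default.
    timeout server 30m
    balance leastconn
    option httpclose
    option forwardfor
    # Stickiness by prefixing the application's own JSESSIONID cookie with the
    # server's cookie value ("A~<jsessionid>"). With a single node this is a
    # no-op but keeps the pattern ready for more servers.
    cookie JSESSIONID prefix
    server node1 192.168.0.10:80 cookie A check

#### TCP Section
defaults tcp
    log global
    mode tcp
    option tcplog
    timeout connect 10s
    timeout client 600s
    timeout server 600s

# Public :443 entry point: a TCP-level SNI router that does no TLS itself.
frontend www-https-tcp
    bind 0.0.0.0:443
    # Hold the connection up to 5s until a TLS ClientHello (hello type 1) has
    # arrived, so req.ssl_sni is populated before the routing decision.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # tls-sni-01 ACME challenge: SNI ending in .acme.invalid (see CAVEAT above).
    acl app_letsencrypt req.ssl_sni -m end .acme.invalid
    use_backend letsencrypt if app_letsencrypt
    # Everything else goes to the real HTTPS frontend over loopback.
    default_backend bk_frontend_https_loop

backend bk_frontend_https_loop
    # send-proxy prepends a PROXY protocol line so www-https (accept-proxy)
    # learns the original client address.
    server localserver 127.0.0.1:4443 send-proxy

backend letsencrypt
    # Loopback only: the ACME client's standalone TLS listener is never
    # reachable except through the SNI router.
    server letsencrypt 127.0.0.1:63443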