@epappas
Created July 18, 2014 09:31
start|stop|restart haproxy
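#!/usr/bin/env bash
# haproxyd
# Script to start|stop|restart haproxy from /etc/init.d/

HAPROXY_PATH=/usr/sbin
HAPROXY_DAEMON=$HAPROXY_PATH/haproxy
HAPROXY_CONFIG=/etc/haproxy/haproxy.cfg

# Nothing to do if haproxy is not installed; fail if the config file is missing.
test -x "$HAPROXY_DAEMON" || exit 0
test -f "$HAPROXY_CONFIG" || exit 1

set -e

# Store the PIDs of all running "haproxy -f ..." processes in $PID
# (one per line; empty if haproxy is not running).
function getHaproxyPID() {
    PID=$(ps aux | grep 'haproxy -f' | grep -v "grep" | awk '{ print $2 }')
}

case "$1" in
    start)
        echo "Starting haproxy..."
        "$HAPROXY_DAEMON" -f "$HAPROXY_CONFIG"
        ;;
    restart)
        echo "Hot restart of haproxy"
        getHaproxyPID
        # -sf tells the old processes to finish their connections and exit.
        # $PID is unquoted on purpose so several PIDs become separate arguments;
        # -sf is omitted when nothing is running.
        echo "$HAPROXY_DAEMON -f $HAPROXY_CONFIG" ${PID:+-sf $PID}
        "$HAPROXY_DAEMON" -f "$HAPROXY_CONFIG" ${PID:+-sf $PID}
        ;;
    stop)
        echo "Stopping haproxy"
        getHaproxyPID
        if [ -z "$PID" ]; then
            echo "haproxy is not running"
            exit 0
        fi
        # Run the command directly; wrapping it in backticks would also try to
        # execute whatever the command printed.
        echo kill -9 $PID
        kill -9 $PID
        ;;
    *)
        echo "Usage: haproxyd {start|restart|stop}" >&2
        exit 1
        ;;
esac
exit 0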
epappas commented Oct 29, 2014

Bind SSL port with PFS-enabling cipher suite

bind :443 ssl crt path_to_certificate no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA

Distinguish between secure and insecure requests

acl secure dst_port eq 443

Mark all cookies as secure if sent over SSL

rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

Add the HSTS header with a 1 year max-age

rspadd Strict-Transport-Security:\ max-age=31536000 if secure
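
An added example, not part of the gist or of the comment above: a POSIX shell audit of the ciphers list on that bind line, reporting for each suite whether its key exchange is ephemeral (ECDHE/DHE, which is what provides forward secrecy) and whether its name contains a deprecated primitive such as RC4. The function names and the weak-primitive pattern are choices made for this example; the bind line is copied from the comment.

```shell
#!/bin/sh
# Added example: audit the "ciphers" list of an haproxy bind line.
# Suite names are OpenSSL names for TLS 1.2 and earlier, as on the bind line.

# Bind line copied from the comment above.
BIND_LINE='bind :443 ssl crt path_to_certificate no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA'

# Print the colon-separated list that follows the "ciphers" keyword.
extract_ciphers() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "ciphers") { print $(i + 1); exit }
    }'
}

# One line per suite: "<suite> <PFS|NO-PFS> <OK|WEAK>".
# PFS  = ephemeral (EC)DHE key exchange; the other suites in this list
#        use static RSA key exchange.
# WEAK = deprecated primitive in the name (pattern is this example's choice).
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | awk 'NF {
        kx = ($1 ~ /^(ECDHE|DHE|EDH)-/) ? "PFS" : "NO-PFS"
        st = ($1 ~ /RC4|DES|MD5|NULL|EXP/) ? "WEAK" : "OK"
        print $1, kx, st
    }'
}

# Number of suites that lack forward secrecy or use a weak primitive.
count_flagged() {
    classify_ciphers "$1" |
        awk '$2 != "PFS" || $3 != "OK" { n++ } END { print n + 0 }'
}

# The same list, in the same order, with every flagged suite removed.
hardened_list() {
    classify_ciphers "$1" |
        awk '$2 == "PFS" && $3 == "OK" { print $1 }' | paste -s -d: -
}

list=$(extract_ciphers "$BIND_LINE")
classify_ciphers "$list"
echo "flagged: $(count_flagged "$list")"
echo "kept:    $(hardened_list "$list")"
```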
