
@jeongho
Last active October 27, 2021 10:12
HAProxy SSL Termination CORS
# haproxy -v
# HA-Proxy version 2.3.14-83c5b44 2021/09/07 - https://haproxy.org/
# Status: stable branch - will stop receiving fixes around Q1 2022.
# Known bugs: http://www.haproxy.org/bugs/bugs-2.3.14.html
# Self-signed SSL certificate
# https://gridscale.io/en/community/tutorials/haproxy-ssl/
# openssl req -nodes -x509 -newkey rsa:2048 -keyout /etc/ssl/private/test.key -out /etc/ssl/private/test.crt -days 3650
# writing new private key to '/etc/ssl/private/test.key'
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:AQ
# State or Province Name (full name) [Some-State]:Deception Island
# Locality Name (eg, city) []:Wonderland
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alice LLC
# Organizational Unit Name (eg, section) []:
# Common Name (e.g. server FQDN or YOUR name) []:alice.wonderland.com
# Email Address []:
# cat /etc/ssl/private/test.key /etc/ssl/private/test.crt > /etc/ssl/private/test.pem
# GoDaddy SSL on HA Proxy
# references:
# https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
# https://gist.github.com/sethwebster/b48d7c872fe397c1db11
# openssl req -new -key /etc/ssl/wonderland.com/alice.wonderland.com.key -out /etc/ssl/wonderland.com/alice.wonderland.com.csr
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:AQ
# State or Province Name (full name) [Some-State]:Deception Island
# Locality Name (eg, city) []:Wonderland
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alice LLC
# Organizational Unit Name (eg, section) []:
# Common Name (e.g. server FQDN or YOUR name) []:alice.wonderland.com
# Email Address []:
#
# cat /etc/ssl/wonderland.com/alice.wonderland.com.csr
# godaddy.com
# upload alice.wonderland.com.csr
# download alice.wonderland.com.zip (choose the "Tomcat" server type so the bundle is delivered as PEM)
# mv /tmp/alice.wonderland.com.zip /etc/ssl/wonderland.com/
# cd /etc/ssl/wonderland.com
# unzip alice.wonderland.com.zip
# cat alice.wonderland.com.key 1234567890abcdef.crt gd_bundle-g2-g1.crt > alice.wonderland.com.combined.pem
global
# Process-wide logging: two syslog facilities on the local socket plus a UDP
# syslog listener on loopback. local1 is at "debug" level, which is verbose
# and will carry request detail into the log stream.
log /dev/log local0
log /dev/log local1 debug
log 127.0.0.1 local2
# Drop privileges after start-up: chroot, then run as haproxy:haproxy.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# NOTE(review): no mode/user/level restriction is given for this socket;
# confirm which local accounts can connect to it, since the runtime API it
# exposes is not read-only by default.
stats socket /var/lib/haproxy/stats
defaults
# Inherited by every frontend/backend/listen below unless overridden.
mode http
log global
option httplog
option dontlognull
option http-server-close
# Append the client address to X-Forwarded-For (a client-supplied header is
# kept and extended, not replaced) except for loopback sources; the Tomcat
# RemoteIpValve noted in the frontend must list this proxy's address as an
# internal proxy for the appended value to be trusted.
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
# Slow-request / connection budgets; http-request 10s bounds how long a
# client may take to send its headers.
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
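frontend wonderland
mode http
bind *:80
bind *:443 ssl crt /etc/ssl/wonderland.com/alice.wonderland.com.combined.pem
# Plain-HTTP requests are redirected before anything else runs, so every
# directive below only ever sees TLS-terminated traffic.
redirect scheme https unless { ssl_fc }
# https://www.haproxy.com/blog/haproxy-ssl-termination/
# https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/
# https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy
# passing on that browser is using https
# set-header rather than add-header: a client-supplied X-Forwarded-Proto is
# overwritten instead of being forwarded next to ours, since the backend
# RemoteIpValve trusts whatever arrives in this header.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-response add-header X-Frame-Options "SAMEORIGIN"
# max-age=15768000 is ~6 months; no includeSubDomains/preload, so only this
# exact host is pinned.
http-response add-header Strict-Transport-Security "max-age=15768000"
# https://www.haproxy.com/blog/enabling-cors-in-haproxy/
# https://stackoverflow.com/questions/58422210/haproxy-cors-no-access-control-allow-origin-header-is-present-on-the-requested
# BEGIN CORS
# Browsers reject credentialed responses whose Access-Control-Allow-Origin is
# "*" (and do not treat "*" as a wildcard in Allow-Headers/Allow-Methods for
# them), so the former wildcard block failed for exactly the requests that
# Allow-Credentials was meant for while still exposing non-credentialed
# responses to every origin. Echo the request's Origin only when it is on the
# allow-list, and emit the CORS headers only for those requests.
# Allow-list entry below is a constructed example; list the origins that
# actually need to call this site (one acl line per origin).
acl cors_allowed_origin req.hdr(Origin) -m str -i https://alice.wonderland.com
http-request set-var(txn.cors_origin) req.hdr(Origin) if cors_allowed_origin
http-response set-header Access-Control-Allow-Origin %[var(txn.cors_origin)] if { var(txn.cors_origin) -m found }
# Vary on Origin so a shared cache never serves one origin's Allow-Origin to another.
http-response set-header Vary Origin if { var(txn.cors_origin) -m found }
# Explicit lists (constructed defaults): adjust to what the application needs.
http-response set-header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" if { var(txn.cors_origin) -m found }
http-response set-header Access-Control-Max-Age 3628800 if { var(txn.cors_origin) -m found }
http-response set-header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" if { var(txn.cors_origin) -m found }
http-response set-header Access-Control-Allow-Credentials "true" if { var(txn.cors_origin) -m found }
# Preflight (OPTIONS) requests are still forwarded to the backend as before.
# END CORS
# TODO: Tomcat9
# https://stackoverflow.com/questions/59684442/tomcat-ignores-x-forwarded-proto-behind-an-apache-reverse-proxy
# https://blog.leocat.kr/notes/2019/06/19/spring-config-x-forwerded-headers-in-tomcat
# https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter
# https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
# https://serverfault.com/questions/514551/make-tomcat-use-x-real-ip
# https://www.codebyamir.com/blog/configure-tomcat-logging-behind-load-balancer
# <Host name="localhost" appBase="webapps"
# unpackWARs="true" autoDeploy="true">
# <Valve className="org.apache.catalina.valves.RemoteIpValve"
# internalProxies="10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|20\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|0:0:0:0:0:0:0:1|::1"
# remoteIpHeader="x-forwarded-for"
# proxiesHeader="x-forwarded-by"
# protocolHeader="x-forwarded-proto" />
# </Host>
default_backend wonderland_tomcats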
backend wonderland_tomcats
mode http
# Sticky by client source address (no cookie-based persistence); clients
# sharing a NAT address land on the same tomcat.
balance source
# http-request set-header X-Forwarded-Port %[dst_port]
# http-request add-header X-Forwarded-Proto https if { ssl_fc }
# TLS is terminated in the frontend; these server lines carry no "ssl"
# keyword, so traffic to the tomcats on :8080 is plain HTTP and the farm
# network has to be trusted for it. "check" enables active health checks.
server tomcat1 tomcat1.farm.wonderland.com:8080 check
server tomcat2 tomcat2.farm.wonderland.com:8080 check
server tomcat3 tomcat3.farm.wonderland.com:8080 check
# TLS-only management entry point; mode/timeouts come from "defaults".
# Unlike the "wonderland" frontend it sets no HSTS, X-Frame-Options or
# X-Forwarded-Proto, and has no plain-HTTP redirect (nothing listens on :80 here).
frontend wonderland_management
bind *:8088 ssl crt /etc/ssl/wonderland.com/alice.wonderland.com.combined.pem
default_backend wonderland_management_sentry
backend wonderland_management_sentry
mode http
balance source
# Single upstream, plain HTTP (no "ssl" on the server line) after TLS
# termination in the management frontend; "check" enables health checks.
server sentry sentry.farm.wonderland.com:8088 check
# Built-in statistics page, served over TLS on :1936 on every interface.
listen stats
bind :1936 ssl crt /etc/ssl/wonderland.com/alice.wonderland.com.combined.pem
mode http
stats enable
stats hide-version
stats uri /stats
# Basic-auth credential stored in cleartext in this file: keep the file
# readable only by root/haproxy and rotate it if the config is shared.
# No "stats admin" line, so the page is read-only.
stats auth alice:DownTheRabbitHole!