Geeking out with HAproxy on pfSense: The ultimate port 443 TLS/SSL router | http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate

## haproxy.cfg
global
	maxconn			2000
	stats socket /tmp/haproxy.socket level admin
	uid			80
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	# Modern browser compatibility only as mentioned here:
	# https://wiki.mozilla.org/Security/Server_Side_TLS
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

	# Time-to-first-Byte (TTFB) value needs to be optimized based on
	# the actual public certificate chain
	# see https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
	tune.ssl.maxrecord 1370

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend HTTP_redirect
	bind			0.0.0.0:80 name 0.0.0.0:80
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	default_backend		_ssl-redirect_http_ipvANY

frontend LAN_HTTPS
	bind			10.108.2.1:443 name 10.108.2.1:443 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/LAN_HTTPS.pem
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client		30000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	default_backend		gwsch01_http_ipvANY
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block


frontend WAN_443-merged
	bind			178.26.150.88:443 name 178.26.150.88:443
	mode			tcp
	log			global
	timeout client		7200000
	tcp-request inspect-delay 5s

	# block SSLv3 as early as possible
	acl sslv3 req.ssl_ver 3
	tcp-request content reject if sslv3
	tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
	acl			aclusr_custom_req.ssl_hello_type_201	req.ssl_hello_type 1
	acl			aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com	req.ssl_sni -m end -i .ssh.example.com
	acl			aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com	req.ssl_sni -m end -i .vpn.example.com
	acl			aclusr_custom_req.len_200	req.len 0
	use_backend		_WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
	use_backend		_WAN_HTTPS_auth_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
	use_backend		_openvpn_tcp_ipvANY if aclusr_custom_req.len_200 aclusr_custom_req.ssl_hello_type_201
	use_backend		_WAN_SSLH_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com
	default_backend		_none_tcp_ipvANY

frontend WAN_HTTPS
	bind			127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS.pem  accept-proxy npn http/1.1
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client		7200000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block
	default_backend		_none_http_ipvANY

frontend WAN_HTTPS_auth-merged
	bind			127.0.0.1:2044 name 127.0.0.1:2044 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS_auth.pem ca-file /var/etc/haproxy/clientca_WAN_HTTPS_auth.pem verify required  accept-proxy npn http/1.1
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client		7200000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block
	acl			aclusr_host_matches_gwsch01.vpn.example.com	hdr(host) -i gwsch01.vpn.example.com
	use_backend		gwsch01_http_ipvANY if aclusr_host_matches_gwsch01.vpn.example.com
	default_backend		_none_http_ipvANY

frontend WAN_SSLH-merged
	bind			127.0.0.1:2022 name 127.0.0.1:2022 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_SSLH.pem ca-file /var/etc/haproxy/clientca_WAN_SSLH.pem verify required  accept-proxy npn ssh/2.0
	mode			tcp
	log			global
	timeout client		7200000
	acl			aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com	ssl_fc_sni_reg gwsch01.ssh.example.com
	acl			aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0	ssl_fc_npn -i ssh/2.0
	use_backend		SSH_gwsch01_https_ipvANY if aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0
	default_backend		_none_https_ipvANY

backend _ssl-redirect_http_ipvANY
	mode			http
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk
	redirect scheme https code 301

backend gwsch01_http_ipvANY
	mode			http
	rspadd Strict-Transport-Security:\ max-age=31536000;
	rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
	timeout connect		3000
	timeout server		7200000
	retries			2
	option			httpchk
	server			gwsch01 127.0.0.1:8443 ssl  verify none

backend _none_tcp_ipvANY
	mode			tcp
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /
	server			none 127.0.0.1:61235 check inter 1000 disabled

backend _WAN_HTTPS_tcp_ipvANY
	mode			tcp
	timeout connect		30000
	timeout server		7200000
	retries			3
	option			httpchk
	server			WAN_HTTPS 127.0.0.1:2043 check-ssl  verify none send-proxy

backend _WAN_HTTPS_auth_tcp_ipvANY
	mode			tcp
	timeout connect		30000
	timeout server		7200000
	retries			3
	option			httpchk
	server			WAN_HTTPS_auth 127.0.0.1:2044 check-ssl  verify none send-proxy

backend _openvpn_tcp_ipvANY
	mode			tcp
	timeout connect		3000
	timeout server		7200000
	retries			2
	option			httpchk
	server			openvpn1 127.0.0.1:1194

backend _WAN_SSLH_tcp_ipvANY
	mode			tcp
	timeout connect		30000
	timeout server		7200000
	retries			3
	option			httpchk
	server			WAN_SSLH 127.0.0.1:2022 check-ssl  verify none send-proxy

backend _none_http_ipvANY
	mode			http
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /
	server			none 127.0.0.1:61235 check inter 1000 disabled

backend _none_https_ipvANY
	mode			tcp
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /
	server			none 127.0.0.1:61235 check inter 1000 disabled

backend SSH_gwsch01_https_ipvANY
	mode			tcp
	timeout connect		3000
	timeout server		7200000
	retries			2
	option			httpchk
	server			ssh_gwsch01 127.0.0.1:22
	global
	maxconn 2000
	stats socket /tmp/haproxy.socket level admin
	uid 80
	gid 80
	nbproc 1
	chroot /tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param 2048
	# Modern browser compatibility only as mentioned here:
	# https://wiki.mozilla.org/Security/Server_Side_TLS
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

	# Time-to-first-Byte (TTFB) value needs to be optimized based on
	# the actual public certificate chain
	# see https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
	tune.ssl.maxrecord 1370

	listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

	frontend HTTP_redirect
	bind 0.0.0.0:80 name 0.0.0.0:80
	mode http
	log global
	option http-keep-alive
	timeout client 30000
	default_backend _ssl-redirect_http_ipvANY

	frontend LAN_HTTPS
	bind 10.108.2.1:443 name 10.108.2.1:443 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/LAN_HTTPS.pem
	mode http
	log global
	option http-keep-alive
	option forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client 30000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	default_backend gwsch01_http_ipvANY
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block


	frontend WAN_443-merged
	bind 178.26.150.88:443 name 178.26.150.88:443
	mode tcp
	log global
	timeout client 7200000
	tcp-request inspect-delay 5s

	# block SSLv3 as early as possible
	acl sslv3 req.ssl_ver 3
	tcp-request content reject if sslv3
	tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
	acl aclusr_custom_req.ssl_hello_type_201 req.ssl_hello_type 1
	acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com req.ssl_sni -m end -i .ssh.example.com
	acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com req.ssl_sni -m end -i .vpn.example.com
	acl aclusr_custom_req.len_200 req.len 0
	use_backend _WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
	use_backend _WAN_HTTPS_auth_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
	use_backend _openvpn_tcp_ipvANY if aclusr_custom_req.len_200 aclusr_custom_req.ssl_hello_type_201
	use_backend _WAN_SSLH_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com
	default_backend _none_tcp_ipvANY

	frontend WAN_HTTPS
	bind 127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS.pem accept-proxy npn http/1.1
	mode http
	log global
	option http-keep-alive
	option forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client 7200000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block
	default_backend _none_http_ipvANY

	frontend WAN_HTTPS_auth-merged
	bind 127.0.0.1:2044 name 127.0.0.1:2044 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS_auth.pem ca-file /var/etc/haproxy/clientca_WAN_HTTPS_auth.pem verify required accept-proxy npn http/1.1
	mode http
	log global
	option http-keep-alive
	option forwardfor
	acl https ssl_fc
	reqadd X-Forwarded-Proto:\ http if !https
	reqadd X-Forwarded-Proto:\ https if https
	timeout client 7200000
	# Remove headers that expose security-sensitive information.
	rspidel ^Server:.*$
	rspidel ^X-Powered-By:.*$
	rspidel ^X-AspNet-Version:.*$
	# add some security related headers
	rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
	rspadd X-Frame-Options:\ SAMEORIGIN
	rspadd X-Content-Type-Options:\ nosniff
	rspadd X-Xss-Protection:\ 1;\ mode=block
	acl aclusr_host_matches_gwsch01.vpn.example.com hdr(host) -i gwsch01.vpn.example.com
	use_backend gwsch01_http_ipvANY if aclusr_host_matches_gwsch01.vpn.example.com
	default_backend _none_http_ipvANY

	frontend WAN_SSLH-merged
	bind 127.0.0.1:2022 name 127.0.0.1:2022 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_SSLH.pem ca-file /var/etc/haproxy/clientca_WAN_SSLH.pem verify required accept-proxy npn ssh/2.0
	mode tcp
	log global
	timeout client 7200000
	acl aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com ssl_fc_sni_reg gwsch01.ssh.example.com
	acl aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0 ssl_fc_npn -i ssh/2.0
	use_backend SSH_gwsch01_https_ipvANY if aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0
	default_backend _none_https_ipvANY

	backend _ssl-redirect_http_ipvANY
	mode http
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk
	redirect scheme https code 301

	backend gwsch01_http_ipvANY
	mode http
	rspadd Strict-Transport-Security:\ max-age=31536000;
	rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
	timeout connect 3000
	timeout server 7200000
	retries 2
	option httpchk
	server gwsch01 127.0.0.1:8443 ssl verify none

	backend _none_tcp_ipvANY
	mode tcp
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk OPTIONS /
	server none 127.0.0.1:61235 check inter 1000 disabled

	backend _WAN_HTTPS_tcp_ipvANY
	mode tcp
	timeout connect 30000
	timeout server 7200000
	retries 3
	option httpchk
	server WAN_HTTPS 127.0.0.1:2043 check-ssl verify none send-proxy

	backend _WAN_HTTPS_auth_tcp_ipvANY
	mode tcp
	timeout connect 30000
	timeout server 7200000
	retries 3
	option httpchk
	server WAN_HTTPS_auth 127.0.0.1:2044 check-ssl verify none send-proxy

	backend _openvpn_tcp_ipvANY
	mode tcp
	timeout connect 3000
	timeout server 7200000
	retries 2
	option httpchk
	server openvpn1 127.0.0.1:1194

	backend _WAN_SSLH_tcp_ipvANY
	mode tcp
	timeout connect 30000
	timeout server 7200000
	retries 3
	option httpchk
	server WAN_SSLH 127.0.0.1:2022 check-ssl verify none send-proxy

	backend _none_http_ipvANY
	mode http
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk OPTIONS /
	server none 127.0.0.1:61235 check inter 1000 disabled

	backend _none_https_ipvANY
	mode tcp
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk OPTIONS /
	server none 127.0.0.1:61235 check inter 1000 disabled

	backend SSH_gwsch01_https_ipvANY
	mode tcp
	timeout connect 3000
	timeout server 7200000
	retries 2
	option httpchk
	server ssh_gwsch01 127.0.0.1:22