@lucize
Last active May 20, 2019 17:51
HAProxy Skype for Business 2015 OpenWRT Let's Encrypt LetsEncrypt SfB without Web Application Proxy WAP
# Global parameters
global
    # Log events to a remote syslog server at given address using the
    # specified facility and verbosity level. Multiple log options
    # are allowed.
    #log 10.0.0.1 daemon info
    log /dev/log local0
    log /dev/log local1 notice
    # Specify the maximum number of allowed connections.
    maxconn 32000
    # Raise the ulimit for the maximum allowed number of open socket
    # descriptors per process. This is usually at least twice the
    # number of allowed connections (maxconn * 2 + nb_servers + 1).
    ulimit-n 65535
    # User and group to run as (setuid, setgid), default is "root" on OpenWrt.
    # With uid 0 / gid 0 no privileges are dropped: HAProxy keeps running as root.
    uid 0
    gid 0
    # Perform chroot into the specified directory.
    #chroot /var/run/haproxy/
    # Daemonize on startup
    daemon
    nosplice
    # Enable debugging
    #debug
    # Spawn given number of processes and distribute load among them,
    # used for multi-core environments or to circumvent per-process
    # limits like number of open file descriptors. Default is 1.
    nbproc 2
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # option forwardfor
    # option http-server-close
    option http-no-delay
    option contstats
    option logasap
    balance source
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout queue 30s

# skype
listen skype_2015_proxy
    # Disable this instance without commenting out the section.
    #disabled
    # Bind to port 443
    # fullchain.cer.all is a fullchain.cer combined with meet.domain.tld.key
    # the certificate should also contain the webext.domain.tld,lyncdiscover.domain.tld,fs.domain.tld,dialin.domain.tld
    bind <EXTERNAL_IP>:443 ssl crt /etc/acme/meet.domain.tld/fullchain.cer.all alpn http/1.1
    # This is an HTTP proxy
    mode http
    # Capture the User-Agent and Content-Length headers so that they are added to the log
    capture request header User-Agent len 50
    capture request header Content-Length len 120
    capture response header Content-Length len 120
    # Re-encrypt to the SfB front end; "verify none" means the backend
    # certificate is not validated.
    server SfB_Frontend <INTERNAL_IP>:4443 check ssl verify none
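
The two settings in the configuration above that weaken it most (running as root and `verify none` on the backend), each shown beside a hardened form. This is an added example, not part of the original gist. The `haproxy` account, the chroot directory, the `ca-file` path and the `verifyhost` name are assumptions to be replaced with local values.

```haproxy
global
    # Weak (as in the gist): uid 0 / gid 0 keeps the workers running as root.
    #uid 0
    #gid 0
    # Hardened: start as root so <EXTERNAL_IP>:443 can be bound and the
    # certificate read, then switch to an unprivileged account.
    # "haproxy" is an assumed account name; it must exist on the system.
    user haproxy
    group haproxy
    # Assumed directory: keep it empty and not writable by the haproxy user.
    # After chroot, /dev/log has to be reachable inside it, or logging has
    # to go to a remote syslog address instead.
    chroot /var/lib/haproxy

listen skype_2015_proxy
    bind <EXTERNAL_IP>:443 ssl crt /etc/acme/meet.domain.tld/fullchain.cer.all alpn http/1.1
    mode http
    # Weak (as in the gist): "verify none" encrypts the hop to the Front End
    # but accepts any certificate it is shown.
    #server SfB_Frontend <INTERNAL_IP>:4443 check ssl verify none
    # Hardened: validate the chain against the CA that issued the Front End
    # certificate and check the name in it. The ca-file path and the
    # verifyhost name are placeholders.
    server SfB_Frontend <INTERNAL_IP>:4443 check ssl verify required ca-file /etc/haproxy/internal-ca.pem verifyhost sfb-fe.internal.example
```

`verifyhost` only takes effect together with `verify required`; the name must match a subject or subjectAltName entry in the Front End certificate.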