@meanevo meanevo/haproxy.cfg
HTTP/2 and HTTP/1.1 traffic balancing/routing with HAProxy 1.7 (TLS terminated at HAProxy) and Nginx 1.10.2
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
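global
    daemon
    # Run unprivileged inside a chroot; the stats socket below lives inside it.
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 2048
    user haproxy
    group haproxy
    # Syslog over UDP to the local collector (works from inside the chroot).
    log 127.0.0.1 local2
    # Anyone who can write to this socket can disable servers or drain traffic;
    # keep it owner-only.
    stats socket /var/lib/haproxy/stats mode 600
    # TLS settings, tuned against https://www.ssllabs.com/ssltest
    # 2048-bit DH parameters for the DHE suites (the built-in default is weaker).
    tune.ssl.default-dh-param 2048
    # no-tls-tickets: session tickets are protected by a process-lifetime key
    # and undermine forward secrecy for resumed sessions.  TLS 1.0/1.1 remain
    # enabled here for client compatibility; add "no-tlsv10 no-tlsv11" once
    # your client base allows it.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Forward-secret suites only: AEAD (GCM) first, then CBC ECDHE/DHE
    # fallbacks.  The original list ended with the non-PFS "AES:CAMELLIA"
    # catch-alls and DES-CBC3-SHA (3DES, 64-bit blocks, SWEET32); those are
    # dropped and 3DES/DSS are excluded explicitly.  Re-add the plain
    # AES128-SHA / AES256-SHA suites at the end only if you must serve clients
    # that cannot do ECDHE or DHE.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DSS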
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
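defaults
    mode http
    log global
    # Log in HTTP format (method, path, status, timers) rather than the bare
    # TCP format that is used when httplog is absent; for the mode-tcp
    # frontend HAProxy warns and falls back to tcplog.
    option httplog
    # Only abnormal/error sessions are logged.  Good for volume, but it also
    # hides successful requests from later incident review; remove it if
    # full access logs are wanted.
    option dontlog-normal
    retries 3
    # Bound how long a client may take to send a complete request header
    # (slow-header / slowloris protection).
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    # Idle time allowed between requests on a kept-alive connection.
    timeout http-keep-alive 10s
    timeout check 5s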
#---------------------------------------------------------------------
# frontend which handles http request and redirects to https
#---------------------------------------------------------------------
frontend http-local
    # Clear-text listener whose only job is to push every request to the TLS
    # listener on :443 with a permanent redirect.  v4v6 lets the IPv6 bind
    # also accept IPv4 clients.
    bind :::80 v4v6
    option http-server-close
    option forwardfor
    # ssl_fc can never be true on a bind without "ssl", so this is in effect
    # an unconditional redirect; the condition is kept for symmetry with the
    # :443 frontends.
    redirect scheme https code 301 if !{ ssl_fc }
#---------------------------------------------------------------------
# 1) frontend which terminates ssl and proxys clear http traffic
#---------------------------------------------------------------------
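frontend https-local
    # TLS is terminated here; "crt" on a directory loads every certificate in
    # it and selects one by SNI.  Ciphers/options come from the
    # ssl-default-bind-* settings in "global".
    bind :::443 v4v6 ssl crt /etc/ssl/certs/haproxy
    # NOTE(review): frontend https-http2-local below also binds :::443.  On
    # Linux HAProxy binds with SO_REUSEPORT, so both binds appear to succeed
    # and the kernel hands each new connection to one of the two frontends,
    # which makes the routing non-deterministic.  Keep only one :443 frontend
    # (or move this one to another port) -- confirm on your system.
    option forwardfor
    # forwardfor only carries the client IP; also tell the backend the scheme
    # the client actually used.
    http-request set-header X-Forwarded-Proto https
    # Route by SNI: exact name plus ".example.com" sub-domains.  The original
    # "ssl_fc_sni_end -i example.com" also matched unrelated names such as
    # "notexample.com".  SNI is chosen by the client, so the application must
    # still validate the Host header itself.
    acl application ssl_fc_sni -i example.com
    acl application ssl_fc_sni_end -i .example.com
    # The backend defined below is "local-application"; the original pointed
    # at the undefined "cluster-application", which makes the config check fail.
    use_backend local-application if application
    default_backend local-default-http11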
#---------------------------------------------------------------------
# 2) frontend which terminates ssl and proxys raw http2 traffic
#---------------------------------------------------------------------
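frontend https-http2-local
    # Same listener as https-local but in TCP mode: HAProxy 1.7 has no native
    # HTTP/2 in mode http, so only TLS is terminated here and the framed h2
    # stream is relayed to nginx opaquely.  ALPN advertises h2 first.
    bind :::443 v4v6 ssl crt /etc/ssl/certs/haproxy alpn h2,http/1.1
    mode tcp
    option tcpka
    # NOTE(review): this frontend and https-local both bind :::443 -- see the
    # note there; keep only one of them.
    # In TCP mode HAProxy cannot add response headers, so the HSTS header set
    # in backend local-default-http11 never reaches h2 clients; nginx has to
    # send it on that path.
    # ALPN is negotiated during the TLS handshake, which completes before the
    # stream is processed, so no inspect-delay is needed to read it.  The
    # original "tcp-request content accept if { req_ssl_hello_type 1 }" rule
    # was dropped: with "ssl" on the bind the inspected bytes are decrypted
    # application data, not a ClientHello, so it could never match.
    acl speak_alpn_h2 ssl_fc_alpn -i h2
    use_backend local-default-http2 if speak_alpn_h2
    default_backend local-default-http11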
#---------------------------------------------------------------------
# backend which handles plain http/1.1 request
#---------------------------------------------------------------------
backend local-default-http11
    # Plain HTTP/1.1 to nginx on loopback; send-proxy prefixes each connection
    # with a PROXY protocol line so nginx sees the real client address.
    server nginx_http 127.0.0.1:5008 check send-proxy
    # HSTS: one year, all sub-domains, eligible for browser preload lists
    # (a long-lived commitment for every sub-domain).  set-header replaces a
    # same-named header nginx may already have sent, so clients get one copy.
    # Applies only to this mode-http path, not to the TCP-relayed h2 backend.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
#---------------------------------------------------------------------
# backend which handles plain raw http/2 request
#---------------------------------------------------------------------
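backend local-default-http2
    # HTTP/2 is relayed as an opaque TCP stream (HAProxy 1.7 cannot parse h2),
    # so no http-response rules can apply here; security headers such as HSTS
    # must be emitted by nginx itself.
    mode tcp
    # The stick-table / req_ssl_hello_type / payload_lv(43,1) session-ID
    # stickiness copied from the stock SSL-passthrough example was removed:
    # TLS is terminated on the :443 bind, so what arrives here is decrypted
    # HTTP/2, never a Client/ServerHello, and those conditions could not
    # match.  With a single server there is nothing to stick to anyway.
    # send-proxy carries the client address to nginx via the PROXY protocol.
    server nginx_http2 127.0.0.1:5009 check send-proxy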
#---------------------------------------------------------------------
# backends for specified usage
#---------------------------------------------------------------------
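backend local-application
    balance roundrobin
    # Primary pool over plain HTTP.  The TLS terminated at the edge is not
    # re-established on this leg, so it must run over a trusted network
    # segment; switch these to "ssl verify required ..." if it crosses an
    # untrusted link.
    server app1 10.0.0.201:80 check
    server app2 10.0.0.202:80 check
    # Backup pool reached over TLS at public addresses.  The original used
    # "verify none", which accepts any certificate and lets an on-path
    # attacker impersonate the backend.  Validate the chain against a CA
    # bundle (adjust ca-file to the bundle on your system; it is read before
    # the chroot is entered) and pin the expected name with
    # "verifyhost <name>" or "sni str(<name>)" -- chain validation alone does
    # not check the hostname.
    server app3 1.2.3.4:443 check backup ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server app4 5.6.7.8:443 check backup ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt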
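server {
    # HAProxy terminates TLS and connects here over loopback with the PROXY
    # protocol: port 5008 carries HTTP/1.1, port 5009 raw HTTP/2 without TLS.
    # These listeners are only meant for the local proxy, never for clients.
    listen 127.0.0.1:5008 proxy_protocol default_server;        # HTTP/1.1 fallback
    listen [::1]:5008 proxy_protocol default_server;
    listen 127.0.0.1:5009 http2 proxy_protocol default_server;  # HTTP/2, TLS already stripped by HAProxy
    listen [::1]:5009 http2 proxy_protocol default_server;
    server_name _;
    server_tokens off;

    ## Client address recovery from the PROXY protocol line.  Only sources
    ## listed here are trusted to supply it, so list every address HAProxy
    ## may connect from -- both loopback families, since both are listened on.
    set_real_ip_from 127.0.0.1;
    set_real_ip_from ::1;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

    ## Headers.  "always" (nginx >= 1.7.5) adds them on 4xx/5xx responses too;
    ## without it they are only sent on 2xx/3xx.  HSTS is sent from here
    ## because HAProxy relays HTTP/2 as raw TCP and cannot inject it on that
    ## path (on the HTTP/1.1 path HAProxy replaces it with its own copy).
    ## "preload" with includeSubDomains is a long-lived commitment for every
    ## sub-domain -- make sure they all serve TLS.
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    ## < CUSTOMIZE WITH YOUR NGINX ROOT/LOCATION SETTINGS BELOW > ##
    ## Document root
    root /Library/WebServer/Documents;

    location / {
        index index.html index.htm index.php;
        try_files $uri $uri/ =404;
    }

    ## PHP via FastCGI.  try_files with $uri first means only a script that
    ## actually exists on disk is executed, which blocks the "/upload.png/x.php"
    ## PATH_INFO trick regardless of PHP's cgi.fix_pathinfo setting.
    ## $realpath_root resolves symlinks before the path reaches PHP-FPM.
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass unix:/var/opt/remi/php71/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        # Include the stock parameter set first so the explicit values below
        # win: fastcgi_params also sets DOCUMENT_ROOT (to $document_root),
        # which could otherwise shadow the $realpath_root value depending on
        # how duplicate parameters are resolved.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    ## Deny dot-files (.htaccess, .htpasswd, .git, .DS_Store, ...).  This also
    ## blocks /.well-known/, which ACME HTTP-01 validation needs; add an
    ## exception for it if certificates are issued that way.
    location ~ /\. {
        deny all;
    }
}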
bramswenson commented Mar 7, 2017

Looks to be great work. Testing soon, thanks!
