mmiranda/haproxy.cfg

## haproxy.cfg
global
    log        127.0.0.1 local2 info
    maxconn    4096
    chroot     /var/lib/haproxy
    pidfile    /var/run/haproxy.pid
    stats socket /var/lib/haproxy/stats mode 600 level admin
    stats timeout 30m
    user       haproxy
    group      haproxy
    daemon
    # ssl settings, as we want to get pretty result
    # @ https://www.ssllabs.com/ssltest
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA


defaults
    mode       tcp
    log        global
    #option     httplog
    option     dontlognull
    option     tcpka
    retries    3
    timeout    http-request    10s
    timeout    queue           1m
    timeout    connect         10s
    timeout    client          10m
    timeout    server          10m
    timeout    http-keep-alive 10s
    timeout    check           10s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend myfront
    bind :::443 v4v6
    default_backend proxy_https

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend proxy_https
    #mode http
    balance roundrobin

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    server server1 proxying_to_another_elb:443 check send-proxy
	global
	log 127.0.0.1 local2 info
	maxconn 4096
	chroot /var/lib/haproxy
	pidfile /var/run/haproxy.pid
	stats socket /var/lib/haproxy/stats mode 600 level admin
	stats timeout 30m
	user haproxy
	group haproxy
	daemon
	# ssl settings, as we want to get pretty result
	# @ https://www.ssllabs.com/ssltest
	tune.ssl.default-dh-param 2048
	ssl-default-bind-options no-sslv3 no-tls-tickets
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA


	defaults
	mode tcp
	log global
	#option httplog
	option dontlognull
	option tcpka
	retries 3
	timeout http-request 10s
	timeout queue 1m
	timeout connect 10s
	timeout client 10m
	timeout server 10m
	timeout http-keep-alive 10s
	timeout check 10s

	#---------------------------------------------------------------------
	# main frontend which proxys to the backends
	#---------------------------------------------------------------------
	frontend myfront
	bind :::443 v4v6
	default_backend proxy_https

	# use tcp content accepts to detects ssl client and server hello.
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }

	#---------------------------------------------------------------------
	# round robin balancing between the various backends
	#---------------------------------------------------------------------
	backend proxy_https
	#mode http
	balance roundrobin

	# maximum SSL session ID length is 32 bytes.
	stick-table type binary len 32 size 30k expire 30m

	acl clienthello req_ssl_hello_type 1
	acl serverhello rep_ssl_hello_type 2

	# use tcp content accepts to detects ssl client and server hello.
	tcp-request inspect-delay 5s
	tcp-request content accept if clienthello

	# no timeout on response inspect delay by default.
	tcp-response content accept if serverhello

	# SSL session ID (SSLID) may be present on a client or server hello.
	# Its length is coded on 1 byte at offset 43 and its value starts
	# at offset 44.
	# Match and learn on request if client hello.
	stick on payload_lv(43,1) if clienthello

	# learn on response if server hello.
	stick store-response payload_lv(43,1) if serverhello

	server server1 proxying_to_another_elb:443 check send-proxy