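global
    log /dev/log local0
    log /dev/log local1 notice
    # Confine the process to /var/lib/haproxy and drop to an unprivileged
    # account once the listening sockets are bound.
    chroot /var/lib/haproxy
    # Runtime API socket at admin level: anyone who can open it can alter the
    # running configuration, so the socket mode/group stay restrictive.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Besides SSLv3, refuse the deprecated TLS 1.0 and 1.1 protocol versions
    # (RFC 8996) on listening sockets, so only TLS 1.2+ handshakes are accepted.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
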
defaults
    # Reuse the log targets declared in the global section.
    log global
    mode http
    option httplog
    # Skip log entries for connections on which no data was exchanged.
    option dontlognull

    # Timeouts (second suffix; bare values default to milliseconds):
    # 5s to establish the server-side connection, 50s of inactivity on
    # either the client or the server side.
    timeout connect 5s
    timeout client 50s
    timeout server 50s

    # Static error pages served by HAProxy itself.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

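frontend http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/yourdomain.com.pem

    # redirect to https
    # c.f. https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/
    # The redirect rule itself was missing: without it, plaintext requests on
    # port 80 were routed to the backends unchanged.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Forwarding headers: strip whatever the client sent so it cannot spoof its
    # origin address or scheme towards the backends, then set trusted values.
    # `del-header`/`set-header` take a plain header name; the previous
    # `^X-Forwarded-Proto:` form did not match the real header and
    # `X-Forwarded-Proto:` as a name would emit a doubled colon.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-For %[src]

    # Host-based routing (case-insensitive match). Requests for a Host that
    # matches no ACL have no default_backend and receive the 503 error page.
    acl app1_frontend hdr(Host) -i app1.yourdomain.com
    use_backend app1_backend if app1_frontend
    acl app2_frontend hdr(Host) -i app2.yourdomain.com
    use_backend app2_backend if app2_frontend
    acl app3_frontend hdr(Host) -i app3.yourdomain.com
    use_backend app3_backend if app3_frontend
    acl dialogflow_frontend hdr(Host) -i dialogflow.yourdomain.com
    use_backend dialogflow_https_backend if dialogflow_frontend
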
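# Plain-HTTP upstreams. `mode http` is inherited from defaults; it is stated
# explicitly in every backend so the sections read consistently.
backend app1_backend
    mode http
    server app1 app1.yourdomain.com:8000

backend app2_backend
    mode http
    server app2 app2.yourdomain.com:8080

backend app3_backend
    mode http
    server app3 app3.yourdomain.com:9090

# Upstream reached over TLS with an active health check.
backend dialogflow_https_backend
    mode http
    # `server` takes a name before the address; the original line had no name,
    # so `check` would have been parsed as the address.
    # `verify none` disables validation of the upstream certificate: the hop is
    # encrypted but the peer is not authenticated, so a substituted upstream
    # would not be detected. Prefer `verify required ca-file <CA_BUNDLE_PLACEHOLDER>`
    # (resolved relative to ca-base) once the upstream's issuing CA is known.
    server dialogflow dialogflow.yourdomain.com:8090 check ssl verify none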