Skip to content

Instantly share code, notes, and snippets.

Forked from ryzy/haproxy.cfg
Created August 24, 2017 12:45
Show Gist options
  • Save pessom/e6631fb01fd9fe28a435df64775e3e29 to your computer and use it in GitHub Desktop.
Save pessom/e6631fb01fd9fe28a435df64775e3e29 to your computer and use it in GitHub Desktop.
HAProxy conf with SSL termination and HTTP/2 support
chroot /var/lib/haproxy
user haproxy
group haproxy
pidfile /var/run/
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
spread-checks 4
tune.maxrewrite 1024
tune.ssl.default-dh-param 2048
mode http
balance roundrobin
option dontlognull
option dontlog-normal
option redispatch
maxconn 5000
timeout connect 5s
timeout client 20s
timeout server 20s
timeout queue 30s
timeout http-request 5s
timeout http-keep-alive 15s
frontend http-in
bind *:80
stats enable
stats refresh 30s
#stats hide-version
stats realm Strictly\ Private
stats auth admin:admin
stats uri /admin?stats
default_backend nodes-http
frontend https-in
mode tcp
bind *:443 ssl crt /etc/ssl/dummy.pem alpn h2,http/1.1
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
default_backend nodes-http
backend nodes-http
server node1 web.server:80 check
backend nodes-http2
mode tcp
http-request add-header X-Forwarded-Proto https
server node1 web.server:81 check send-proxy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment