tech-nova/haproxy.cfg

## haproxy.cfg
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	# ca-base /etc/ssl/certs
	# crt-base /etc/ssl/private

	# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.4.3&hsts=yes&profile=intermediate
	# set default parameters to the intermediate configuration
	tune.ssl.default-dh-param 2048

 	ssl-default-bind-options no-sslv3 no-tls-tickets
  	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

 	ssl-default-server-options no-sslv3 no-tls-tickets
  	ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

	tune.ssl.cachesize 100000 # Increase TLS session cache size and lifetime to avoid computing too many symmetric keys
	tune.ssl.lifetime 600
	tune.ssl.maxrecord 1460 # Set up a TLS record to match a TCP segment size, in order to improve client side rendering of content

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	option  forwardfor		# Ajout de l'entete X-Forwarded-For
	http-reuse always		# Reduire la latence entre HAProxy & utilisateurs en fermant les connexions mais en les maintenant en keep-alive
	maxconn 200	       	# Attaques DDoS
	timeout connect 5s
	timeout client 50s
	timeout server 50s
	timeout http-request 5s   	# Attaques slowloris
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

listen statistics
	bind *:8778
	mode http
	stats enable
	stats show-desc Statistiques sur Seenthis
	stats uri /
	stats realm Statistiques\ Haproxy
	stats auth haproxy:motdepassetressecret
	stats refresh 10s

frontend ssl-relay
	bind :443 ssl crt /etc/haproxy/cert/
#	bind :80
#	redirect scheme https code 301 if !{ ssl_fc }
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend letsencrypt-backend if letsencrypt-acl
	default_backend webservername
	# HSTS (15768000 seconds = 6 months)
	rspadd  Strict-Transport-Security:\ max-age=15768000

backend webservername
	server webservername 127.0.0.1:8080

backend letsencrypt-backend
	server letsencrypt 127.0.0.1:54321
	global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	# ca-base /etc/ssl/certs
	# crt-base /etc/ssl/private

	# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.4.3&hsts=yes&profile=intermediate
	# set default parameters to the intermediate configuration
	tune.ssl.default-dh-param 2048

	ssl-default-bind-options no-sslv3 no-tls-tickets
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

	ssl-default-server-options no-sslv3 no-tls-tickets
	ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

	tune.ssl.cachesize 100000 # Increase TLS session cache size and lifetime to avoid computing too many symmetric keys
	tune.ssl.lifetime 600
	tune.ssl.maxrecord 1460 # Set up a TLS record to match a TCP segment size, in order to improve client side rendering of content

	defaults
	log global
	mode http
	option httplog
	option dontlognull
	option forwardfor # Ajout de l'entete X-Forwarded-For
	http-reuse always # Reduire la latence entre HAProxy & utilisateurs en fermant les connexions mais en les maintenant en keep-alive
	maxconn 200 # Attaques DDoS
	timeout connect 5s
	timeout client 50s
	timeout server 50s
	timeout http-request 5s # Attaques slowloris
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	listen statistics
	bind *:8778
	mode http
	stats enable
	stats show-desc Statistiques sur Seenthis
	stats uri /
	stats realm Statistiques\ Haproxy
	stats auth haproxy:motdepassetressecret
	stats refresh 10s

	frontend ssl-relay
	bind :443 ssl crt /etc/haproxy/cert/
	# bind :80
	# redirect scheme https code 301 if !{ ssl_fc }
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend letsencrypt-backend if letsencrypt-acl
	default_backend webservername
	# HSTS (15768000 seconds = 6 months)
	rspadd Strict-Transport-Security:\ max-age=15768000

	backend webservername
	server webservername 127.0.0.1:8080

	backend letsencrypt-backend
	server letsencrypt 127.0.0.1:54321