@yuezhu
Last active May 6, 2024 21:14
HAProxy config for serving the Transmission web interface over HTTPS
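global
    maxconn 16384
    # Ship logs over UDP to the local rsyslog on facility local0; len 8192
    # raises the per-message limit so the long log-format below is not cut.
    log 127.0.0.1 len 8192 local0
    log-send-hostname
    chroot /var/lib/haproxy
    # Runtime API socket. "level admin" can change server state and
    # "expose-fd listeners" hands listening sockets to a reloading process,
    # so the socket is restricted to the haproxy user/group (mode 660).
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    # The trailing RSA+AESGCM:RSA+AES entries keep non-forward-secret RSA key
    # exchange available for clients without ECDHE; drop them if no such
    # clients need to connect.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # Disabling only SSLv3 still lets clients negotiate TLS 1.0/1.1, which
    # are deprecated (RFC 8996); the browsers this proxy serves all speak
    # TLS 1.2, so refuse the older versions as well.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    tune.ssl.default-dh-param 2048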
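# Settings inherited by every frontend/backend declared after this section.
defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Unit-less timeout values are milliseconds; written with units here
    # for readability (5s = 5000 ms, 50s = 50000 ms).
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # Bound how long a client may take to send complete request headers.
    # Without it the (much longer) client timeout governs that phase, which
    # makes slow-header connection exhaustion against the public listeners
    # cheap for an attacker.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http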
# Accounts accepted by the basic-auth check in the transmission backend.
userlist admins
    group AdminGroup
    # Password hash generated by `mkpasswd -m sha-512 [password]`;
    # group membership is declared on the user instead of on the group.
    user user1 password **** groups AdminGroup
# Plaintext listener: everything is bounced to the TLS listener.
frontend http-in
    bind *:80
    # mode http is inherited from the defaults section.
    # Permanent redirect to the same host and path over https. The ssl_fc
    # guard is never true on this plaintext bind, so the rule always fires;
    # ACME HTTP-01 requests on port 80 are redirected too, which relies on
    # the ACME server following the redirect to the https-in frontend.
    http-request redirect scheme https code 301 if !{ ssl_fc }
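# TLS listener for the Transmission web UI and ACME challenges.
frontend https-in
    # cert.pem is HAProxy's single-file format: certificate chain and
    # private key concatenated.
    bind *:443 ssl crt /etc/haproxy/certs/cert.pem
    mode http
    # Declaration order fixes the capture.req.hdr(N) index used by the
    # log-format below: 0 = X-Transmission-Session-Id, 1 = User-Agent,
    # 2 = Host. Only index 0 was declared before, so the host and
    # user-agent fields in the log were always empty.
    capture request header X-Transmission-Session-Id len 48
    capture request header User-Agent len 128
    capture request header Host len 64
    capture response header X-Transmission-Session-Id len 48
    # One JSON-style record per request. The request path goes through the
    # json converter like the headers do, so a client cannot break the record
    # apart with quotes or backslashes in the URI. %hr/%hs are emitted in
    # HAProxy's own {a|b|c} notation (all three request captures appear in %hr).
    log-format "\"backend_addr\":\"%si\",\"backend_name\":\"%b\",\"request.client_ip\":\"%ci\",\"request.host\":\"%[capture.req.hdr(2),json("utf8s")]\",\"request.method\":\"%HM\",\"request.path\":\"%[capture.req.uri,json("utf8s")]\",\"request.useragent\":\"%[capture.req.hdr(1),json("utf8s")]\",\"resp.code\":%ST,\"retries_count\":\"%rc\",\"session_duration_ms\":%Tt,\"termination_state\":\"%ts\",\"timestamp\":%Ts,\"captured_request_headers\":%hr,\"captured_response_headers\":%hs"
    # set-header replaces any X-Forwarded-Proto the client sent rather than
    # appending a second value (reqadd was removed in HAProxy 2.1).
    http-request set-header X-Forwarded-Proto https
    # The site is https-only (http-in 301s every request here), so tell
    # browsers to stay on https for a year.
    http-response set-header Strict-Transport-Security "max-age=31536000"
    use_backend letsencrypt if { path_beg /.well-known/acme-challenge }
    use_backend transmission if { path_beg /transmission }
    default_backend deny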
# Catch-all for any path not routed above: answer 503 without contacting
# any server (none is declared here).
backend deny
    # mode http is inherited from the defaults section.
    http-request deny deny_status 503
# Authenticated path to the local transmission-daemon RPC/web port.
backend transmission
    # mode http is inherited from the defaults section.
    # Basic-auth challenge against the "admins" userlist; nothing reaches
    # transmission-daemon until credentials are accepted.
    http-request auth realm MyAuthRealm if !{ http_auth(admins) }
    # Session affinity keyed on the 48-byte X-Transmission-Session-Id; with a
    # single server this only becomes relevant once more servers are added.
    stick-table type binary len 48 size 30k expire 30m
    # "stick on" is shorthand for "stick match" plus "stick store-request",
    # spelled out here.
    stick match hdr(X-Transmission-Session-Id)
    stick store-request hdr(X-Transmission-Session-Id)
    stick store-response hdr(X-Transmission-Session-Id)
    server transmission-daemon 127.0.0.1:9091
# Target for ACME HTTP-01 challenge requests (/.well-known/acme-challenge).
backend letsencrypt
    mode http
    # NOTE(review): 127.0.0.1:80 is the same port the http-in frontend binds
    # on; presumably the ACME client is expected to answer there instead —
    # verify against the deployment, otherwise challenges land back in the
    # https redirect.
    server letsencrypt 127.0.0.1:80
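# /etc/rsyslog.d/49-haproxy.conf
# Receive HAProxy's syslog stream over UDP and split it by severity.
$ModLoad imudp
# HAProxy sends to 127.0.0.1 (see "log 127.0.0.1 ..." in the global
# section), so bind the listener to loopback only. Left unbound, UDP/514
# accepts unauthenticated log lines from any host that can reach it, which
# lets a remote party forge entries in these files.
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
# "-" before a path means buffered (non-synchronous) writes.
local0.=info -/var/log/haproxy.log
# notice and higher severities (status/admin messages)
local0.notice -/var/log/haproxy-status.log
# Discard whatever is left on local0 so it does not also end up in the
# general syslog files.
local0.* ~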