yuezhu/haproxy.cfg

## haproxy.cfg
global
    maxconn 16384
    log 127.0.0.1 len 8192 local0
    log-send-hostname
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

userlist admins
    group AdminGroup users user1
    user user1 password **** # Generated by `mkpasswd -m sha-512 [password]`

frontend http-in
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/cert.pem
    mode http
    log-format "\"backend_addr\":\"%si\",\"backend_name\":\"%b\",\"request.client_ip\":\"%ci\",\"request.host\":\"%[capture.req.hdr(2),json("utf8s")]\",\"request.method\":\"%HM\",\"request.path\":\"%HU\",\"request.useragent\":\"%[capture.req.hdr(1),json("utf8s")]\",\"resp.code\":%ST,\"retries_count\":\"%rc\",\"session_duration_ms\":%Tt,\"termination_state\":\"%ts\",\"timestamp\":%Ts,\"captured_request_headers\":%hr,\"captured_response_headers\":%hs"
    reqadd X-Forwarded-Proto:\ https

    capture request header X-Transmission-Session-Id len 48
    capture response header X-Transmission-Session-Id len 48

    use_backend letsencrypt if { path_beg /.well-known/acme-challenge }
    use_backend transmission if { path_beg /transmission }
    default_backend deny

backend deny
    mode http
    http-request deny deny_status 503

backend transmission
    mode http
    http-request auth realm MyAuthRealm if !{ http_auth(admins) }
    stick-table type binary len 48 size 30k expire 30m
    stick store-response hdr(X-Transmission-Session-Id)
    stick on hdr(X-Transmission-Session-Id)

    server transmission-daemon 127.0.0.1:9091

backend letsencrypt
    server letsencrypt 127.0.0.1:80


# /etc/rsyslog.d/49-haproxy.conf
$ModLoad imudp
$UDPServerRun 514
local0.=info -/var/log/haproxy.log
local0.notice -/var/log/haproxy-status.log
# keep logs in localhost
local0.* ~
	global
	maxconn 16384
	log 127.0.0.1 len 8192 local0
	log-send-hostname
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

	tune.ssl.default-dh-param 2048

	defaults
	log global
	mode http
	option httplog
	option dontlognull
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	userlist admins
	group AdminGroup users user1
	user user1 password **** # Generated by `mkpasswd -m sha-512 [password]`

	frontend http-in
	bind *:80
	mode http
	redirect scheme https code 301 if !{ ssl_fc }

	frontend https-in
	bind *:443 ssl crt /etc/haproxy/certs/cert.pem
	mode http
	log-format "\"backend_addr\":\"%si\",\"backend_name\":\"%b\",\"request.client_ip\":\"%ci\",\"request.host\":\"%[capture.req.hdr(2),json("utf8s")]\",\"request.method\":\"%HM\",\"request.path\":\"%HU\",\"request.useragent\":\"%[capture.req.hdr(1),json("utf8s")]\",\"resp.code\":%ST,\"retries_count\":\"%rc\",\"session_duration_ms\":%Tt,\"termination_state\":\"%ts\",\"timestamp\":%Ts,\"captured_request_headers\":%hr,\"captured_response_headers\":%hs"
	reqadd X-Forwarded-Proto:\ https

	capture request header X-Transmission-Session-Id len 48
	capture response header X-Transmission-Session-Id len 48

	use_backend letsencrypt if { path_beg /.well-known/acme-challenge }
	use_backend transmission if { path_beg /transmission }
	default_backend deny

	backend deny
	mode http
	http-request deny deny_status 503

	backend transmission
	mode http
	http-request auth realm MyAuthRealm if !{ http_auth(admins) }
	stick-table type binary len 48 size 30k expire 30m
	stick store-response hdr(X-Transmission-Session-Id)
	stick on hdr(X-Transmission-Session-Id)

	server transmission-daemon 127.0.0.1:9091

	backend letsencrypt
	server letsencrypt 127.0.0.1:80


	# /etc/rsyslog.d/49-haproxy.conf
	$ModLoad imudp
	$UDPServerRun 514
	local0.=info -/var/log/haproxy.log
	local0.notice -/var/log/haproxy-status.log
	# keep logs in localhost
	local0.* ~