/
haproxy.cfg
134 lines (104 loc) · 3.07 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
global
tune.ssl.default-dh-param 1024
defaults
timeout connect 5s
timeout client 50s
timeout server 50s
frontend http-in
mode http
option forwardfor
bind *:80
reqadd X-Forwarded-Proto:\ http
acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
use_backend cert-provider if is_cert_validation
acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
use_backend backend_api if host_api
acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
use_backend backend_registry if host_registry
acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
use_backend backend_vpn if host_vpn
acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
use_backend backend_s3 if host_s3
frontend ssl-in
mode tcp
bind *:443
tcp-request inspect-delay 2s
tcp-request content accept if { req.ssl_hello_type 1 }
acl is_ssl req.ssl_ver 2:3.4
acl host_tunnel req_ssl_sni -i "tunnel.${HAPROXY_HOSTNAME}"
use_backend redirect-to-tunnel-in if host_tunnel
use_backend redirect-to-https-in if is_ssl
use_backend vpn-devices if !is_ssl
backend redirect-to-https-in
mode tcp
balance roundrobin
server localhost 127.0.0.1:444 send-proxy-v2
backend redirect-to-tunnel-in
mode tcp
balance roundrobin
server localhost 127.0.0.1:3129
frontend https-in
mode http
option forwardfor
bind 127.0.0.1:444 ssl crt /etc/ssl/private/open-balena.pem accept-proxy
reqadd X-Forwarded-Proto:\ https
acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
use_backend backend_api if host_api
acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
use_backend backend_registry if host_registry
acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
use_backend backend_vpn if host_vpn
acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
use_backend backend_s3 if host_s3
backend backend_api
mode http
option forwardfor
balance roundrobin
server balena_api_1 api:80 check port 80
backend backend_registry
mode http
option forwardfor
balance roundrobin
server balena_registry_1 registry:80 check port 80
backend backend_vpn
mode http
option forwardfor
balance roundrobin
server balena_vpn_1 vpn:80 check port 80
backend backend_s3
mode http
option forwardfor
balance roundrobin
server balena_s3_1 s3:80 check port 80
backend cert-provider
mode http
option forwardfor
balance roundrobin
server balena_cert-provider_1 cert-provider:80 no-check
backend vpn-devices
mode tcp
server balena_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
frontend db
mode tcp
bind *:5432
default_backend backend_db
timeout client 1h
backend backend_db
mode tcp
server balena_db_1 db:5432 check port 5432
frontend redis
mode tcp
bind *:6379
default_backend backend_redis
timeout client 1h
backend backend_redis
mode tcp
server balena_redis_1 redis:6379 check port 6379
listen vpn-tunnel
mode tcp
bind *:3128
server balena_vpn vpn:3128 check port 3128
listen vpn-tunnel-tls
mode tcp
bind *:3129 ssl crt /etc/ssl/private/open-balena.pem
server balena_vpn vpn:3128 check port 3128