# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
#
# Layout note: the directives below were folded across lines in the rendered
# copy; they are restored here one directive per line, with their tokens
# unchanged.
global
    daemon
    # NOTE(review): the stats socket is created under /tmp and this line carries
    # no `mode`, `user` or `level` keyword, so the socket's permissions and
    # access level are whatever the defaults yield. On a shared host a
    # restrictive `mode` is worth confirming; since this file is generated, any
    # change belongs in the generator template rather than here.
    stats socket /tmp/haproxy
    server-state-file global
    server-state-base /var/state/haproxy/
    # log using a syslog socket
    log /dev/log local0 info
    log /dev/log local0 notice
    # DH parameter size for the DHE-* suites listed below.
    tune.ssl.default-dh-param 2048
    # Cipher preference for TLS listeners. Every offered suite is ECDHE/DHE and
    # NULL/EXPORT/DES/RC4/3DES/MD5/PSK are excluded, but the SHA-1 CBC suites
    # (…-AES128-SHA, …-AES256-SHA) and DHE-DSS are still present; whether those
    # are still required depends on the clients this deployment must serve.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
defaults
    log global
    # https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
    # https://github.com/appscode/voyager/pull/403
    option dontlognull
    option http-server-close
    # Timeout values
    timeout client 50s
    timeout client-fin 50s
    timeout connect 50s
    timeout server 50s
    timeout tunnel 50s
    # Configure error files
    # default traffic mode is http
    # mode is overwritten in case of tcp services
    mode http
frontend http-80
    bind *:80
    mode http
    # Limit Connections
    # NOTE(review): `is_proxy_https` is derived from the X-Forwarded-Proto
    # request header, which is attacker-controllable unless a trusted upstream
    # proxy overwrites it. The redirect below therefore only enforces HTTPS when
    # such a proxy sits in front of this listener; if port 80 is reachable
    # directly, confirm the topology or validate the header at the edge.
    acl is_proxy_https hdr(X-Forwarded-Proto) https
    # ACME HTTP-01 challenges must remain reachable over plain HTTP, so they are
    # exempted from the redirect and routed to the voyager operator backend.
    acl acme_req path_beg /.well-known/acme-challenge/
    redirect scheme https code 301 if ! is_proxy_https ! acme_req
    option httplog
    option forwardfor
    acl url_acl_voyager-operator.kube-system:56791-7jnwpk path_beg /.well-known/acme-challenge/
    use_backend voyager-operator.kube-system:56791-7jnwpk if url_acl_voyager-operator.kube-system:56791-7jnwpk
backend voyager-operator.kube-system:56791-7jnwpk
    server pod-voyager-operator-2418478371-vn86x 10.36.1.4:56791
frontend http-443
    # SSLv3 and TLS 1.0 are disabled and session tickets are off. `no-tlsv11` is
    # not set on this line, so TLS 1.1 is not excluded here. The stray `\ `
    # before `alpn` looks like a folded line continuation from the rendered
    # page — verify the bind line against the generator template before reuse.
    bind *:443 ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/ \ alpn http/1.1
    # Mark all cookies as secure
    # (rsprep / rspadd are the 1.x response-rewrite directives; they were removed
    # in HAProxy 2.1, where http-response replace-header / set-header replace them.)
    rsprep ^Set-Cookie:\\ (.*) Set-Cookie:\\ \\1;\\ Secure
    # Add the HSTS header with a 6 month default max-age
    rspadd \ Strict-Transport-Security:\\ max-age=15768000
    mode http
    option httplog
    option forwardfor
    # Host matching accepts the bare name and the name with an explicit :443.
    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com
    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com:443
    acl url_acl_web.default:80-amkcr3 path_beg /
    use_backend web.default:80-amkcr3 if host_acl_web.default:80-amkcr3 url_acl_web.default:80-amkcr3
backend web.default:80-amkcr3
    # TLS terminates at the frontend; traffic to the pod is plain HTTP on port 80.
    server pod-nginx-4217019353-j3dr1 10.36.1.5:80