docs/examples/certificate/http/haproxy-ssl.cfg

# HAProxy configuration generated by https://github.com/appscode/voyager
#
    DO NOT EDIT!

global
    daemon
    stats socket /tmp/haproxy
    server-state-file
    global
    server-state-base /var/state/haproxy/

    # log using a syslog socket
    log
    /dev/log local0 info
    log /dev/log local0 notice
    tune.ssl.default-dh-param
    2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK


defaults
    log
    global

    # https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
    #
    https://github.com/appscode/voyager/pull/403
    option dontlognull
    option http-server-close

    #
    Timeout values
    timeout client 50s
    timeout client-fin 50s
    timeout connect
    50s
    timeout server 50s
    timeout tunnel 50s

    # Configure error files

    #
    default traffic mode is http
    # mode is overwritten in case of tcp services
    mode
    http


frontend http-80
    bind *:80
    mode http

    # Limit Connections
    acl
    is_proxy_https hdr(X-Forwarded-Proto) https
    acl acme_req path_beg /.well-known/acme-challenge/
    redirect scheme https code 301 if ! is_proxy_https ! acme_req


    option httplog
    option forwardfor


    acl url_acl_voyager-operator.kube-system:56791-7jnwpk
    path_beg /.well-known/acme-challenge/
    use_backend voyager-operator.kube-system:56791-7jnwpk
    if  url_acl_voyager-operator.kube-system:56791-7jnwpk


backend voyager-operator.kube-system:56791-7jnwpk


    server pod-voyager-operator-2418478371-vn86x 10.36.1.4:56791


frontend http-443
    bind *:443  ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/ \ alpn http/1.1
    # Mark all cookies as secure
    rsprep ^Set-Cookie:\\ (.*) Set-Cookie:\\ \\1;\\ Secure
    # Add the HSTS header with a 6 month default max-age
    rspadd \ Strict-Transport-Security:\\ max-age=15768000
    mode http


    option httplog
    option forwardfor


    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com
    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com:443
    acl url_acl_web.default:80-amkcr3 path_beg /
    use_backend web.default:80-amkcr3 if host_acl_web.default:80-amkcr3 url_acl_web.default:80-amkcr3


backend web.default:80-amkcr3
    server pod-nginx-4217019353-j3dr1 10.36.1.5:80