bbs/clrghouz
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Page: Haproxy Configuration
Pages
Dependancies Docker Environment Variables Haproxy Configuration Home Installation Minio Configuration Upgrade Postgres (Major Versions)
4 Haproxy Configuration
deon edited this page 2024-05-28 12:37:42 +00:00
Table of Contents

Setting up haproxy

We need a few configuration files for haproxy. All these files go in the haproxy directory /srv/docker/clrghouz/haproxy). Make adjustments as appropriate.

This is 10-default.cfg

global
    log stdout format raw local0
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    user haproxy
    group haproxy

defaults
    mode tcp
    timeout connect 5s
    timeout client 10m
    timeout server 10m

#    email-alert mailers mailers
#    email-alert from me@example.com
#    email-alert to me@example.com

    option tcplog
    log global

#mailers mailers
#    mailer smtp [YOUR MAIL SERVER]:25

#resolvers dns
#    nameserver dns1 [YOUR DNS SERVER]:53

frontend stats
    bind :::8080
    mode http
    stats uri /
    stats enable
    stats refresh 10s

This is 20-clrghouz.cfg

# EMSI
frontend fe-clrg-emsi
    bind :::60179 v4v6
    default_backend be-clrg-emsi
    maxconn 4

    # Track the backend state - and reject any attempts if its down
    acl be-emsi-dead nbsrv(be-clrg-emsi) lt 1
    tcp-request connection reject if be-emsi-dead

    # stick table definition for storing rates
    stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)

    ## Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
    # Only allow 1 connections per IP opened
    tcp-request connection reject if { src_conn_cur ge 1 }
    # Only allow 1 connections per 60s
    tcp-request connection reject if { src_conn_rate ge 3 }
    tcp-request connection track-sc1 src

backend be-clrg-emsi
    balance roundrobin
    server clrghouz clrghouz-web-1:60179 send-proxy-v2

# BINKP
frontend fe-clrg-binkp
    bind :::24554 v4v6
    default_backend be-clrg-binkp
    maxconn 10

    stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)

    ## Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
    # Only allow 1 connections per IP opened
    tcp-request connection reject if { src_conn_cur ge 1 }
    # Only allow 1 connections per 60s
    tcp-request connection reject if { src_conn_rate ge 3 }
    tcp-request connection track-sc1 src

# BINKPS
frontend fe-clrg-binkps
    bind :::24553 v4v6 tfo ssl crt /usr/local/etc/haproxy/config/binkps.pem
    default_backend be-clrg-binkp
    maxconn 10

backend be-clrg-binkp
    balance roundrobin
    server clrghouz clrghouz-web-1:24554 send-proxy-v2

This is 20-https.cfg

frontend fe-http
    mode http
    bind :::80
    bind :::443 ssl crt-list /usr/local/etc/haproxy/config/crt-list.conf
    http-request add-header X-Forwarded-Proto https
    http-request redirect scheme https unless { ssl_fc }
    use_backend be-http-clrghouz if { ssl_fc_sni -i clrghouz.bbs.dege.au }
#    default_backend be-http-docker
    default_backend be-http-clrghouz

backend be-http-clrghouz
    mode http
    balance leastconn
    server clrghouz clrghouz-web-1:80

#backend be-http-docker
#    mode http
#    balance leastconn
#    server docker [YOUR WEBSERVER]:80

This is binkps.pem:

-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE
ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw
NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE
CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV
BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn
f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db
JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD
LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF
10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0
n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG
+EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud
IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV
MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN
RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa
BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL
WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+
C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz
dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp
lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr
xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di
3+EttBcVhrZfxoL8jYw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq
fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5
AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN
bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk
hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq
LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW
kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh
IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61
eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A
PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM
tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL
apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b
uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8
5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY
wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk
i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ
fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt
vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP
C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU
7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa
y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr
MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv
fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS
mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43
mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE
fO6SmAU27aAzfOccuvx3glQ=
-----END PRIVATE KEY-----

This is crt-list.conf

/usr/local/etc/haproxy/config/binkps.pem *.[YOUR DOMAIN]

This is whitelist.lst

#[IP6_PREFIX]::/MASK
2001:db8::/32