From 49302b4117cc6327a402762d8b3178e412c83719 Mon Sep 17 00:00:00 2001 From: deon Date: Tue, 28 May 2024 12:15:07 +0000 Subject: [PATCH] Add Haproxy Configuration --- Haproxy-Configuration.md | 182 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 182 insertions(+) create mode 100644 Haproxy-Configuration.md diff --git a/Haproxy-Configuration.md b/Haproxy-Configuration.md new file mode 100644 index 0000000..8f92012 --- /dev/null +++ b/Haproxy-Configuration.md @@ -0,0 +1,182 @@ +# Setting up haproxy + +We need a few configuration files for haproxy. All these files go in the haproxy directory `/srv/docker/clrghouz/haproxy`). Make adjustments as appropriate. + +This is `10-default.cfg` +```cfg +global + log stdout format raw local0 + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets + user haproxy + group haproxy + +defaults + mode tcp + timeout connect 5s + timeout client 10m + timeout server 10m + +# email-alert mailers mailers +# email-alert from me@example.com +# email-alert to me@example.com + + option tcplog + log global + +#mailers mailers +# mailer smtp [YOUR MAIL SERVER]:25 + +#resolvers dns +# nameserver dns1 [YOUR DNS SERVER]:53 + +frontend stats + bind :::8080 + mode http + stats uri / + stats enable + stats refresh 10s +``` + +This is `20-clrghouz.cfg` +```cfg +# EMSI +frontend fe-clrg-emsi + bind :::60179 v4v6 + default_backend be-clrg-emsi + maxconn 4 + + # Track the backend state - and reject any attempts if its down + acl be-emsi-dead nbsrv(be-clrg-emsi) lt 1 + tcp-request connection reject if be-emsi-dead + + # stick table definition for storing rates + stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s) + + ## Allow clean known IPs to bypass the filter + tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst } + # Only allow 1 connections per IP opened + tcp-request connection reject if { src_conn_cur ge 1 } + # Only allow 1 connections per 60s + tcp-request connection reject if { src_conn_rate ge 3 } + tcp-request connection track-sc1 src + +backend be-clrg-emsi + balance roundrobin + server clrghouz clrghouz-web-1:60179 send-proxy-v2 + +# BINKP +frontend fe-clrg-binkp + bind :::24554 v4v6 + default_backend be-clrg-binkp + maxconn 10 + + stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s) + + ## Allow clean known IPs to bypass the filter + tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst } + # Only allow 1 connections per IP opened + tcp-request connection reject if { src_conn_cur ge 1 } + # Only allow 1 connections per 60s + tcp-request connection reject if { src_conn_rate ge 3 } + tcp-request connection track-sc1 src + +# BINKPS +frontend fe-clrg-binkps + bind :::24553 v4v6 tfo ssl crt /usr/local/etc/haproxy/config/binkps.pem + default_backend be-clrg-binkp + maxconn 10 + +backend be-clrg-binkp + balance roundrobin + server clrghouz clrghouz-web-1:24554 send-proxy-v2 +``` + +This is `20-https.cfg` +```cfg +frontend fe-http + mode http + bind :::80 + bind :::443 ssl crt-list /usr/local/etc/haproxy/config/crt-list.conf + http-request add-header X-Forwarded-Proto https + http-request redirect scheme https unless { ssl_fc } + use_backend be-http-clrghouz if { ssl_fc_sni -i clrghouz.bbs.dege.au } +# default_backend be-http-docker + +backend be-http-clrghouz + mode http + balance leastconn + server clrghouz clrghouz-web-1:80 + +#backend be-http-docker +# mode http +# balance leastconn +# server docker [YOUR WEBSERVER]:80 +``` + +This is `binkps.pem`: +```ssl +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV +BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE +ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw +NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE +CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV +BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn +f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db +JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD +LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF +10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0 +n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG ++EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud +IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV +MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN +RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa +BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL +WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+ +C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz +dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp +lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr +xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di +3+EttBcVhrZfxoL8jYw= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq +fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5 +AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN +bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk +hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq +LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW +kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh +IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61 +eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A +PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM +tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL +apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b +uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8 +5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY +wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk +i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ +fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt +vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP +C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU +7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa +y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr +MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv +fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS +mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43 +mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE +fO6SmAU27aAzfOccuvx3glQ= +-----END PRIVATE KEY----- +``` + +This is `crt-list.cfg` +```cfg +/usr/local/etc/haproxy/ssl/cert.pem *.[YOUR DOMAIN] +``` + +This is `whitelist.cfg` +```cfg +#[IP6_PREFIX]::/MASK +``` \ No newline at end of file