Add Haproxy Configuration
parent
01356744f1
commit
49302b4117
182
Haproxy-Configuration.md
Normal file
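--- /dev/null
+++ b/Haproxy-Configuration.md
@@ -0,0 +1,182 @@
+# Setting up haproxy
+
+We need a few configuration files for haproxy. All these files go in the haproxy directory `/srv/docker/clrghouz/haproxy`). Make adjustments as appropriate.
+
+This is `10-default.cfg`
+```cfg
+global
+log stdout format raw local0
+ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+user haproxy
+group haproxy
+
+defaults
+mode tcp
+timeout connect 5s
+timeout client 10m
+timeout server 10m
+
+# email-alert mailers mailers
+# email-alert from me@example.com
+# email-alert to me@example.com
+
+option tcplog
+log global
+
+#mailers mailers
+# mailer smtp [YOUR MAIL SERVER]:25
+
+#resolvers dns
+# nameserver dns1 [YOUR DNS SERVER]:53
+
+frontend stats
+bind :::8080
+mode http
+stats uri /
+stats enable
+stats refresh 10s
+```
+
+This is `20-clrghouz.cfg`
+```cfg
+# EMSI
+frontend fe-clrg-emsi
+bind :::60179 v4v6
+default_backend be-clrg-emsi
+maxconn 4
+
+# Track the backend state - and reject any attempts if its down
+acl be-emsi-dead nbsrv(be-clrg-emsi) lt 1
+tcp-request connection reject if be-emsi-dead
+
+# stick table definition for storing rates
+stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
+
+## Allow clean known IPs to bypass the filter
+tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
+# Only allow 1 connections per IP opened
+tcp-request connection reject if { src_conn_cur ge 1 }
+# Only allow 1 connections per 60s
+tcp-request connection reject if { src_conn_rate ge 3 }
+tcp-request connection track-sc1 src
+
+backend be-clrg-emsi
+balance roundrobin
+server clrghouz clrghouz-web-1:60179 send-proxy-v2
+
+# BINKP
+frontend fe-clrg-binkp
+bind :::24554 v4v6
+default_backend be-clrg-binkp
+maxconn 10
+
+stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
+
+## Allow clean known IPs to bypass the filter
+tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
+# Only allow 1 connections per IP opened
+tcp-request connection reject if { src_conn_cur ge 1 }
+# Only allow 1 connections per 60s
+tcp-request connection reject if { src_conn_rate ge 3 }
+tcp-request connection track-sc1 src
+
+# BINKPS
+frontend fe-clrg-binkps
+bind :::24553 v4v6 tfo ssl crt /usr/local/etc/haproxy/config/binkps.pem
+default_backend be-clrg-binkp
+maxconn 10
+
+backend be-clrg-binkp
+balance roundrobin
+server clrghouz clrghouz-web-1:24554 send-proxy-v2
+```
+
+This is `20-https.cfg`
+```cfg
+frontend fe-http
+mode http
+bind :::80
+bind :::443 ssl crt-list /usr/local/etc/haproxy/config/crt-list.conf
+http-request add-header X-Forwarded-Proto https
+http-request redirect scheme https unless { ssl_fc }
+use_backend be-http-clrghouz if { ssl_fc_sni -i clrghouz.bbs.dege.au }
+# default_backend be-http-docker
+
+backend be-http-clrghouz
+mode http
+balance leastconn
+server clrghouz clrghouz-web-1:80
+
+#backend be-http-docker
+# mode http
+# balance leastconn
+# server docker [YOUR WEBSERVER]:80
+```
+
+This is `binkps.pem`:
+```ssl
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
+BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE
+ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw
+NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE
+CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV
+BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn
+f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db
+JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD
+LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF
+10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0
+n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud
+IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV
+MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN
+RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa
+BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL
+WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+
+C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz
+dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp
+lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr
+xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di
+3+EttBcVhrZfxoL8jYw=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq
+fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5
+AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN
+bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk
+hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq
+LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW
+kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh
+IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61
+eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A
+PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM
+tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL
+apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b
+uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8
+5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY
+wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk
+i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ
+fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt
+vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP
+C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU
+7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa
+y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr
+MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv
+fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS
+mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43
+mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE
+fO6SmAU27aAzfOccuvx3glQ=
+-----END PRIVATE KEY-----
+```
+
+This is `crt-list.cfg`
+```cfg
+/usr/local/etc/haproxy/ssl/cert.pem *.[YOUR DOMAIN]
+```
+
+This is `whitelist.cfg`
+```cfg
+#[IP6_PREFIX]::/MASK
+```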
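Review bot: The `binkps.pem` listing publishes a complete private key (`-----BEGIN PRIVATE KEY-----` through `-----END PRIVATE KEY-----`), so anyone who pastes it as written runs a BINKPS listener on `:::24553` whose key is public and whose TLS therefore gives no confidentiality or authenticity; the certificate's subject appears to decode to CN=localhost with a 127.0.0.1 SAN, i.e. a throwaway self-signed cert, which makes it even less appropriate to ship as the "configuration". Replace the key material with a generation step and a warning that the PEM is a secret, e.g. `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=[YOUR HOST]' -keyout binkps.key -out binkps.crt && cat binkps.crt binkps.key > binkps.pem && chmod 600 binkps.pem`. The file names also disagree with the configs: `20-clrghouz.cfg` reads `/usr/local/etc/haproxy/config/whitelist.lst` and `20-https.cfg` reads `crt-list.conf`, while the headings name the files `whitelist.cfg` and `crt-list.cfg`, and HAProxy refuses to start when a `-f` pattern file or `crt-list` cannot be opened, so one side needs renaming. The `frontend stats` block binds `:::8080` with no `stats auth` and no source ACL, so the stats page is readable by anything that can reach the port; add `stats auth [USER]:[PASSWORD]` or `acl` on `src` before publishing it. In `fe-http`, `http-request add-header X-Forwarded-Proto https` appends to any client-supplied header rather than replacing it, so a caller can still deliver a spoofed value to the backend; `http-request set-header X-Forwarded-Proto https` (placed after the redirect line) closes that.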