Add Haproxy Configuration

deon 2024-05-28 12:15:07 +00:00
parent 01356744f1
commit 49302b4117

182
Haproxy-Configuration.md Normal file

@ -0,0 +1,182 @@
# Setting up haproxy
We need a few configuration files for haproxy. All these files go in the haproxy directory `/srv/docker/clrghouz/haproxy`). Make adjustments as appropriate.
This is `10-default.cfg`
```cfg
global
log stdout format raw local0
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
user haproxy
group haproxy
defaults
mode tcp
timeout connect 5s
timeout client 10m
timeout server 10m
# email-alert mailers mailers
# email-alert from me@example.com
# email-alert to me@example.com
option tcplog
log global
#mailers mailers
# mailer smtp [YOUR MAIL SERVER]:25
#resolvers dns
# nameserver dns1 [YOUR DNS SERVER]:53
frontend stats
bind :::8080
mode http
stats uri /
stats enable
stats refresh 10s
```
This is `20-clrghouz.cfg`
```cfg
# EMSI
frontend fe-clrg-emsi
bind :::60179 v4v6
default_backend be-clrg-emsi
maxconn 4
# Track the backend state - and reject any attempts if its down
acl be-emsi-dead nbsrv(be-clrg-emsi) lt 1
tcp-request connection reject if be-emsi-dead
# stick table definition for storing rates
stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
## Allow clean known IPs to bypass the filter
tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
# Only allow 1 connections per IP opened
tcp-request connection reject if { src_conn_cur ge 1 }
# Only allow 1 connections per 60s
tcp-request connection reject if { src_conn_rate ge 3 }
tcp-request connection track-sc1 src
backend be-clrg-emsi
balance roundrobin
server clrghouz clrghouz-web-1:60179 send-proxy-v2
# BINKP
frontend fe-clrg-binkp
bind :::24554 v4v6
default_backend be-clrg-binkp
maxconn 10
stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
## Allow clean known IPs to bypass the filter
tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
# Only allow 1 connections per IP opened
tcp-request connection reject if { src_conn_cur ge 1 }
# Only allow 1 connections per 60s
tcp-request connection reject if { src_conn_rate ge 3 }
tcp-request connection track-sc1 src
# BINKPS
frontend fe-clrg-binkps
bind :::24553 v4v6 tfo ssl crt /usr/local/etc/haproxy/config/binkps.pem
default_backend be-clrg-binkp
maxconn 10
backend be-clrg-binkp
balance roundrobin
server clrghouz clrghouz-web-1:24554 send-proxy-v2
```
This is `20-https.cfg`
```cfg
frontend fe-http
mode http
bind :::80
bind :::443 ssl crt-list /usr/local/etc/haproxy/config/crt-list.conf
http-request add-header X-Forwarded-Proto https
http-request redirect scheme https unless { ssl_fc }
use_backend be-http-clrghouz if { ssl_fc_sni -i clrghouz.bbs.dege.au }
# default_backend be-http-docker
backend be-http-clrghouz
mode http
balance leastconn
server clrghouz clrghouz-web-1:80
#backend be-http-docker
# mode http
# balance leastconn
# server docker [YOUR WEBSERVER]:80
```
This is `binkps.pem`:
```ssl
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE
ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw
NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE
CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV
BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn
f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db
JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD
LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF
10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0
n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG
+EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud
IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV
MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN
RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa
BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL
WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+
C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz
dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp
lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr
xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di
3+EttBcVhrZfxoL8jYw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq
fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5
AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN
bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk
hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq
LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW
kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh
IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61
eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A
PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM
tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL
apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b
uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8
5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY
wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk
i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ
fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt
vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP
C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU
7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa
y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr
MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv
fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS
mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43
mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE
fO6SmAU27aAzfOccuvx3glQ=
-----END PRIVATE KEY-----
```
This is `crt-list.cfg`
```cfg
/usr/local/etc/haproxy/ssl/cert.pem *.[YOUR DOMAIN]
```
This is `whitelist.cfg`
```cfg
#[IP6_PREFIX]::/MASK
```