

haproxy

https://serversforhackers.com/c/letsencrypt-with-haproxy

https://tecadmin.net/how-to-setup-haproxy-load-balancing-on-ubuntu-linuxmint/

  • root@ecsweb:~# cat /etc/haproxy/haproxy.cfg
  • # Process-wide settings: logging, chroot jail, runtime socket, privilege
  • # drop and the default TLS parameters for SSL-enabled bind lines.
  • global
  • # Send logs to the local syslog socket: everything on local0, and
  • # notice-and-above on local1.
  • log /dev/log local0
  • log /dev/log local1 notice
  • # Confine the process to this directory after startup.
  • chroot /var/lib/haproxy
  • # Runtime API socket. `level admin` permits full control of the running
  • # process, and `mode 660` opens it to the socket's owner and group, so
  • # membership of that group is equivalent to HAProxy admin rights.
  • stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  • stats timeout 30s
  • # Drop privileges to an unprivileged account and detach from the terminal.
  • user haproxy
  • group haproxy
  • daemon
  • # Default SSL material locations
  • ca-base /etc/ssl/certs
  • crt-base /etc/ssl/private
  • # Default ciphers to use on SSL-enabled listening sockets.
  • # For more information, see ciphers(1SSL). This list is from:
  • # An alternative list with additional directives can be obtained from
  • # (the source URLs that followed the two lines above are missing from this copy)
  • # NOTE(review): this list still allows RSA key exchange (RSA+AESGCM, RSA+AES),
  • # which provides no forward secrecy, and CBC-mode AES suites. Review it
  • # against a current TLS baseline before enabling any `bind ... ssl` line.
  • ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  • # NOTE(review): only SSLv3 is disabled here; TLS 1.0 and 1.1 are not turned
  • # off by this line. Consider `no-tlsv10 no-tlsv11`, or `ssl-min-ver TLSv1.2`
  • # if the installed HAProxy version supports it — confirm the version.
  • # These defaults only affect bind lines that carry the `ssl` keyword; none
  • # of the active bind lines in this file does.
  • ssl-default-bind-options no-sslv3
  • # Settings inherited by every frontend, backend and listen section below
  • # unless the section overrides them.
  • defaults
  • # Reuse the log targets declared in the global section.
  • log global
  • # Sections are HTTP proxies unless they set `mode tcp` themselves.
  • mode http
  • option httplog
  • # Do not log connections on which no data was exchanged.
  • option dontlognull
  • # Timeouts without a unit are in milliseconds: 5 s to connect to a server,
  • # 50 s of client or server inactivity.
  • # NOTE(review): no `timeout http-request` is set, so the time a client may
  • # take to send a complete request is bounded only by `timeout client`;
  • # a shorter explicit value limits slow-request resource exhaustion.
  • timeout connect 5000
  • timeout client 50000
  • timeout server 50000
  • # Custom response files returned for HAProxy-generated errors.
  • errorfile 400 /etc/haproxy/errors/400.http
  • errorfile 403 /etc/haproxy/errors/403.http
  • errorfile 408 /etc/haproxy/errors/408.http
  • errorfile 500 /etc/haproxy/errors/500.http
  • errorfile 502 /etc/haproxy/errors/502.http
  • errorfile 503 /etc/haproxy/errors/503.http
  • errorfile 504 /etc/haproxy/errors/504.http
  • # If it detects a LetsEncrypt request, it uses the LE backend
  • # NOTE(review): the comment above does not match this frontend as written:
  • # it contains no ACL or use_backend rule, so every request on port 80 goes
  • # to bk_http, including /.well-known/acme-challenge/ requests.
  • # NOTE(review): there is no redirect to HTTPS here, so port 80 content is
  • # served in clear text — confirm that this is intended.
  • frontend ft_http
  • bind :80
  • mode http
  • default_backend bk_http
  • # Frontend for port 443. As written it is a plain TCP listener: the bind
  • # line has no `ssl` keyword, so TLS is not terminated here and connections
  • # are handed to bk_https unchanged.
  • # NOTE(review): `redirect`, `option forwardfor` and the `http-request`
  • # rules below are HTTP-mode directives, and `ssl_fc` is true only when
  • # HAProxy itself terminated TLS on the connection. In `mode tcp` HAProxy is
  • # expected to warn about and ignore them, so no X-Forwarded-* headers reach
  • # the servers — confirm with `haproxy -c -f /etc/haproxy/haproxy.cfg`.
  • # Choose one design: TCP pass-through (drop the HTTP directives) or TLS
  • # termination (the commented `bind *:443 ssl crt ...` line with `mode http`).
  • frontend ft_https
  • bind :443
  • mode tcp
  • default_backend bk_https
  • # This is our new config that listens on port 443 for SSL connections
  • # bind *:443 ssl crt /etc/ssl/ecsweb.bdcom.com.bd/ecsweb.bdcom.com.bd.pem
  • # Redirect if HTTPS is *not* used
  • redirect scheme https code 301 if !{ ssl_fc }
  • # Test URI to see if it is a LetsEncrypt request (currently disabled)
  • # acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  • # use_backend letsencrypt-backend if letsencrypt-acl
  • ## default_backend be-scalinglaravel
  • ##backend be-scalinglaravel
  • ## balance roundrobin
  • # Header handling intended for the backends; see the note at the top of
  • # this section about these directives in TCP mode.
  • option forwardfor
  • http-request set-header X-Forwarded-Port %[dst_port]
  • http-request add-header X-Forwarded-Proto https if { ssl_fc }
  • # HTTP server pool for ft_http: two servers, round-robin, health-checked.
  • # NOTE(review): both servers are reached on port 80, so traffic between
  • # HAProxy and the servers is unencrypted — confirm the network path is trusted.
  • backend bk_http
  • mode http
  • balance roundrobin
  • #stick on src table bk_https
  • # Health-check every server once per second.
  • default-server inter 1s
  • # `check` enables health checks; `id` pins a fixed numeric server id.
  • server ecs.gov.bd ecs.gov.bd:80 check id 1
  • server ecs.bdcom.com.bd ecs.bdcom.com.bd:80 check id 2
  • #server ecsww.bdcom.com.bd ecsww.bdcom.com.bd:80 check id 3
  • #server dns2.bdcom.com dns2.bdcom.com:80 check id 3
  • # TCP server pool for ft_https with source-IP stickiness.
  • # NOTE(review): both server lines below are commented out, so this backend
  • # has no server and connections arriving on port 443 cannot be forwarded.
  • backend bk_https
  • mode tcp
  • balance roundrobin
  • # Remember which server each client IP was sent to: up to 200k entries,
  • # each expiring after 30 minutes.
  • stick-table type ip size 200k expire 30m
  • stick on src
  • default-server inter 1s
  • # NOTE(review): if a server line is re-enabled, `verify none` disables
  • # certificate verification of the server. Also, `ssl` on a server line makes
  • # HAProxy open its own TLS session to the server for traffic as well as
  • # checks, which does not fit a pass-through of already-encrypted client
  • # traffic; `check-ssl` limits TLS to the health checks — confirm intent.
  • # server ecsweb.bdcom.com.bd ecsweb.bdcom.com.bd:443 check ssl verify none
  • #server prohostnms.bdcom.net prohostnms.bdcom.net:443 check ssl verify none
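  • # HAProxy statistics panel on port 8181, protected by HTTP Basic auth.
  • # NOTE(review): an earlier copy of this page carried the live stats password
  • # in clear text. Treat that credential as exposed and rotate it. The value
  • # below is a placeholder and must be replaced before use.
  • # NOTE(review): the listener is bound to every interface and has no TLS, so
  • # the Basic-auth credential crosses the network in clear text. Prefer a
  • # loopback or management address on the bind line, or add
  • # `ssl crt /path/to/cert.pem` to it.
  • listen stats
  • bind *:8181
  • stats enable
  • stats uri /
  • stats realm Haproxy\ Statistics
  • # Do not disclose the HAProxy version on the stats page.
  • stats hide-version
  • stats auth admin:CHANGE_ME_ROTATED_PASSWORD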
  • #backend letsencrypt-backend
  • # server letsencrypt 127.0.0.1:8888

Haproxy ACL

haproxy.txt · Last modified: 2023/03/06 11:31 by 127.0.0.1