global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /var/lib/haproxy/stats stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets tune.ssl.default-dh-param 2048 tune.h2.initial-window-size 1048576 defaults log global mode http option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 {% if ansible_os_family == 'Debian' %} errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http {% endif %} listen stats bind *:9999 stats enable stats refresh 30s stats show-node stats uri /stats ################################## Frontend ################################## frontend ssh-in mode tcp option tcplog bind {{ haproxy_shared_ip }}:22 timeout client 0ms tcp-request inspect-delay 5s acl valid_payload req.payload(0,7) -m str "SSH-2.0" tcp-request content reject if !valid_payload tcp-request content accept if { req_ssl_hello_type 1 } use_backend example-ssh-backend frontend http-in bind {{ haproxy_shared_ip }}:80 mode http option httplog # Redirect all urls to not use www http-request redirect prefix http://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. } # Redirect if HTTPS is not used and not an acme challenge redirect scheme https code 301 if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge } # Use mapping file to match domain names to req.hdr(host) that are doing a let's encrypt validation use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps/example-letsencrypt.map)] if { path_beg /.well-known/acme-challenge } frontend https-passthrough-in bind {{ haproxy_shared_ip }}:443 mode tcp option tcplog tcp-request inspect-delay 1s tcp-request content accept if { req.ssl_hello_type 1 } # Use mapping file to match domain names to req.ssl_sni use_backend %[req.ssl_sni,lower,map_dom(/etc/haproxy/maps/example-passthrough.map)] # If match is not found, redirect to the tcp_to_http-backend for https-termination default_backend tcp_to_http-backend frontend https-termination-in bind 127.0.0.1:8443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 accept-proxy mode http option httplog tcp-request inspect-delay 1s tcp-request content accept if { req.ssl_hello_type 1 } # Use mapping file to match path use_backend %[path,lower,map_beg(/etc/haproxy/maps/example-path.map)] # Use mapping file to match domain names to ssl_fc_sni use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/maps/example-termination.map)] ################################## Backend ################################## backend tcp_to_http-backend mode tcp server haproxy 127.0.0.1:8443 send-proxy backend example-ssh-backend mode tcp timeout connect 0ms timeout server 0ms server example 10.1.25.92:22 check backend example-letsencrypt-backend mode http server example 10.1.25.92:60080 backend example-http-backend mode http server example 10.1.25.92:80 check backend example-https-passthrough-backend mode tcp server example 10.1.25.92:443 check backend example-https-termination-backend mode http server example 10.1.25.92:80 check