update

Layer4/haproxy.cfg

@@ -0,0 +1,78 @@
+global
+        # HAProxy Layer 4 / TCP-Mode
+        # LoadBalancing by SNI
+        # SSL Termination at the BACKEND-site
+        # requesters ip's are forwarded by "send-proxy-v2"
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+        tune.ssl.cachesize 1000000
+        # to create run: "openssl dhparam -dsaparam -out /etc/haproxy/dhparam.pem 4096"
+        ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+        log     global
+        mode    tcp
+        log     global
+        option  tcplog
+        option  dontlognull
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+frontend NEXTCLOUD
+        bind *:443
+        maxconn 20400
+        mode tcp
+        option tcplog
+        tcp-request inspect-delay 5s
+        tcp-request content accept if { req_ssl_hello_type 1 }
+	##################################################################
+	acl ACL_NEXTCLOUD req.ssl_sni -i nextcloud.hhf.technology
+        use_backend BACKEND_NEXTCLOUD if ACL_NEXTCLOUD
+        ##################################################################
+	acl ACL_TESTCLOUD req.ssl_sni -i testcloud.hhf.technology
+	use_backend BACKEND_TESTCLOUD if ACL_TESTCLOUD
+        ##################################################################        
+        default_backend BACKEND_NEXTCLOUD
+	##################################################################
+
+backend BACKEND_NEXTCLOUD
+        mode tcp
+        fullconn 20000
+        balance leastconn
+        stick-table type ip size 100m expire 12h
+        stick on src
+        option httpchk GET /login
+        http-check expect rstatus [2-3][0-9][0-9]
+        server NC1 192.168.2.101:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000 send-proxy-v2
+        server NC2 192.168.2.102:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000 send-proxy-v2
+
+backend BACKEND_TESTCLOUD
+        mode tcp
+        fullconn 400
+        balance leastconn
+        stick-table type ip size 100m expire 2h
+        stick on src
+        option httpchk GET /login
+        http-check expect rstatus [2-3][0-9][0-9]
+        server NC1 192.168.2.101:8443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 200 send-proxy-v2
+        server NC2 192.168.2.102:8443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 200 send-proxy-v2

Layer4/nextcloud.conf

@@ -0,0 +1,121 @@
+upstream php-handler {
+server unix:/run/php/php8.1-fpm.sock;
+}
+
+map $arg_v $asset_immutable {
+"" "";
+default "immutable";
+}
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name nextcloud.hhf.technology;
+root /var/www;
+location ^~ /.well-known/acme-challenge {
+default_type text/plain;
+root /var/www/letsencrypt;
+}
+location / {
+return 301 https://$host$request_uri;
+}
+}
+
+server {
+listen 443      ssl http2 proxy_protocol;
+listen [::]:443 ssl http2 proxy_protocol;
+server_name nextcloud.hhf.technology;
+ssl_certificate /ssl/ecc-certs/fullchain.pem;
+ssl_certificate_key /ssl/ecc-certs/privkey.pem;
+ssl_trusted_certificate /ssl/ecc-certs/chain.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+ssl_ecdh_curve X448:secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+client_max_body_size 10G;
+client_body_timeout 3600s;
+client_body_buffer_size 512k;
+fastcgi_buffers 64 4K;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+add_header Permissions-Policy                   "interest-cohort=()";
+add_header Referrer-Policy                      "no-referrer"   always;
+add_header X-Content-Type-Options               "nosniff"       always;
+add_header X-Download-Options                   "noopen"        always;
+add_header X-Frame-Options                      "SAMEORIGIN"    always;
+add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+add_header X-Robots-Tag                         "none"          always;
+add_header X-XSS-Protection                     "1; mode=block" always;
+fastcgi_hide_header X-Powered-By;
+root /var/www/nextcloud;
+index index.php index.html /index.php$request_uri;
+location = / {
+if ( $http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/$is_args$args;
+}
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location ^~ /.well-known {
+location = /.well-known/carddav { return 301 /remote.php/dav/; }
+location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+return 301 /index.php$request_uri;
+}
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+location ~ \.php(?:$|/) {
+rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+set $path_info $fastcgi_path_info;
+try_files $fastcgi_script_name =404;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param HTTPS on;
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass php-handler;
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+fastcgi_read_timeout 3600;
+fastcgi_send_timeout 3600;
+fastcgi_connect_timeout 3600;
+fastcgi_max_temp_file_size 0;
+}
+location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+try_files $uri /index.php$request_uri;
+add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+expires 6M;
+access_log off;
+location ~ \.wasm$ {
+default_type application/wasm;
+}
+}
+location ~ \.woff2?$ {
+try_files $uri /index.php$request_uri;
+expires 7d;
+access_log off;
+}
+location /remote {
+return 301 /remote.php$request_uri;
+}
+location / {
+try_files $uri $uri/ /index.php$request_uri;
+}
+}

Layer4/nginx.conf

@@ -0,0 +1,44 @@
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+  worker_connections 2048;
+  multi_accept on; use epoll;
+  }
+http {
+  log_format criegerde escape=json
+  '{'
+    '"time_local":"$time_local",'
+    '"remote_addr":"$remote_addr",'
+    '"remote_user":"$remote_user",'
+    '"request":"$request",'
+    '"status": "$status",'
+    '"body_bytes_sent":"$body_bytes_sent",'
+    '"request_time":"$request_time",'
+    '"http_referrer":"$http_referer",'
+    '"http_user_agent":"$http_user_agent"'
+  '}';
+  server_names_hash_bucket_size 64;
+  access_log /var/log/nginx/access.log criegerde;
+  error_log /var/log/nginx/error.log warn;
+  # replace 192.168.2.254 with the ip of HAProxy or Failover-IP
+  set_real_ip_from 192.168.2.254;
+  real_ip_header proxy_protocol;
+  real_ip_recursive on;
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  sendfile on;
+  send_timeout 3600;
+  tcp_nopush on;
+  tcp_nodelay on;
+  open_file_cache max=500 inactive=10m;
+  open_file_cache_errors on;
+  keepalive_timeout 65;
+  reset_timedout_connection on;
+  server_tokens off;
+  # replace 127.0.0.53 with the ip of your DNS resolver
+  resolver 127.0.0.53 valid=30s;
+  resolver_timeout 5s;
+  include /etc/nginx/conf.d/*.conf;
+  }
+# Carsten Rieger IT-Services, https://www.c-rieger.de

Layer4or6/http/haproxy.cfg

@@ -0,0 +1,72 @@
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+    tune.ssl.cachesize 1000000
+    ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+    log	global
+    mode	http
+    option	httplog
+    option	dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+frontend Statistiken
+    bind   *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+    mode   http
+    option httplog
+    maxconn 5
+    stats enable
+    stats show-legends
+    stats hide-version
+    stats refresh 60s
+    stats show-node
+    stats uri /
+
+frontend NEXTCLOUD
+    mode    http
+    bind    :80
+    bind    :443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+    acl url_discovery path /.well-known/caldav /.well-known/carddav
+    http-request redirect location /remote.php/dav/ code 301 if url_discovery
+    redirect scheme https code 301 if !{ ssl_fc }
+    http-response set-header Strict-Transport-Security max-age=63072000
+    acl is_certbot path_beg /.well-known/acme-challenge/
+    use_backend LetsEncrypt if is_certbot    
+    default_backend NEXTCLOUD
+
+backend NEXTCLOUD
+    mode http
+    fullconn 20000
+    balance leastconn
+    stick-table type ip size 128m expire 2h
+    stick on src
+    option forwardfor
+    option httpchk GET /login
+    http-check expect rstatus [2-3][0-9][0-9]
+    server NC1 192.168.2.206:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
+    server NC2 192.168.2.207:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
+
+backend LetsEncrypt
+    mode http
+    server certbot 127.0.0.1:9080

Layer4or6/tcp-ssl-passthrough/haproxy.cfg

@@ -0,0 +1,71 @@
+global
+    log /dev/loglocal0
+    log /dev/loglocal1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+    log global
+    modetcp
+    option  tcplog
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+frontend proxy
+    bind *:443
+    mode tcp
+    option tcplog
+    maxconn 10000
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+    acl Nextcloud req_ssl_sni -i nextcloud.hhf.technology
+    acl BigBlueButton req_ssl_sni -i bbb.domain.de.de
+    use_backend Nextcloud if Nextcloud
+    use_backend BigBlueButton if BigBlueButton
+
+backend Nextcloud
+    mode tcp
+    fullconn 5000
+    balance source
+    stick-table type binary len 32 size 1m expire 600m
+    acl clienthello req_ssl_hello_type 1
+    acl serverhello rep_ssl_hello_type 2
+    tcp-request inspect-delay 5s
+    tcp-request content accept if clienthello
+    tcp-response content accept if serverhello
+    stick on payload_lv(43,1) if clienthello
+    stick store-response payload_lv(43,1) if serverhello
+    option ssl-hello-chk
+    server Nextcloud 192.168.2.206:443 check maxconn 5000
+
+backend BigBlueButton
+    mode tcp
+    fullconn 5000
+    balance source
+    stick-table type binary len 32 size 1m expire 600m
+    acl clienthello req_ssl_hello_type 1
+    acl serverhello rep_ssl_hello_type 2
+    tcp-request inspect-delay 5s
+    tcp-request content accept if clienthello
+    tcp-response content accept if serverhello
+    stick on payload_lv(43,1) if clienthello
+    stick store-response payload_lv(43,1) if serverhello
+    option ssl-hello-chk
+    server BigBlueButton 192.168.2.234:443 check maxconn 5000

Layer4or6/tcp/haproxy.cfg

@@ -0,0 +1,64 @@
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+        tune.ssl.cachesize 1000000
+        ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+        log     global
+        mode    tcp
+        option  tcplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+frontend Statistiken
+        bind   *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+        mode   http
+        option httplog
+        maxconn 5
+        stats enable
+        stats show-legends
+        stats hide-version
+        stats refresh 60s
+        stats show-node
+        stats uri /
+
+frontend NEXTCLOUD
+        bind *:443
+        maxconn 20000
+        mode tcp
+        option tcplog
+        tcp-request inspect-delay 5s
+        tcp-request content accept if { req_ssl_hello_type 1 }
+        default_backend NEXTCLOUD
+
+backend NEXTCLOUD
+        mode tcp
+        fullconn 20000
+        balance leastconn
+        stick-table type ip size 100m expire 2h
+        stick on src
+    	option httpchk GET /login
+        http-check expect rstatus [2-3][0-9][0-9]
+        server server1 192.168.2.206:443  weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000
+        server server2 192.168.2.207:443  weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000