From 02238def149181613930a82dca2f7b0a7bee2147 Mon Sep 17 00:00:00 2001
From: hhftechnologies
Date: Mon, 21 Oct 2024 12:28:40 +0530
Subject: [PATCH] update

---
 Layer4/haproxy.cfg | 78 ++++++++++++++
 Layer4/nextcloud.conf | 121 ++++++++++++++++++++++
 Layer4/nginx.conf | 44 ++++++++
 Layer4or6/http/haproxy.cfg | 72 +++++++++++++
 Layer4or6/tcp-ssl-passthrough/haproxy.cfg | 71 +++++++++++++
 Layer4or6/tcp/haproxy.cfg | 64 ++++++++++++
 6 files changed, 450 insertions(+)
 create mode 100644 Layer4/haproxy.cfg
 create mode 100644 Layer4/nextcloud.conf
 create mode 100644 Layer4/nginx.conf
 create mode 100644 Layer4or6/http/haproxy.cfg
 create mode 100644 Layer4or6/tcp-ssl-passthrough/haproxy.cfg
 create mode 100644 Layer4or6/tcp/haproxy.cfg
diff --git a/Layer4/haproxy.cfg b/Layer4/haproxy.cfg
new file mode 100644
index 0000000..bbde310
--- /dev/null
+++ b/Layer4/haproxy.cfg
@@ -0,0 +1,78 @@
+global
+ # HAProxy Layer 4 / TCP-Mode
+ # LoadBalancing by SNI
+ # SSL Termination at the BACKEND-site
+ # requesters ip's are forwarded by "send-proxy-v2"
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+ tune.ssl.cachesize 1000000
+ # to create run: "openssl dhparam -dsaparam -out /etc/haproxy/dhparam.pem 4096"
+ ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+ log global
+ mode tcp
+ log global
+ option tcplog
+ option dontlognull
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend NEXTCLOUD
+ bind *:443
+ maxconn 20400
+ mode tcp
+ option tcplog
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ ##################################################################
+ acl ACL_NEXTCLOUD req.ssl_sni -i nextcloud.hhf.technology
+ use_backend BACKEND_NEXTCLOUD if ACL_NEXTCLOUD
+ ##################################################################
+ acl ACL_TESTCLOUD req.ssl_sni -i testcloud.hhf.technology
+ use_backend BACKEND_TESTCLOUD if ACL_TESTCLOUD
+ ##################################################################
+ default_backend BACKEND_NEXTCLOUD
+ ##################################################################
+
+backend BACKEND_NEXTCLOUD
+ mode tcp
+ fullconn 20000
+ balance leastconn
+ stick-table type ip size 100m expire 12h
+ stick on src
+ option httpchk GET /login
+ http-check expect rstatus [2-3][0-9][0-9]
+ server NC1 192.168.2.101:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000 send-proxy-v2
+ server NC2 192.168.2.102:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000 send-proxy-v2
+
+backend BACKEND_TESTCLOUD
+ mode tcp
+ fullconn 400
+ balance leastconn
+ stick-table type ip size 100m expire 2h
+ stick on src
+ option httpchk GET /login
+ http-check expect rstatus [2-3][0-9][0-9]
+ server NC1 192.168.2.101:8443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 200 send-proxy-v2
+ server NC2 192.168.2.102:8443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 200 send-proxy-v2
\ No newline at end of file
diff --git a/Layer4/nextcloud.conf b/Layer4/nextcloud.conf
new file mode 100644
index 0000000..6a4975e
--- /dev/null
+++ b/Layer4/nextcloud.conf
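Review bot: `tcp-request content accept if { req_ssl_hello_type 1 }` in frontend NEXTCLOUD has no matching reject rule, so a connection that never sends a TLS ClientHello is still forwarded to BACKEND_NEXTCLOUD once the 5s inspect-delay expires, because HAProxy accepts by default when no content rule has matched. Add `tcp-request content reject if !{ req_ssl_hello_type 1 }` directly after the accept line so non-TLS connections are dropped at the proxy instead of being handed to a backend server with a PROXY header attached. The `defaults` section also repeats `log global` and `option dontlognull`; the duplicates are harmless but should be removed. The same accept-without-reject pattern is in the NEXTCLOUD frontend of Layer4or6/tcp/haproxy.cfg.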
@@ -0,0 +1,121 @@
+upstream php-handler {
+server unix:/run/php/php8.1-fpm.sock;
+}
+
+map $arg_v $asset_immutable {
+"" "";
+default "immutable";
+}
+
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name nextcloud.hhf.technology;
+root /var/www;
+location ^~ /.well-known/acme-challenge {
+default_type text/plain;
+root /var/www/letsencrypt;
+}
+location / {
+return 301 https://$host$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2 proxy_protocol;
+listen [::]:443 ssl http2 proxy_protocol;
+server_name nextcloud.hhf.technology;
+ssl_certificate /ssl/ecc-certs/fullchain.pem;
+ssl_certificate_key /ssl/ecc-certs/privkey.pem;
+ssl_trusted_certificate /ssl/ecc-certs/chain.pem;
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+ssl_ecdh_curve X448:secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+client_max_body_size 10G;
+client_body_timeout 3600s;
+client_body_buffer_size 512k;
+fastcgi_buffers 64 4K;
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+add_header Permissions-Policy "interest-cohort=()";
+add_header Referrer-Policy "no-referrer" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Download-Options "noopen" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Permitted-Cross-Domain-Policies "none" always;
+add_header X-Robots-Tag "none" always;
+add_header X-XSS-Protection "1; mode=block" always;
+fastcgi_hide_header X-Powered-By;
+root /var/www/nextcloud;
+index index.php index.html /index.php$request_uri;
+location = / {
+if ( $http_user_agent ~ ^DavClnt ) {
+return 302 /remote.php/webdav/$is_args$args;
+}
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location ^~ /.well-known {
+location = /.well-known/carddav { return 301 /remote.php/dav/; }
+location = /.well-known/caldav { return 301 /remote.php/dav/; }
+location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+return 301 /index.php$request_uri;
+}
+location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+location ~ \.php(?:$|/) {
+rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+set $path_info $fastcgi_path_info;
+try_files $fastcgi_script_name =404;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param HTTPS on;
+fastcgi_param modHeadersAvailable true;
+fastcgi_param front_controller_active true;
+fastcgi_pass php-handler;
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+fastcgi_read_timeout 3600;
+fastcgi_send_timeout 3600;
+fastcgi_connect_timeout 3600;
+fastcgi_max_temp_file_size 0;
+}
+location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+try_files $uri /index.php$request_uri;
+add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+expires 6M;
+access_log off;
+location ~ \.wasm$ {
+default_type application/wasm;
+}
+}
+location ~ \.woff2?$ {
+try_files $uri /index.php$request_uri;
+expires 7d;
+access_log off;
+}
+location /remote {
+return 301 /remote.php$request_uri;
+}
+location / {
+try_files $uri $uri/ /index.php$request_uri;
+}
+}
diff --git a/Layer4/nginx.conf b/Layer4/nginx.conf
new file mode 100644
index 0000000..b66f50a
--- /dev/null
+++ b/Layer4/nginx.conf
@@ -0,0 +1,44 @@
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+ worker_connections 2048;
+ multi_accept on; use epoll;
+ }
+http {
+ log_format criegerde escape=json
+ '{'
+ '"time_local":"$time_local",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"request":"$request",'
+ '"status": "$status",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"request_time":"$request_time",'
+ '"http_referrer":"$http_referer",'
+ '"http_user_agent":"$http_user_agent"'
+ '}';
+ server_names_hash_bucket_size 64;
+ access_log /var/log/nginx/access.log criegerde;
+ error_log /var/log/nginx/error.log warn;
+ # replace 192.168.2.254 with the ip of HAProxy or Failover-IP
+ set_real_ip_from 192.168.2.254;
+ real_ip_header proxy_protocol;
+ real_ip_recursive on;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ send_timeout 3600;
+ tcp_nopush on;
+ tcp_nodelay on;
+ open_file_cache max=500 inactive=10m;
+ open_file_cache_errors on;
+ keepalive_timeout 65;
+ reset_timedout_connection on;
+ server_tokens off;
+ # replace 127.0.0.53 with the ip of your DNS resolver
+ resolver 127.0.0.53 valid=30s;
+ resolver_timeout 5s;
+ include /etc/nginx/conf.d/*.conf;
+ }
+# Carsten Rieger IT-Services, https://www.c-rieger.de
\ No newline at end of file
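Review bot: The security headers added with `add_header` at server level (Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and the others) are not sent on responses from `location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$`, because that block defines its own `add_header Cache-Control ...` and nginx only inherits add_header directives from the enclosing level when the current level defines none. Static assets served there would therefore go out without HSTS and the rest of the header set. Move the server-level `add_header` lines into a snippet file and `include` it both at server level and inside that location (or repeat them there) so the asset location keeps the same headers. Separately, `add_header Permissions-Policy "interest-cohort=()";` is the only header without `always`, so it is omitted on non-2xx/3xx responses, which looks unintended.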
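Review bot: `set_real_ip_from 192.168.2.254` is the only peer whose PROXY-protocol client address is honoured, so the comment above it understates what the value must be: it has to be the source address HAProxy connects from as seen by nginx, and any other peer keeps its own address as `$remote_addr`, which would make the forwarded client IP silently disappear from the JSON access log if the proxy's address changes. Suggested comment: `# must be the address HAProxy connects FROM (its own IP, or the failover VIP if traffic leaves via it); only this peer's PROXY header is trusted`. With a failover pair, presumably both nodes' addresses are needed — confirm. Also `multi_accept on; use epoll;` places two directives on one line; split them for readability.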
diff --git a/Layer4or6/http/haproxy.cfg b/Layer4or6/http/haproxy.cfg
new file mode 100644
index 0000000..fa60d7c
--- /dev/null
+++ b/Layer4or6/http/haproxy.cfg
@@ -0,0 +1,72 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+ tune.ssl.cachesize 1000000
+ ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend Statistiken
+ bind *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+ mode http
+ option httplog
+ maxconn 5
+ stats enable
+ stats show-legends
+ stats hide-version
+ stats refresh 60s
+ stats show-node
+ stats uri /
+
+frontend NEXTCLOUD
+ mode http
+ bind :80
+ bind :443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+ acl url_discovery path /.well-known/caldav /.well-known/carddav
+ http-request redirect location /remote.php/dav/ code 301 if url_discovery
+ redirect scheme https code 301 if !{ ssl_fc }
+ http-response set-header Strict-Transport-Security max-age=63072000
+ acl is_certbot path_beg /.well-known/acme-challenge/
+ use_backend LetsEncrypt if is_certbot
+ default_backend NEXTCLOUD
+
+backend NEXTCLOUD
+ mode http
+ fullconn 20000
+ balance leastconn
+ stick-table type ip size 128m expire 2h
+ stick on src
+ option forwardfor
+ option httpchk GET /login
+ http-check expect rstatus [2-3][0-9][0-9]
+ server NC1 192.168.2.206:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
+ server NC2 192.168.2.207:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
+
+backend LetsEncrypt
+ mode http
+ server certbot 127.0.0.1:9080
diff --git a/Layer4or6/tcp-ssl-passthrough/haproxy.cfg b/Layer4or6/tcp-ssl-passthrough/haproxy.cfg
new file mode 100644
index 0000000..c13fee3
--- /dev/null
+++ b/Layer4or6/tcp-ssl-passthrough/haproxy.cfg
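Review bot: `frontend Statistiken` binds `*:8443` and enables the stats page with no `stats auth`, no `stats admin` restriction and no source ACL, so the backend server names, addresses and health state are readable by anyone who can reach port 8443; `stats hide-version` only hides the HAProxy version string. Either bind it to a management-only address or add `stats auth <USER>:<PASSWORD>` together with a source restriction such as `acl mgmt src <MGMT-NET/CIDR>` and `http-request deny if !mgmt` (placeholders to fill in). The same unprotected stats frontend is in Layer4or6/tcp/haproxy.cfg. On the NEXTCLOUD servers, `ssl verify none ca-file /etc/haproxy/server.pem` is contradictory: with `verify none` the ca-file is never consulted, so either switch to `verify required` with a ca-file that actually holds the backend certificate's issuer (server.pem is presumably the proxy's own certificate, not that) or drop the ca-file so the line reflects what is enforced.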
@@ -0,0 +1,71 @@
+global
+ log /dev/loglocal0
+ log /dev/loglocal1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ modetcp
+ option tcplog
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend proxy
+ bind *:443
+ mode tcp
+ option tcplog
+ maxconn 10000
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ acl Nextcloud req_ssl_sni -i nextcloud.hhf.technology
+ acl BigBlueButton req_ssl_sni -i bbb.domain.de.de
+ use_backend Nextcloud if Nextcloud
+ use_backend BigBlueButton if BigBlueButton
+
+backend Nextcloud
+ mode tcp
+ fullconn 5000
+ balance source
+ stick-table type binary len 32 size 1m expire 600m
+ acl clienthello req_ssl_hello_type 1
+ acl serverhello rep_ssl_hello_type 2
+ tcp-request inspect-delay 5s
+ tcp-request content accept if clienthello
+ tcp-response content accept if serverhello
+ stick on payload_lv(43,1) if clienthello
+ stick store-response payload_lv(43,1) if serverhello
+ option ssl-hello-chk
+ server Nextcloud 192.168.2.206:443 check maxconn 5000
+
+backend BigBlueButton
+ mode tcp
+ fullconn 5000
+ balance source
+ stick-table type binary len 32 size 1m expire 600m
+ acl clienthello req_ssl_hello_type 1
+ acl serverhello rep_ssl_hello_type 2
+ tcp-request inspect-delay 5s
+ tcp-request content accept if clienthello
+ tcp-response content accept if serverhello
+ stick on payload_lv(43,1) if clienthello
+ stick store-response payload_lv(43,1) if serverhello
+ option ssl-hello-chk
+ server BigBlueButton 192.168.2.234:443 check maxconn 5000
diff --git a/Layer4or6/tcp/haproxy.cfg b/Layer4or6/tcp/haproxy.cfg
new file mode 100644
index 0000000..81baad0
--- /dev/null
+++ b/Layer4or6/tcp/haproxy.cfg
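Review bot: `log /dev/loglocal0`, `log /dev/loglocal1 notice` and `modetcp` in the global and defaults sections are missing the space between keyword and argument; as written HAProxy would reject `modetcp` as an unknown keyword and the `log` lines for lacking a facility, so the file would not load at all — unless this is whitespace lost in the rendering, in which case ignore this point. The other three haproxy.cfg files in this commit spell these `log /dev/log local0` and `mode tcp`, so the fix is to match them. `acl BigBlueButton req_ssl_sni -i bbb.domain.de.de` also looks like a placeholder hostname that was never filled in; since the frontend has no default_backend, a non-matching SNI is simply dropped, so this only disables the BigBlueButton route, but it should be confirmed.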
@@ -0,0 +1,64 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+ tune.ssl.cachesize 1000000
+ ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+ log global
+ mode tcp
+ option tcplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend Statistiken
+ bind *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
+ mode http
+ option httplog
+ maxconn 5
+ stats enable
+ stats show-legends
+ stats hide-version
+ stats refresh 60s
+ stats show-node
+ stats uri /
+
+frontend NEXTCLOUD
+ bind *:443
+ maxconn 20000
+ mode tcp
+ option tcplog
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ default_backend NEXTCLOUD
+
+backend NEXTCLOUD
+ mode tcp
+ fullconn 20000
+ balance leastconn
+ stick-table type ip size 100m expire 2h
+ stick on src
+ option httpchk GET /login
+ http-check expect rstatus [2-3][0-9][0-9]
+ server server1 192.168.2.206:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000
+ server server2 192.168.2.207:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check check-ssl verify none on-marked-down shutdown-sessions maxconn 10000
\ No newline at end of file