72 lines
2.7 KiB
INI
72 lines
2.7 KiB
INI
global
|
|
log /dev/log local0
|
|
log /dev/log local1 notice
|
|
chroot /var/lib/haproxy
|
|
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
ca-base /etc/ssl/certs
|
|
crt-base /etc/ssl/private
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
tune.ssl.cachesize 1000000
|
|
ssl-dh-param-file /etc/haproxy/dhparam.pem
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
|
|
frontend Statistiken
|
|
bind *:8443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
|
|
mode http
|
|
option httplog
|
|
maxconn 5
|
|
stats enable
|
|
stats show-legends
|
|
stats hide-version
|
|
stats refresh 60s
|
|
stats show-node
|
|
stats uri /
|
|
|
|
frontend NEXTCLOUD
|
|
mode http
|
|
bind :80
|
|
bind :443 ssl crt /etc/haproxy/server.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
|
|
acl url_discovery path /.well-known/caldav /.well-known/carddav
|
|
http-request redirect location /remote.php/dav/ code 301 if url_discovery
|
|
redirect scheme https code 301 if !{ ssl_fc }
|
|
http-response set-header Strict-Transport-Security max-age=63072000
|
|
acl is_certbot path_beg /.well-known/acme-challenge/
|
|
use_backend LetsEncrypt if is_certbot
|
|
default_backend NEXTCLOUD
|
|
|
|
backend NEXTCLOUD
|
|
mode http
|
|
fullconn 20000
|
|
balance leastconn
|
|
stick-table type ip size 128m expire 2h
|
|
stick on src
|
|
option forwardfor
|
|
option httpchk GET /login
|
|
http-check expect rstatus [2-3][0-9][0-9]
|
|
server NC1 192.168.2.206:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
|
|
server NC2 192.168.2.207:443 weight 1 inter 5s downinter 20s rise 4 fall 2 check ssl verify none ca-file /etc/haproxy/server.pem on-marked-down shutdown-sessions maxconn 10000
|
|
|
|
backend LetsEncrypt
|
|
mode http
|
|
server certbot 127.0.0.1:9080
|