HAProxy - Client SSL Auth "knocking" and automatic certbot
# Process-wide settings: logging, privilege drop, admin socket, and the TLS
# defaults inherited by every 'ssl' bind/server line in the sections below.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Runtime API socket. 'level admin' permits state changes (server weights,
# map/acl edits, etc.), so group membership for this mode 660 socket is the
# access control for it.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Client-facing cipher list: ECDHE only (forward secrecy). The AEAD suites
# (GCM, CHACHA20-POLY1305) come first; the last four entries are CBC suites
# with HMAC-SHA2, which are weaker and can be removed once no client needs
# them. NOTE(review): this list covers TLS 1.2 only; on builds with TLS 1.3
# the 1.3 suites are set separately (ssl-default-bind-ciphersuites) and are
# not configured here — confirm against the deployed HAProxy/OpenSSL version.
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# SSLv3, TLS 1.0 and TLS 1.1 disabled (leaves TLS 1.2 and, where the build
# supports it, TLS 1.3); stateless session tickets disabled.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Same policy for TLS connections HAProxy itself opens to backend servers.
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# DH parameter size for DHE suites when the certificate file embeds none.
# Every suite above is ECDHE, so this only matters if the lists are widened.
tune.ssl.default-dh-param 2048
# Settings inherited by every frontend/listen/backend below unless a section
# overrides them.
defaults
log global
mode http
option httplog
# Adds X-Forwarded-For with the connection's source address. In the https-*
# frontends that address comes from the PROXY protocol header sent by tcp443.
option forwardfor
option http-keep-alive
option prefer-last-server
# Successful requests are not logged; only errors, timeouts and rejections
# reach the log. This keeps logs small but limits the audit trail for
# authenticated traffic.
option dontlog-normal
# Timeouts without a unit are in milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-keep-alive 10s
# NOTE(review): the HTTP-only options above (httplog, forwardfor,
# http-keep-alive, ...) are also inherited by 'listen tcp443', which runs in
# tcp mode; HAProxy ignores them there and warns at startup unless that
# section overrides them explicitly.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
############
# Plain HTTP on :80. Only ACME HTTP-01 challenge requests are served (proxied
# to the local certbot listener); every other request is redirected to HTTPS.
frontend http
bind *:80
# [INTERNALNETWORK] is a placeholder for the internal CIDR. The 'internal'
# ACL is declared here but not referenced anywhere in this section.
acl internal src [INTERNALNETWORK]
acl internal src 127.0.0.1
acl acme-challenge path_beg /.well-known/acme-challenge/
# 'redirect' is evaluated before backend selection, so only challenge paths
# ever reach the use_backend rule below.
redirect scheme https unless acme-challenge
use_backend certbot if acme-challenge
# Not reachable in practice (non-challenge requests were already redirected);
# kept as a fail-closed fallback.
default_backend reject
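# TCP-level entry point for :443. TLS is NOT terminated here: the section
# requires a TLS ClientHello, then hands the raw connection to one of two
# TLS-terminating frontends over abstract unix sockets, chosen by the
# client's source address.
listen tcp443
bind *:443
mode tcp
# Override the HTTP-only options inherited from 'defaults'. They are ignored
# in tcp mode and would otherwise produce startup warnings; tcplog is the
# matching log format for a tcp-mode section.
option tcplog
no option forwardfor
# [INTERNALNETWORK] is a placeholder for the internal CIDR.
acl internal src [INTERNALNETWORK]
acl internal src 127.0.0.1
# Buffer the first bytes for up to 5s so req_ssl_hello_type can be evaluated.
tcp-request inspect-delay 5s
# Drop anything that is not a TLS ClientHello (record type 1), e.g. plain
# HTTP sent to :443, before it reaches a TLS frontend.
tcp-request content reject unless { req_ssl_hello_type 1 }
# Internal sources go to the frontend that does not request a client
# certificate; everyone else must pass frontend https-external.
use-server external unless internal
use-server internal if internal
# PROXY protocol v2 forwards the original source address, so 'src' in the
# next frontend (stick-table key, X-Forwarded-For) is the real client.
server external abns@https-external send-proxy-v2
server internal abns@https-internal send-proxy-v2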
# TLS termination for non-internal clients — the "knocking" frontend:
#  - a request that presents a client certificate issued by CLIENTCERT-CA is
#    routed by Host header;
#  - such a request also marks the client's source IP in a stick table; for
#    the next 60s, requests from that IP that carry WebSocket upgrade headers
#    are routed without a certificate (for clients that cannot send one on
#    the upgrade connection);
#  - everything else goes to the 'reject' backend.
frontend https-external
# 'verify optional': a client certificate is requested but the handshake
# proceeds without one. A presented certificate that fails verification
# against ca-file aborts the handshake unless crt-ignore-err/ca-ignore-err
# are set (they are not here).
bind abns@https-external accept-proxy ssl alpn h2,http/1.1 crt-list /etc/haproxy/certs.list ca-file /etc/ssl/CA/CLIENTCERT-CA.pem verify optional
# NOTE(review): ssl_c_used is a boolean fetch and takes no pattern, so the
# trailing "ssl_c_verify 0" is most likely not evaluated as a second
# condition — 'secured' probably means "a client cert was presented". If the
# verification result must be checked explicitly, declare it on its own line
# (e.g. `acl cert_ok ssl_c_verify 0`) and require both ACLs in the rules
# below. With the bind options above the two conditions coincide in practice,
# because an invalid certificate never completes the handshake — confirm.
acl secured ssl_c_used ssl_c_verify 0
# One entry per source IP, at most 32; 'expire' counts from the last update.
# When the table is full HAProxy evicts old entries to make room, so more
# than 32 concurrently authenticated IPs silently lose their "known" status
# — size this for real usage.
stick-table type ip size 32 expire 60s store gpc0
# Track the source and bump gpc0 only for certificate-authenticated
# requests; each one presumably refreshes the 60s window for that IP.
http-request track-sc0 src if secured
http-request sc-inc-gpc0 if secured
# True when this source IP had at least one certificate-authenticated request
# within the expiry window. Risk: the key is the IP, so every host behind the
# same NAT/shared egress inherits the grant for that window.
acl known_client src_get_gpc0 gt 0
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
http-response set-header Strict-Transport-Security max-age=15768000
# Backend chosen from the lowercased Host header by substring lookup in
# hostname.map; the literal 'reject' is the default when no key matches.
# NOTE(review): map_sub matches any map key that appears anywhere inside the
# Host value; use map_dom or map_str if exact/domain matching is intended.
use_backend %[hdr(host),lower,map_sub(/etc/haproxy/hostname.map,reject)] if secured
# Only the two upgrade headers are checked on this path, so a backend that
# receives such a request cannot treat it as certificate-authenticated.
use_backend %[hdr(host),lower,map_sub(/etc/haproxy/hostname.map,reject)] if hdr_connection_upgrade hdr_upgrade_websocket known_client
default_backend reject
# TLS termination for internal sources (selected by 'listen tcp443'). No
# client certificate is requested, so the only access control on this path
# is the source-address check upstream.
frontend https-internal
# Trust note: with accept-proxy the client address is taken from the PROXY
# header of whoever connects, and abstract (abns@) sockets are not protected
# by filesystem permissions, so any local process in this network namespace
# that reaches the socket is trusted as much as tcp443 is. Acceptable on a
# single-purpose host; on a shared host prefer a path-based unix socket with
# restrictive mode/user.
bind abns@https-internal accept-proxy ssl alpn h2,http/1.1 crt-list /etc/haproxy/certs.list
http-response set-header Strict-Transport-Security max-age=15768000
# Same Host-based routing as https-external: substring lookup in hostname.map,
# 'reject' when no key matches.
use_backend %[hdr(host),lower,map_sub(/etc/haproxy/hostname.map,reject)]
default_backend reject
# Receives ACME HTTP-01 challenge requests from 'frontend http' and forwards
# them to a loopback-only listener. NOTE(review): presumably certbot running
# in standalone mode on port 54321 (e.g. via --http-01-port) — confirm the
# renewal command matches this port.
backend certbot
server certbot 127.0.0.1:54321
# Fail-closed catch-all: every default_backend above and the hostname.map
# default land here. The connection is closed at the TCP level without an
# HTTP response (so errorfile 403 is not involved), which reveals nothing
# about which hostnames are served.
backend reject
tcp-request content reject