fraenki · January 25, 2017 15:45
diff --git a/haproxy.cfg b/haproxy.cfg
 global
    #debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    pidfile /var/run/haproxy.pid

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-options   no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers   ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    spread-checks 4
    tune.maxrewrite 1024
    tune.ssl.default-dh-param 2048

 defaults
    mode    http
    balance roundrobin

    option  dontlognull
    option  dontlog-normal
    option  redispatch

    maxconn 5000
    timeout connect 5s
    timeout client  20s
    timeout server  20s
    timeout queue   30s
    timeout http-request 5s
    timeout http-keep-alive 15s

 frontend http-in
    bind *:80

    stats enable
    stats refresh 30s
    #stats hide-version
    stats realm Strictly\ Private
    stats auth admin:admin
    stats uri /admin?stats

    default_backend nodes-http

 frontend https-in
    mode tcp
    bind *:443 ssl crt /etc/ssl/dummy.pem alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
    default_backend nodes-http

 backend nodes-http
    server node1 web.server:80 check

 backend nodes-http2
    mode tcp
    http-request add-header X-Forwarded-Proto https
    server node1 web.server:81 check send-proxy
	global
	#debug
	chroot /var/lib/haproxy
	user haproxy
	group haproxy
	pidfile /var/run/haproxy.pid

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

	spread-checks 4
	tune.maxrewrite 1024
	tune.ssl.default-dh-param 2048

	defaults
	mode http
	balance roundrobin

	option dontlognull
	option dontlog-normal
	option redispatch

	maxconn 5000
	timeout connect 5s
	timeout client 20s
	timeout server 20s
	timeout queue 30s
	timeout http-request 5s
	timeout http-keep-alive 15s

	frontend http-in
	bind *:80

	stats enable
	stats refresh 30s
	#stats hide-version
	stats realm Strictly\ Private
	stats auth admin:admin
	stats uri /admin?stats

	default_backend nodes-http

	frontend https-in
	mode tcp
	bind *:443 ssl crt /etc/ssl/dummy.pem alpn h2,http/1.1
	http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
	use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
	default_backend nodes-http

	backend nodes-http
	server node1 web.server:80 check

	backend nodes-http2
	mode tcp
	http-request add-header X-Forwarded-Proto https
	server node1 web.server:81 check send-proxy