Last active
November 8, 2021 16:33
-
-
Save git001/73d1b7bcc3813ba40028c887e4f3e7f6 to your computer and use it in GitHub Desktop.
haproxy setup for sni routing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#--------------------------------------------------------------------- | |
# Global settings | |
#--------------------------------------------------------------------- | |
global | |
log stdout format raw daemon debug | |
log-send-hostname cloud.DOMAIN.com | |
maxconn 5000 | |
ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets | |
tune.ssl.default-dh-param 2048 | |
#--------------------------------------------------------------------- | |
# common defaults that all the 'listen' and 'backend' sections will | |
# use if not designated in their block | |
#--------------------------------------------------------------------- | |
defaults | |
mode tcp | |
log global | |
option dontlognull | |
option logasap | |
option srvtcpka | |
option log-separate-errors | |
retries 3 | |
timeout http-request 10s | |
timeout queue 2m | |
timeout connect 10s | |
timeout client 5m | |
timeout server 5m | |
timeout http-keep-alive 10s | |
timeout check 10s | |
maxconn 750 | |
#--------------------------------------------------------------------- | |
# main frontend which proxys to the backends | |
#--------------------------------------------------------------------- | |
## | |
## Frontend for HTTP | |
## | |
frontend http-in | |
bind :::80 v4v6 | |
mode http | |
option httplog | |
# redirect http to https . | |
http-request redirect scheme https unless { ssl_fc } | |
## | |
## Frontend for HTTPS | |
## | |
frontend public_ssl | |
log global | |
option tcplog | |
bind :::443 v4v6 | |
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq ssl_fc_has_sni '%[ssl_fc_has_sni]' sni:'%[capture.req.hdr(0)]' ssl_fc_sni '%[ssl_fc_sni]' ssl_fc_protocol '%[ssl_fc_protocol]' ssl_bc '%[ssl_bc]' ssl_bc_alpn '%[ssl_bc_alpn]' ssl_bc_protocol '%[ssl_bc_protocol]' ssl_c_i_dn '%[ssl_c_i_dn()]' ssl_c_s_dn '%[ssl_c_s_dn()]' ssl_f_i_dn '%[ssl_f_i_dn()]' ssl_f_s_dn '%[ssl_f_s_dn]' ssl_fc_cipher '%[ssl_fc_cipher]' " | |
tcp-request inspect-delay 5s | |
tcp-request content capture req.ssl_sni len 25 | |
tcp-request content accept if { req.ssl_hello_type 1 } | |
# use_backend be_sni_xmpp if { req.ssl_sni -i -MyDomain.im } | |
# https://www.haproxy.com/blog/introduction-to-haproxy-maps/ | |
use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)] | |
default_backend be_sni | |
########################################################################## | |
# TLS SNI | |
# | |
# When using SNI we can terminate encryption with dedicated certificates. | |
########################################################################## | |
backend be_sni | |
server fe_sni 127.0.0.1:10444 weight 10 send-proxy-v2-ssl-cn | |
backend be_sni_xmpp | |
server fe_sn_xmpp 127.0.0.1:10442 weight 10 send-proxy-v2-ssl-cn | |
# handle https incomming | |
frontend https-in | |
# terminate ssl | |
bind 127.0.0.1:10444 accept-proxy ssl strict-sni crt /usr/local/etc/haproxy/cloud-MyDomain-com.pem crt /usr/local/etc/haproxy/dashboard-MyDomain-com.pem crt /usr/local/etc/haproxy/upload-MyDomain-com.pem crt /usr/local/etc/haproxy/-MyDomain-com.pem | |
mode http | |
option forwardfor | |
option httplog | |
# log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq ssl_fc_has_sni '%[ssl_fc_has_sni]' sni:'%[capture.req.hdr(0)]' ssl_fc_sni '%[ssl_fc_sni]' ssl_fc_protocol '%[ssl_fc_protocol]' ssl_bc '%[ssl_bc]' ssl_bc_alpn '%[ssl_bc_alpn]' ssl_bc_protocol '%[ssl_bc_protocol]' ssl_c_i_dn '%[ssl_c_i_dn()]' ssl_c_s_dn '%[ssl_c_s_dn()]' ssl_f_i_dn '%[ssl_f_i_dn()]' ssl_f_s_dn '%[ssl_f_s_dn]' ssl_fc_cipher '%[ssl_fc_cipher]' " | |
# this creates a warning and this varibale is empty | |
# I think because the tcp termination is done in public_ssl | |
# tcp-request content capture req.ssl_sni len 25 | |
# Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/) | |
http-request del-header Proxy | |
# from doc: front connection was made via an SSL/TLS transport | |
# When I use a tcp frontend and chain it via backend/frontend, | |
# like in this config, is this fe a front connection? | |
http-request redirect scheme https unless { ssl_fc_has_sni } | |
http-request set-header X-Forwarded-Proto https | |
# added from option forwardfor http-request set-header X-Forwarded-For %[src] | |
# makes this sence? | |
http-request set-header X-Forwarded-Host %[ssl_fc_sni] | |
## this does not work | |
#acl host_nc req.ssl_sni -i cloud.DOMAIN.com | |
# I would like to use this | |
# should this work? | |
# maybe a map would be better? | |
# use_backend nextcloud-backend if ssl_fc_sni -i cloud.DOMAIN.com | |
# https://www.haproxy.com/blog/introduction-to-haproxy-maps/ | |
use_backend %[req.hdr(host),lower,map(http-domain2backend-map.txt)] | |
## | |
## Frontend for Galera Cluster | |
## | |
frontend galera-tcp-in | |
bind 127.0.0.1:3306 | |
default_backend galera-backend | |
## | |
## Frontend for LDAP Cluster | |
## | |
frontend ldap-tcp-in | |
bind 127.0.0.1:389 | |
default_backend ldap-backend | |
## | |
## Frontend for LDAP Cluster (encrypted) | |
## | |
frontend ldaps-tcp-in | |
bind 127.0.0.1:636 | |
default_backend ldaps-backend | |
#--------------------------------------------------------------------- | |
# backends | |
#--------------------------------------------------------------------- | |
## backend for cloud.DOMAIN.com | |
backend nextcloud-backend | |
mode http | |
redirect scheme https if !{ ssl_fc } | |
option httpclose | |
option forwardfor | |
option httpchk GET / HTTP/1.1\r\nHost:\ cloud.-MyDomain-.com | |
server -MyDomain-cloud 127.0.0.1:81 check | |
## backend for dashboard.DOMAIN.com | |
backend dashboard-backend | |
mode http | |
redirect scheme https if !{ ssl_fc } | |
balance roundrobin | |
option httpclose | |
option forwardfor | |
server -MyDomain-cloud 127.0.0.1:82 check | |
## backend for upload.DOMAIN.im | |
backend httpupload-backend | |
log global | |
mode http | |
server -MyDomain-cloud 127.0.0.1:8443 check | |
## backend for DOMAIN.im (XMPP C2S) | |
listen xmppc2s-backend | |
bind 127.0.0.1:10442 accept-proxy ssl strict-sni crt /usr/local/etc/haproxy/upload-MyDomain-com.pem crt /usr/local/etc/haproxy/-MyDomain-com.pem | |
log global | |
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq ssl_fc_has_sni '%[ssl_fc_has_sni]' sni:'%[capture.req.hdr(0)]' ssl_fc_sni '%[ssl_fc_sni]' ssl_fc_protocol '%[ssl_fc_protocol]' ssl_bc '%[ssl_bc]' ssl_bc_alpn '%[ssl_bc_alpn]' ssl_bc_protocol '%[ssl_bc_protocol]' ssl_c_i_dn '%[ssl_c_i_dn()]' ssl_c_s_dn '%[ssl_c_s_dn()]' ssl_f_i_dn '%[ssl_f_i_dn()]' ssl_f_s_dn '%[ssl_f_s_dn]' ssl_fc_cipher '%[ssl_fc_cipher]' " | |
server -MyDomain-cloud 127.0.0.1:5223 check ssl check-ssl verify none check-sni str('-MyDomain-.im') sni str('-MyDomain-.im') ssl-min-ver TLSv1.2 | |
backend galera-backend | |
balance leastconn | |
server db01 88.99.210.11:3306 check | |
server db02 88.99.210.46:3306 check | |
backend ldap-backend | |
balance leastconn | |
server db01 88.99.210.11:389 check | |
server db02 88.99.210.46:389 check | |
backend ldaps-backend | |
balance roundrobin | |
server db01 88.99.210.11:636 check | |
server db02 88.99.210.46:636 check | |
#--------------------------------------------------------------------- | |
# stats page is hosted at different port | |
#--------------------------------------------------------------------- | |
listen stats | |
bind *:10000 | |
mode http | |
stats enable | |
stats hide-version | |
stats realm Haproxy\ Statistics | |
stats uri /stats | |
stats auth USER:PASS | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment