kehers · October 13, 2021 17:37 · Sep 7, 2015 · Sep 7, 2015 · Sep 4, 2015 · Jul 17, 2015
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -1,51 +1,66 @@
 global
-        log /dev/log    local0
-        log /dev/log    local1 notice
-        chroot /var/lib/haproxy
-        user haproxy
-        group haproxy
-        daemon
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /var/www/ssl/
+
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+  tune.ssl.default-dh-param 2048
 
 defaults
-        log     global
-        mode    http
-        option  httplog
-        option  dontlognull
-        contimeout 5000
-        clitimeout 50000
-        srvtimeout 50000
-        errorfile 400 /etc/haproxy/errors/400.http
-        errorfile 403 /etc/haproxy/errors/403.http
-        errorfile 408 /etc/haproxy/errors/408.http
-        errorfile 400 /etc/haproxy/errors/400.http
-        errorfile 403 /etc/haproxy/errors/403.http
-        errorfile 408 /etc/haproxy/errors/408.http
-        errorfile 500 /etc/haproxy/errors/500.http
-        errorfile 502 /etc/haproxy/errors/502.http
-        errorfile 503 /etc/haproxy/errors/503.http
-        errorfile 504 /etc/haproxy/errors/504.http
-        stats enable
-        stats auth someuser:somepassword
-        stats uri /haproxyStats
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+  timeout connect 5000
+  timeout client  50000
+  timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
 
 frontend http-in
-        bind :80
-        default_backend app
+  bind :80
+  reqadd X-Forwarded-Proto:\ http
+  default_backend app
+
+  # is this a socket io request?
+  acl is_websocket path_beg /socket.io
+  acl is_websocket hdr(Upgrade) -i WebSocket AND hdr_beg(Host) -i ws
+  use_backend websocket if is_websocket
+
+frontend https-in
+  bind :443 ssl crt /etc/ssl/private/crt.pem
+  reqadd X-Forwarded-Proto:\ https
+  default_backend app
 
-        # is this a socket io request?
-        acl is_websocket path_beg /socket.io
-        acl is_websocket hdr(Upgrade) -i WebSocket AND hdr_beg(Host) -i ws
-        use_backend websocket if is_websocket
+backend app
+  server node 127.0.0.1:3000 check
 
 backend websocket
-        balance source
-        option forwardfor
-        no option httpclose
-        option http-server-close
-        option forceclose
+  balance source
+  option forwardfor
+  no option httpclose
+  option http-server-close
+  option forceclose
 
-        timeout queue 5s
-        timeout server 24h
-        timeout connect 24h
+  timeout queue 5s
+  timeout server 24h
+  timeout connect 24h
 
-        server node1 localhost:3000 check
+  server node1 localhost:3000 check
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -24,6 +24,9 @@ defaults
         errorfile 502 /etc/haproxy/errors/502.http
         errorfile 503 /etc/haproxy/errors/503.http
         errorfile 504 /etc/haproxy/errors/504.http
+        stats enable
+        stats auth someuser:somepassword
+        stats uri /haproxyStats
 
 frontend http-in
         bind :80

diff --git a/gistfile1.txt b/gistfile1.txt
@@ -29,5 +29,20 @@ frontend http-in
         bind :80
         default_backend app
 
-backend app
-        server node 127.0.0.1:3000 check
+        # is this a socket io request?
+        acl is_websocket path_beg /socket.io
+        acl is_websocket hdr(Upgrade) -i WebSocket AND hdr_beg(Host) -i ws
+        use_backend websocket if is_websocket
+
+backend websocket
+        balance source
+        option forwardfor
+        no option httpclose
+        option http-server-close
+        option forceclose
+
+        timeout queue 5s
+        timeout server 24h
+        timeout connect 24h
+
+        server node1 localhost:3000 check
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,33 @@
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        user haproxy
+        group haproxy
+        daemon
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        contimeout 5000
+        clitimeout 50000
+        srvtimeout 50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http-in
+        bind :80
+        default_backend app
+
+backend app
+        server node 127.0.0.1:3000 check