HAProxy example config with tunneled SSH service
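global
# Process-wide settings. Logs go to the local syslog socket; local1 only
# receives notice and above.
log /dev/log local0
log /dev/log local1 notice
# NOTE(review): inside the chroot the "/dev/log" path above resolves to
# /var/lib/haproxy/dev/log. Debian's haproxy packaging ships an rsyslog snippet
# that creates that socket; on other distributions confirm it exists or logging
# silently stops after chroot.
chroot /var/lib/haproxy
# Runtime API. "level admin" allows changing server state at runtime and
# "expose-fd listeners" enables seamless reloads, so the 660 mode and the
# haproxy group ownership are what protect it - do not loosen them.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
# Drop privileges after binding, then detach.
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# TLS 1.0 and 1.1 are deprecated (RFC 8996); refuse them together with SSLv3 on
# every ssl-enabled bind line. On HAProxy 1.8+ "ssl-min-ver TLSv1.2" is the
# clearer equivalent; the no-tlsv1x flags work on older releases as well.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11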
# Accounts for the HTTP basic-auth gate used by the kibana and elasticsearch backends.
userlist UsersAuth
# SECURITY: "insecure-password" keeps the secret in clear text in this file.
# Prefer a hashed entry, "user waella password <hash>", with <hash> produced by
# "mkpasswd -m sha-256" (crypt(3) format), and rotate this credential - it has
# been shared publicly together with this config. HAProxy re-verifies the hash
# on every request, so avoid extremely expensive hash settings (CPU DoS risk);
# sha-256/sha-512 crypt is the usual middle ground.
user waella insecure-password kruschpelecke
# Settings inherited by every frontend/backend/listen section that follows.
defaults
log global
# HTTP is the default mode; the TCP sections (frontend ssl, backends ssh,
# openvpn, main-ssl) override it explicitly.
mode http
# httplog is only usable by HTTP-mode proxies; for TCP-mode sections HAProxy
# warns at startup and falls back to tcplog unless they set "option tcplog".
option httplog
# Skip log lines for connections that never carried data (port probes, monitors).
option dontlognull
# Bare numbers are milliseconds: 5 s to connect, 50 s of inactivity on either side.
timeout connect 5000
timeout client 50000
timeout server 50000
# Custom error pages served by HAProxy itself (must be complete HTTP responses).
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# A second "global" section. HAProxy merges repeated global sections, so this
# directive applies as if it were in the first one; consider moving it there so
# all process-wide settings live in one place.
global
# Size of the ephemeral Diffie-Hellman parameters for the DH+ cipher suites in
# the default cipher list; 2048 bits avoids the weaker default older releases
# warn about at startup.
tune.ssl.default-dh-param 2048
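# Statistics / admin page. It listens on every interface (":9000") over plain
# HTTP, so the basic-auth credentials travel in clear text: restrict who can
# reach it at all, and prefer "bind :9000 ssl crt <pem>" or a loopback bind
# reached through an SSH tunnel.
listen stats
mode http
bind :9000
# Only the management networks may reach the page; everyone else gets a 403
# before authentication is even attempted. Same allow-list as frontend main.
acl stats_allowed src 192.168.1.0/24 2a02:120b:2c10:4d70::/60 138.190.0.0/16 94.130.175.35
http-request deny if !stats_allowed
stats enable
stats hide-version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /admin?stats # Stats URI
# SECURITY: clear-text credential in the config file; rotate it, this config
# has been shared publicly.
stats auth admin:hawaella # Authentication credentials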
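# Public :443 listener. Runs in TCP mode and inspects the first bytes of each
# connection to multiplex SSH and TLS on one port: TLS goes to main-ssl (which
# loops back into the HTTP frontend "main" via PROXY protocol), SSH goes
# straight to sshd.
frontend ssl
mode tcp
# TCP-mode proxies cannot use the httplog format inherited from defaults;
# without this HAProxy warns at startup and falls back to tcplog anyway.
option tcplog
# NOTE(review): IPv4 only. The allow-list in frontend main contains an IPv6
# prefix, so ":::443 v4v6" is presumably intended if IPv6 clients are expected.
bind 0.0.0.0:443
# Wait up to 5 s for enough client data to classify the connection.
tcp-request inspect-delay 5s
# Stop waiting early if the client speaks plain HTTP. Such a connection matches
# none of the use_backend rules and there is no default_backend, so it is closed.
tcp-request content accept if HTTP
# 5353482d322e30 is "SSH-2.0". SSH clients send their banner without waiting
# for the server, so the first seven bytes identify them.
use_backend ssh if { payload(0,7) -m bin 5353482d322e30 }
# A TLS ClientHello (handshake type 1) goes to the TLS-terminating path.
use_backend main-ssl if { req.ssl_hello_type 1 }
# Anything else is dropped once the inspect delay expires; re-enable the line
# below to hand unclassified traffic to the OpenVPN backend instead.
#default_backend openvpn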
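# TLS-terminating HTTP frontend on loopback. It is only reached through backend
# main-ssl, which prepends a PROXY protocol header (accept-proxy here), so "src"
# below is the real client address rather than 127.0.0.1.
frontend main
# NOTE(review): HAProxy's "crt" expects certificate chain AND private key in one
# PEM file; Let's Encrypt's fullchain.pem does not contain the key. Confirm this
# file was assembled with privkey.pem appended (or that a sibling ".key" file
# exists, which newer releases pick up), otherwise HAProxy refuses to start.
bind 127.0.0.1:443 ssl crt /etc/letsencrypt/live/lab.kroesch.net/fullchain.pem accept-proxy
mode http
option forwardfor
# Networks allowed to reach the Elasticsearch, Kibana and Grafana paths.
acl network_allowed src 192.168.1.0/24 2a02:120b:2c10:4d70::/60 138.190.0.0/16 94.130.175.35
# "block" was deprecated in HAProxy 1.5 and removed in 2.1; "http-request deny"
# is the supported replacement, also answers 403, and is evaluated before the
# use_backend rules, so the network check still gates routing. The path_beg ACLs
# are deliberately wider than the routes (e.g. "/elastic2" is denied for outside
# clients but would fall through to the webserver for allowed ones).
# ACL elasticsearch
acl restricted_elastic path_beg /elastic
http-request deny if restricted_elastic !network_allowed
use_backend elasticsearch if { path /elastic } or { path_beg /elastic/ }
# ACL kibana
acl restricted_kibana path_beg /kibana
http-request deny if restricted_kibana !network_allowed
use_backend kibana if { path /kibana } or { path_beg /kibana/ }
# ACL grafana
acl restricted_grafana path_beg /grafana
http-request deny if restricted_grafana !network_allowed
use_backend grafana_backend if { path /grafana } or { path_beg /grafana/ }
# Everything else is the public web site.
default_backend webserver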
# Hairpin: TLS connections classified by frontend ssl are sent back into
# frontend main on 127.0.0.1:443. send-proxy adds a PROXY protocol header so
# the HTTP frontend (accept-proxy) learns the original client address.
backend main-ssl
mode tcp
server main-ssl 127.0.0.1:443 send-proxy
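# OpenVPN-over-TCP target. Only used if "default_backend openvpn" is
# re-enabled in frontend ssl.
backend openvpn
mode tcp
# VPN sessions are long-lived. Per the HAProxy timeout docs, "timeout tunnel"
# is what governs an idle TCP stream once content inspection is over and it
# supersedes both client and server timeouts; "timeout server" alone presumably
# leaves the 50 s "timeout client" from defaults in force for the client side.
timeout tunnel 2h
timeout server 2h
server openvpn-localhost 127.0.0.1:1193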
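# sshd reached through port 443. HAProxy only forwards bytes here; sshd's own
# hardening (key-only auth, etc.) is what protects the service. sshd sees
# 127.0.0.1 as the peer because no PROXY protocol is sent, so fail2ban-style
# source filtering must happen in HAProxy, not in sshd.
backend ssh
mode tcp
# Interactive sessions idle for long periods. Per the HAProxy timeout docs,
# "timeout tunnel" governs an idle TCP stream once inspection is over and
# supersedes both client and server timeouts; "timeout server" alone presumably
# leaves the 50 s "timeout client" from defaults in force for the client side.
timeout tunnel 2h
timeout server 2h
server ssh-localhost 127.0.0.1:22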
# Default target of frontend main: the public web site, no auth, no network
# restriction.
backend webserver
mode http
option forwardfor
# Left disabled: this backend is only reached via the TLS frontend, where
# ssl_fc is already true, so the redirect would never fire.
#redirect scheme https code 301 if !{ ssl_fc }
server webserver-localhost 127.0.0.1:80
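# Kibana behind two gates: the source-network ACL in frontend main and HTTP
# basic auth against userlist UsersAuth.
backend kibana
mode http
option redispatch
option forwardfor
option httpchk GET /
acl AuthOkay_UsersAuth http_auth(UsersAuth)
http-request auth realm UserAuth if !AuthOkay_UsersAuth
# Strip the /kibana prefix before forwarding. Same regsub form as the grafana
# and elasticsearch backends; the previous "reqrep" directive was deprecated
# and removed in HAProxy 2.1. Unlike the old regex (which only matched
# "/kibana/..."), a bare "/kibana" is now rewritten to "/" as well, matching
# the other two backends.
http-request set-path %[path,regsub(^/kibana/?,/)]
server kibana_server 127.0.0.1:5601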
# Grafana. Only the source-network ACL in frontend main applies here; there is
# no HAProxy-level auth, so Grafana's own login is the gate.
backend grafana_backend
mode http
# Strip the /grafana prefix ("/grafana" and "/grafana/" both become "/").
# NOTE(review): Grafana presumably needs its root_url configured for the
# /grafana sub-path so generated links point back through this proxy - verify.
http-request set-path %[path,regsub(^/grafana/?,/)]
server grafana_server 127.0.0.1:3000
# Elasticsearch REST API. Gated by the source-network ACL in frontend main and
# by HTTP basic auth against userlist UsersAuth. Anyone who passes both has the
# full API (index creation/deletion, cluster settings), so the user list and
# the allow-list are the only protection.
backend elasticsearch
mode http
acl AuthOkay_UsersAuth http_auth(UsersAuth)
http-request auth realm UserAuth if !AuthOkay_UsersAuth
# NOTE(review): the Authorization header is forwarded unchanged; if
# Elasticsearch has its own authentication enabled, these credentials would be
# rejected there - confirm ES security is off or accepts the same users.
# Strip the /elastic prefix ("/elastic" and "/elastic/" both become "/").
http-request set-path %[path,regsub(^/elastic/?,/)]
server elasticsearch_server 127.0.0.1:9200
In the `frontend ssl` section, the rule `use_backend ssh if { payload(0,7) -m bin 5353482d322e30 }` checks whether the first seven bytes of the connection are the SSH banner `SSH-2.0` and, if so, routes the connection to the `ssh` backend (sshd on 127.0.0.1:22).
