https in haproxy
# /etc/haproxy/haproxy.cfg -- a Jinja2 template (Ansible-style groups[...] lookups); {{ }} and {% %} are rendered before HAProxy reads the file
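frontend http-in
    # Plain-HTTP entry point. Requests reaching backend "servers" without
    # ssl_fc are redirected to HTTPS there, so the app normally never sees a
    # cleartext request from this frontend.
    bind *:{{APP_PORT}}
    mode http
    # Defence in depth: overwrite any X-Forwarded-Proto the client supplied so a
    # spoofed "X-Forwarded-Proto: https" cannot make the app treat a cleartext
    # request as secure. set-header replaces the header; reqadd would append.
    http-request set-header X-Forwarded-Proto http
    default_backend servers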
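frontend https-in
    # TLS terminator. server_cert.pem holds the certificate and private key
    # (optionally the intermediates; see the notes below backend "servers").
    # no-sslv3 only disables SSLv3; TLS 1.0/1.1 and the cipher list stay at
    # HAProxy's defaults. Tighten them with ssl-default-bind-options /
    # ssl-default-bind-ciphers in the global section (e.g. no-tlsv10) once the
    # client population allows it.
    bind *:{{APP_PORT_HTTPS}} ssl no-sslv3 crt /etc/haproxy/server_cert.pem
    # Explicit mode so the header rule below is honoured whatever the
    # "defaults" section says (header directives are ignored in tcp mode).
    mode http
    # set-header replaces a client-supplied X-Forwarded-Proto instead of adding
    # a second copy next to it (reqadd appends), so the app sees one value.
    http-request set-header X-Forwarded-Proto https
    default_backend servers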
backend servers
    # Application pool shared by both frontends. Requests that did not arrive
    # over TLS (ssl_fc false) are redirected to HTTPS before reaching a server.
    #
    # "redirect prefix": the Location header is built from <pfx> plus the
    # complete request URI (HAProxy docs), so the path and query are preserved.
    # 307 is a temporary redirect that keeps the HTTP method (a 302 lets clients
    # turn POST into GET). 308 is the permanent, method-preserving equivalent
    # (RFC 7538) but older clients/browsers do not understand it.
    #
    # NOTE(review): the loop emits one rule per load balancer, all with the
    # same condition; HAProxy applies the first matching redirect, so every
    # client is sent to the first host of groups['load_balancers'] regardless
    # of the Host it asked for. If APP_PORT_HTTPS is 443, a single
    # "redirect scheme https code 307 if !{ ssl_fc }" keeps the client's Host
    # instead; for another port derive the target from the Host header (confirm
    # log-format support in redirect rules for your HAProxy version).
    {% for host in groups['load_balancers'] %}
    redirect prefix https://{{host}}:{{APP_PORT_HTTPS}} code 307 if !{ ssl_fc }
    {% endfor %}
    balance roundrobin
    # Appends the client address to X-Forwarded-For. Only trustworthy if the
    # app does not believe a value the client itself pre-set.
    option forwardfor
    # Health check: HEAD / with a Host header (mandatory for HTTP/1.1).
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    # Port the client connected to, so the app can rebuild absolute URLs.
    http-request set-header X-Forwarded-Port %[dst_port]
    # Traffic to the servers is cleartext HTTP -- keep it on private addresses.
    {% for host in groups['private_ips'] %}
    server {{ host }} {{ host }}:{{ NGINX_PORT }} check
    {% endfor %}
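# server_cert.pem, as referenced by the bind lines, is the server certificate
# and its private key concatenated into one PEM file. Because it contains the
# key, create it with a restrictive umask/mode and keep it owned by root:
umask 077
cat server.crt server.key > server_cert.pem
chmod 600 server_cert.pem
# Better: also include the intermediate certificate(s) so clients that do not
# have them can build the chain (the root is optional -- clients must already
# trust it, otherwise sending it does not help):
cat server.crt server.key intermediate.pem CA_cert.pem > server_bundle.pem
chmod 600 server_bundle.pem
# then bind on the bundle:
#     bind *:{{APP_PORT_HTTPS}} ssl no-sslv3 crt /etc/haproxy/server_bundle.pem
# Do not add "ca-file" for this purpose: on a bind line, ca-file names the CAs
# used to verify CLIENT certificates (together with "verify required"); the
# server's own chain is read from the crt file. It is rarely needed.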
# To relay traffic to one fixed third-party endpoint (a TCP relay to a single upstream, not a general forward proxy):
frontend thirdparty_service_https_in
    # Raw TCP listener; bytes are relayed unmodified to backend thirdparty_server.
    # NOTE(review): despite the name nothing here is HTTPS -- the bind has no
    # "ssl" and the backend connects to port 80, so the whole path is cleartext.
    # The listener is also unauthenticated: anyone who can reach port 5500 can
    # use this host to relay to the third party. Bind it to an internal address
    # and/or firewall it.
    bind *:5500
    option tcplog
    mode tcp # important: must match the backend's mode
    default_backend thirdparty_server
backend thirdparty_server
    mode tcp
    # ssl-hello-chk uses an SSLv3 client hello as the health check. It only
    # runs when the server line carries "check" (it does not here), and a plain
    # port 80 would normally not answer it anyway.
    option ssl-hello-chk
    # Cleartext TCP to a hard-coded IP on port 80 (the port is mandatory).
    # NOTE(review): if the intent is HTTPS to the third party, the server line
    # needs the TLS client options (port 443 plus "ssl verify required
    # ca-file <trust store>"); as written the third party receives plain HTTP
    # and the hop is neither encrypted nor authenticated. A hard-coded public
    # IP also breaks silently when the service moves.
    server thirdparty_server_name 54.175.222.246:80 # the port must be there.
# Example: with app hosts my_app1_ip, my_app2_ip and a load balancer my_lb_ip, a request to http://my_lb_ip:5500/get is relayed to 54.175.222.246:80/get (the gist identifies this as httpbin.org/get).
# You can run:
curl -vL my_lb_ip:5500/get   # relayed as cleartext TCP to 54.175.222.246:80/get; nothing on this path is HTTPS, so "-k" (skip certificate verification) has no effect here and should not become a habit
# Alternatively, do not relay at all: answer with a redirect so the client
# talks to the third party directly.
backend thirdparty_server
    # NOTE(review): this sends clients to https://...:80, i.e. TLS on the plain
    # HTTP port, which will fail -- 443 (or no port) is almost certainly meant.
    # "redirect" is an HTTP-level rule, so this backend needs mode http (set
    # here or inherited from "defaults"); in tcp mode HAProxy ignores it with a
    # warning -- confirm for your version. The request path is appended to the
    # prefix, as in backend "servers" above.
    redirect prefix https://54.175.222.246:80 code 307 if !{ ssl_fc }
# Note that no mode is set here; it is inherited from the "defaults" section.
##Serve http and https from same port: | |
    # Accept raw TCP on one port and decide per connection whether the client speaks plain HTTP or something else (TLS)
frontend http-in
    # One port for both HTTP and HTTPS: accept raw TCP, inspect the first bytes
    # and route by protocol.
    bind *:7500
    option tcplog
    mode tcp
    # Upper bound on how long to wait for enough payload to evaluate the
    # content rules below; HAProxy continues as soon as the data is there. It
    # is not a fixed 2 s delay per request.
    tcp-request inspect-delay 2s
    # "HTTP" is the built-in ACL matching a plain-HTTP request line.
    tcp-request content accept if HTTP
    use_backend default_servers if HTTP
    # Anything else (presumably a TLS ClientHello) goes to the TLS listener.
    # NOTE(review): this frontend is in tcp mode while backend default_servers
    # uses HTTP-only directives (forwardfor, http-request); HAProxy's config
    # check rejects a tcp-mode frontend switching to an http-mode backend
    # ("tries to use incompatible ... backend") -- confirm for your version.
    # The later examples avoid this by looping through a loopback hop into an
    # http-mode frontend.
    default_backend ssl_servers
#handle https traffic | |
backend ssl_servers
    # Loops the raw (still encrypted) bytes back into this host's TLS listener
    # "ssl_frontend", prefixing the connection with a PROXY-protocol header so
    # the original client src/dst survive the hop.
    mode tcp
    # The target must be an address the ssl_frontend bind actually listens on.
    # Keep it internal: whoever can reach an accept-proxy port can forge the
    # client address in the PROXY header.
    server ssl_frontend {{ this_servers_internal_ip_addr }}:{{ HTTPS_PORT }} send-proxy
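frontend ssl_frontend
    # Terminates TLS for connections relayed by backend ssl_servers.
    # accept-proxy takes the client src/dst from the PROXY header, so this bind
    # must only be reachable from the relay: it is bound to the internal
    # address the relay targets (the original bound "*", every interface, which
    # lets any network peer forge the client address seen in X-Forwarded-For,
    # logs and ACLs) -- firewall it as well if other hosts share that network.
    # The original also had a malformed Jinja expression "{HTTPS_PORT}}".
    # ca-file only takes effect together with "verify required"
    # (client-certificate auth); without it the option is inert.
    bind {{ this_servers_internal_ip_addr }}:{{HTTPS_PORT}} accept-proxy ssl no-sslv3 crt /path/to/server_cert.pem ca-file /path/to/RootCA.pem
    mode http
    # Replace (not append to) any client-supplied X-Forwarded-Proto.
    http-request set-header X-Forwarded-Proto https
    # Traffic is cleartext from here on: send it only to app servers on
    # private addresses/ports.
    default_backend servers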
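backend default_servers
    # App pool for requests that arrived as plain HTTP on the shared port
    # (requests decrypted by ssl_frontend go to backend "servers" instead).
    # NOTE(review): these directives need mode http; with frontend http-in in
    # tcp mode, HAProxy's config check may reject the switch -- confirm for
    # your version.
    balance roundrobin
    # Appends the client address to X-Forwarded-For.
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    http-request set-header X-Forwarded-Port %[dst_port]
    # Everything here is cleartext: say so explicitly and overwrite any
    # X-Forwarded-Proto the client sent, so a spoofed "https" cannot make the
    # app treat an insecure request as secure (e.g. for secure cookies).
    http-request set-header X-Forwarded-Proto http
    {% for host in groups['app_servers'] %}
    server {{ host }} {{ host }}:{{ APP_PORT }} check
    {% endfor %}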
##another method for http/https in same port | |
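frontend http_front
    # HTTP front for both paths: plain HTTP arrives on APP_PORT directly,
    # HTTPS arrives already decrypted from the "ssl_frontend" listener over a
    # PROXY-protocol loopback connection on ACCEPT_PROXY_PORT.
    # accept-proxy takes the client address from the PROXY header, so that bind
    # is restricted to loopback (the original bound "*": any host able to reach
    # the port could forge the client IP seen in X-Forwarded-For and logs).
    bind 127.0.0.1:{{ACCEPT_PROXY_PORT}} accept-proxy name http_frontend
    bind *:{{APP_PORT}}
    # NOTE(review): requests on the plain bind still carry whatever
    # X-Forwarded-Proto the client sent; to force "http" there, key an ACL on
    # the bind (e.g. "bind ... id <n>" with the so_id fetch) -- confirm for
    # your version.
    # HSTS (15768000 s = 6 months). Browsers honour it only on HTTPS responses,
    # so on the plain-HTTP path it is ignored rather than harmful. set-header
    # replaces a copy the app may already add; rspadd would append a second.
    # Consider max-age=31536000 and includeSubDomains once the whole site is
    # served over HTTPS.
    http-response set-header Strict-Transport-Security max-age=15768000
    default_backend server
listen ssl_frontend
    # TLS terminator. Decrypted requests are handed to http_front over a
    # loopback connection carrying a PROXY-protocol header.
    # ca-file only matters together with "verify required" (client certs).
    bind *:{{HTTPS_PORT}} ssl no-sslv3 crt /etc/haproxy/server.pem ca-file /etc/haproxy/CA.pem
    # The original used "mode tcp" with "reqadd": header directives are
    # ignored in tcp mode (HAProxy warns that the proxy has no 'mode http'),
    # so X-Forwarded-Proto was never set and the app could not tell HTTPS from
    # HTTP. Terminating in http mode lets the header be set; send-proxy still
    # works for the loopback hop.
    mode http
    http-request set-header X-Forwarded-Proto https
    # Loopback target matches the accept-proxy bind in http_front above.
    server http_front 127.0.0.1:{{ACCEPT_PROXY_PORT}} send-proxy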
backend server
    balance roundrobin
    # NOTE(review): {{ host }} is not bound by a for-loop here (unlike the
    # earlier backends), so the template renders an undefined/empty value;
    # presumably the groups[...] loop from above was meant.
    server {{ host }} {{ host }}:{{ APP_PORT }} check
##STILL another method for http/https on same port | |
frontend http_in
    # Plain-HTTP listener whose only job is to bounce everyone to HTTPS.
    # "redirect" needs mode http (inherited from "defaults" here; set it
    # explicitly if defaults is tcp).
    bind *:{{HTTP_PORT}}
    # NOTE(review): one rule per load balancer, all with the same condition --
    # HAProxy applies the first matching redirect, so every client lands on the
    # first host of groups['my_load_balancers'] regardless of the Host it used.
    # With HTTPS on 443, "redirect scheme https code 307 if !{ ssl_fc }"
    # preserves the client's Host instead.
    {% for a_host in groups['my_load_balancers'] %}
    redirect prefix https://{{a_host}}:{{HTTPS_PORT}} code 307 if !{ ssl_fc }
    {% endfor %}
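listen ssl_in
    # TLS terminator that talks straight to the app pool.
    # ca-file only matters together with "verify required" (client certs).
    bind *:{{HTTPS_PORT}} ssl no-sslv3 crt /etc/haproxy/cert.pem ca-file /etc/haproxy/CAbundle.pem
    # The original used "mode tcp": in tcp mode HAProxy ignores the header
    # directives below (with a warning), so neither X-Forwarded-Proto nor HSTS
    # was ever emitted. http mode is required for them and for any HTTP ACLs.
    mode http
    # Replace rather than append a client-supplied value.
    http-request set-header X-Forwarded-Proto https
    # HSTS (6 months). This listener only serves HTTPS, so the header is always
    # appropriate here. Consider max-age=31536000 and includeSubDomains.
    http-response set-header Strict-Transport-Security max-age=15768000
    default_backend server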
backend server
    balance roundrobin
    # NOTE(review): {{ host }} is not bound by a for-loop here, so the template
    # renders an undefined/empty value; presumably a groups[...] loop was meant.
    # The name "server" also collides with the backend of the previous method
    # if both snippets end up in the same file.
    server {{ host }} {{ host }}:{{ APP_PORT }} check