haproxy tls termination with client authentication
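# HAProxy TLS termination with mutual-TLS (client certificate) authentication.
# Required environment variables (HAProxy expands "$VAR" inside double quotes):
#   SRV_TLS_CERT - PEM file with the server certificate and private key for the listener
#   SRV_TLS_CA   - PEM CA bundle that presented client certificates must chain to

global
    maxconn 2048
    log /dev/log local0
    log /dev/log local1 notice
    tune.ssl.default-dh-param 2048
    # Single cipher list, ECDHE-only (forward secrecy), AEAD suites first.
    # The original file declared ssl-default-bind-ciphers twice in this section;
    # the later declaration takes effect, and it re-enabled kRSA (no forward
    # secrecy) and RC4-SHA, silently overriding the list below. Keep exactly one.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    # Session tickets are disabled: a static ticket key would let a later key
    # compromise decrypt resumed sessions.
    ssl-default-bind-options no-tls-tickets
    # NOTE(review): after chroot, /dev/log is resolved inside /var/lib/haproxy;
    # confirm the syslog socket is reachable there or log lines are lost.
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    option http-no-delay
    option http-keep-alive
    option tcp-smart-accept
    option tcp-smart-connect
    option tcpka
    retries 2
    option redispatch
    # no unit suffix means milliseconds: 4.5 s per health check
    timeout check 4500
    timeout connect 10s
    timeout server 50s
    timeout client 50s
    timeout tunnel 1h

frontend tls-term
    # verify required: a client that presents no certificate, or one that does
    # not chain to $SRV_TLS_CA, is rejected during the handshake.
    # No crl-file is configured, so a revoked client certificate is accepted
    # until it expires; add "crl-file <PATH_TO_CRL_PEM>" when a CRL is available.
    # Only TLS 1.2+ is offered on this listener.
    bind 0.0.0.0:5443 ssl crt "$SRV_TLS_CERT" ca-file "$SRV_TLS_CA" verify required no-sslv3 no-tlsv10 no-tlsv11
    use_backend three

backend three
    # Plaintext hop to the local application; the client identity established
    # above is not forwarded to it by this configuration.
    server proxy 127.0.0.1:8080 check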