@marthydavid
Created November 28, 2020 15:15
freeipa-haproxy.cfg
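frontend https
    # TLS-terminating entry point for FreeIPA. Only HTTPS is bound here, so every
    # request that reaches backend ipa_https already arrived over TLS.
    bind 10.0.0.100:443 tfo ssl crt /etc/pki/tls/certs/haproxy/my.own.domain.pem
    mode http
    # Pass the client address upstream in X-Forwarded-For; skip loopback clients.
    option forwardfor except 127.0.0.0/8
    option http-keep-alive
    timeout http-request 10s
    timeout http-keep-alive 10s
    # Security response headers.
    # HSTS max-age is one year; the previous value (1576800s, about 18 days) is
    # below the commonly recommended minimum for a TLS-only service.
    http-response set-header Strict-Transport-Security max-age=31536000
    http-response set-header X-Frame-Options sameorigin
    # X-Forwarded-Proto is a request header for the upstream, not a response
    # header for the browser; the former "http-response set-header
    # X-Forwarded-Proto https" was a no-op and is dropped. backend ipa_https
    # sets it on the request.
    http-response set-header Cache-Control no-cache,\ max-age=600
    # NOTE(review): the browser XSS auditor has been removed from current
    # browsers and "0" is now the usual recommendation; kept as configured.
    http-response set-header X-XSS-Protection 1
    http-response set-header X-Content-Type-Options nosniff
    # Captured headers feed %hr / %hs in the log-format below. X-Forwarded-For
    # is client-supplied; it is only logged here, never used for routing or
    # access decisions.
    capture request header x-request-id len 128
    capture request header x-transaction-id len 64
    capture response header x-request-id len 128
    capture response header x-transaction-id len 64
    capture request header X-Forwarded-For len 128
    capture response header X-Forwarded-For len 128
    option httplog
    # log-format must be a single physical line in haproxy.cfg.
    # NOTE(review): %HU and the captured headers are client-controlled and are
    # inserted without JSON escaping, so a quote in a request URI can break or
    # forge fields in the record; consider the "json" converter on those fetches
    # if the log is consumed by a JSON parser.
    log-format '{"backend_concurrent_conns": "%bc", "backend_name": "%b", "backend_queue": "%bq", "bytes_read": "%B", "bytes_uploaded": "%U", "captured_request_cookie": "%CC", "captured_request_headers": "%hr", "captured_response_cookie": "%CS", "captured_response_headers": "%hs", "client_cert_issuer_dn": "%[ssl_c_i_dn]", "client_cert_presented": "%[ssl_c_used]", "client_cert_subject_dn": "%[ssl_c_s_dn]", "client_connect_time": "%Th", "client_idle_time": "%Ti", "client_ip": "%ci", "client_port": "%cp", "client_total_time": "%TR", "concurrent_connections_per_process": "%ac", "date_time": "%t", "frontend_concurrent_connections": "%fc", "frontend_name": "%ft", "http_method": "%HM", "http_request_uri": "%HU", "http_request_version": "%HV", "http_status_code": "%ST", "retries": "%rc", "server_connect_time": "%Tc", "server_connections": "%sc", "server_name": "%s", "server_queue": "%sq", "server_response_time": "%Tr", "termination_state_with_cookie_status": "%tsc", "total_queue_time": "%Tw", "total_session_time": "%Tt"}'
    # Routing. host_ipa matches any Host whose labels include "ipa"
    # (e.g. ipa.my.own.domain). There is deliberately no default_backend, so a
    # request for any other Host is answered with 503 (fail closed).
    acl is_root path -i /
    acl host_ipa hdr_dom(host) -i ipa
    # Send "/" straight to the IPA web UI.
    redirect code 301 location https://ipa.my.own.domain/ipa/ui if is_root host_ipa
    use_backend ipa_https if host_ipa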
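backend ipa_https
    # FreeIPA servers behind the proxy. A session is pinned to one server with
    # the SERVERID cookie; the Referer and Set-Cookie rewrites below make the
    # per-server hostnames (ipabd01 / ipabd02) appear to the browser as
    # ipa.my.own.domain.
    mode http
    balance roundrobin
    # Declared once; the previous configuration repeated this line with the
    # flags in a different order.
    cookie SERVERID insert indirect nocache secure httponly
    # Forward the pinned server id upstream as a quoted header value.
    # NOTE(review): what the IPA side does with this header is not visible
    # here - confirm it is still needed.
    http-request set-header SERVERID %{+Q}[req.cook(SERVERID)]
    # set-header rather than add-header, so a client-supplied
    # X-Forwarded-Proto cannot reach the server alongside ours.
    http-request set-header X-Forwarded-Proto https
    option http-keep-alive
    http-reuse always
    timeout http-request 10s
    timeout http-keep-alive 10s
    # Defensive only: frontend https binds TLS exclusively, so ssl_fc is
    # always true by the time a request gets here.
    redirect scheme https if !{ ssl_fc }
    # Which server the session is pinned to. The matched strings must equal
    # the "cookie" values on the server lines below (10.0.0.101 / 10.0.0.102);
    # the previous ACLs compared against other addresses and never matched.
    acl hdr_ipabd01 req.cook(SERVERID) -m sub 10.0.0.101
    acl hdr_ipabd02 req.cook(SERVERID) -m sub 10.0.0.102
    # Rewrite the Referer to the pinned server's own FQDN. The previous rules
    # referenced undefined ACLs (hdr_ipa01 / hdr_ipa02), which haproxy rejects
    # at startup, and mixed the ipa0N / ipabd0N hostnames.
    http-request replace-header Referer ^https://.*\.my\.own\.domain(.*)$ https://ipabd01\.my\.own\.domain\1 if hdr_ipabd01
    http-request replace-header Referer ^https://.*\.my\.own\.domain(.*)$ https://ipabd02\.my\.own\.domain\1 if hdr_ipabd02
    # Cookie-domain rewrite. replace-header substitutes the WHOLE header value
    # with the format string, so the regex has to capture everything around
    # the Domain attribute; an unanchored "Domain=...(.*)" pattern would have
    # discarded the cookie's name=value prefix. The hostname in the regex now
    # matches the one tested by the ACL.
    acl hdr_set_cookie_dom_ipabd02 res.hdr(Set-cookie) -m sub Domain=ipabd02.my.own.domain
    http-response replace-header Set-Cookie ^(.*)Domain=ipabd02\.my\.own\.domain(.*)$ \1Domain=ipa.my.own.domain\2 if hdr_set_cookie_dom_ipabd02
    acl hdr_set_cookie_dom_ipabd01 res.hdr(Set-cookie) -m sub Domain=ipabd01.my.own.domain
    http-response replace-header Set-Cookie ^(.*)Domain=ipabd01\.my\.own\.domain(.*)$ \1Domain=ipa.my.own.domain\2 if hdr_set_cookie_dom_ipabd01
    # Backend TLS. "verify none" means the IPA server certificate is not
    # validated, so the proxy cannot detect an impersonated server on the
    # path to 10.0.0.101/102. Preferred form (paths are placeholders):
    #   ssl verify required ca-file <path-to-IPA-CA-bundle> verifyhost <server-FQDN> sni req.hdr(Host)
    # verifyhost is needed because the SNI sent is the public name, not the
    # server's own FQDN. The duplicated "check" keyword is removed.
    server 10.0.0.101 10.0.0.101:443 check cookie 10.0.0.101 ssl verify none sni req.hdr(Host)
    server 10.0.0.102 10.0.0.102:443 check cookie 10.0.0.102 ssl verify none sni req.hdr(Host)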