H2, HTTP/1.1 traffic balance/routing with HAProxy 1.7 (with SSL-Termination) and Nginx 1.10.2
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # Background process, confined to /var/lib/haproxy and running as
    # the haproxy user/group.
    daemon
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    # Process-wide cap on concurrent connections.
    maxconn 2048
    user haproxy
    group haproxy
    # Syslog to the local host, facility local2 (what gets logged is
    # narrowed further by "option dontlog-normal" in defaults).
    log 127.0.0.1 local2
    # Admin/stats socket; absolute path, note the chroot above.
    stats socket /var/lib/haproxy/stats
    # SSL Settings @ https://www.ssllabs.com/ssltest
    # 2048-bit DH parameters for the DHE-* suites in the list below.
    tune.ssl.default-dh-param 2048
    # SSLv3 and session tickets are disabled; TLS 1.0/1.1 stay enabled
    # because no-tlsv10 / no-tlsv11 are not set.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Preference order: ECDHE/DHE AES-GCM first, then CBC suites, then
    # non-PFS AES.  The tail still admits CAMELLIA and 3DES
    # (DES-CBC3-SHA), so a client lacking AES can negotiate them;
    # trim those if no such clients need to be supported.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # HTTP mode unless a section overrides it (the http2 frontend and
    # backend below switch to "mode tcp").
    mode http
    log global
    # Do not log normal, successful traffic; errors, timeouts and
    # retries are still logged.
    option dontlog-normal
    # Connection attempts towards a server before giving up.
    retries 3
    # Complete request headers must arrive within 10s (limits slow
    # header attacks); keep-alive idle connections are closed after 10s.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 5s
#---------------------------------------------------------------------
# frontend which handles http request and redirects to https
#---------------------------------------------------------------------
frontend http-local
    # Plain HTTP on port 80, IPv4 and IPv6.
    bind :::80 v4v6
    option http-server-close
    option forwardfor
    # Redirect to https.  This bind carries no "ssl", so ssl_fc is never
    # true here and the redirect applies to every request.  No exception
    # ACLs are defined in this section; anything that must stay on
    # port 80 needs a rule added ahead of the redirect.
    acl ssl_conn ssl_fc
    redirect scheme https code 301 unless ssl_conn
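#---------------------------------------------------------------------
# 1) frontend which terminates ssl and proxys clear http traffic
#---------------------------------------------------------------------
# NOTE: this section and "2) frontend https-http2-local" both bind
# :::443 with the same certificate directory.  The 1)/2) numbering
# reads as two alternatives; keep only one of them active, otherwise
# which frontend accepts a given connection is left to the kernel.
frontend https-local
    # TLS terminated here; certificates loaded from the crt directory.
    bind :::443 v4v6 ssl crt /etc/ssl/certs/haproxy
    option forwardfor
    # Route by SNI.  ssl_fc_sni_end is a suffix match, so it also
    # accepts any name that merely ends in "example.com"; use ssl_fc_sni
    # with the exact hostname(s) if that is not intended.
    acl application ssl_fc_sni_end -i example.com
    # Must name a backend that exists in this file: the application
    # pool is defined as "local-application" below.  An unknown backend
    # name is a fatal configuration error.
    use_backend local-application if application
    default_backend local-default-http11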
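#---------------------------------------------------------------------
# 2) frontend which terminates ssl and proxys raw http2 traffic
#---------------------------------------------------------------------
# NOTE: binds the same :::443 as "1) frontend https-local" above; the
# two sections are alternatives, keep only one of them active.
frontend https-http2-local
    # TLS terminated here; ALPN offers h2 first, then http/1.1.
    bind :::443 v4v6 ssl crt /etc/ssl/certs/haproxy alpn h2,http/1.1
    # TCP mode: HAProxy 1.7 has no native HTTP/2 support, so h2 streams
    # are relayed as opaque bytes to the h2 backend.
    mode tcp
    option tcpka
    # Accept once the TLS handshake is complete (5s upper bound).
    # req_ssl_hello_type cannot be used on this bind: with "ssl" the
    # request buffer holds the deciphered application data, not the raw
    # ClientHello record, so such a rule would never match and every
    # connection would sit in content inspection until the delay ran out.
    tcp-request inspect-delay 5s
    tcp-request content accept if { ssl_fc }
    # The ALPN protocol negotiated during the handshake picks the backend.
    acl speak_alpn_h2 ssl_fc_alpn -i h2
    use_backend local-default-http2 if speak_alpn_h2
    default_backend local-default-http11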
#---------------------------------------------------------------------
# backend which handles plain http/1.1 request
#---------------------------------------------------------------------
backend local-default-http11
    # HSTS is injected here, so it only reaches clients that land on this
    # HTTP-mode backend (HTTP/1.1).  h2 connections go through the
    # tcp-mode backend below, where HAProxy cannot touch headers, so
    # nginx has to emit Strict-Transport-Security for those itself.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
    # send-proxy: the client address travels to nginx in a PROXY protocol
    # header (the nginx listen on 5008 has proxy_protocol).  "check"
    # without "option httpchk" is a plain TCP connect check.
    server nginx_http 127.0.0.1:5008 check send-proxy
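#---------------------------------------------------------------------
# backend which handles plain raw http/2 request
#---------------------------------------------------------------------
backend local-default-http2
    # TLS was terminated by the frontend, so this backend relays the
    # deciphered h2 byte stream (HAProxy 1.7 has no native HTTP/2).
    # Being tcp mode, no http-response rules (e.g. HSTS) can apply here.
    mode tcp
    # No TLS-hello inspection or SSL-session-ID stickiness in this
    # backend: req_ssl_hello_type / rep_ssl_hello_type / payload_lv(43,1)
    # only work on raw (pass-through) TLS records.  On a deciphered
    # stream they never match, and the accompanying inspect-delay would
    # merely hold each connection in content inspection until it expired.
    # With a single server there is nothing to stick to anyway.
    # send-proxy hands the client address to nginx in a PROXY protocol
    # header (the nginx listen on 5009 has proxy_protocol); "check" is a
    # plain TCP connect check.
    server nginx_http2 127.0.0.1:5009 check send-proxy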
#---------------------------------------------------------------------
# backends for specified usage
#---------------------------------------------------------------------
# Application pool; the use_backend rule in frontend https-local must
# name this backend exactly ("local-application").
backend local-application
    balance roundrobin
    # Primary pool: plain HTTP inside the private network.
    server app1 10.0.0.201:80 check
    server app2 10.0.0.202:80 check
    # Backup pool over TLS, used only when every non-backup server is down.
    # "verify none" disables certificate verification towards these
    # hosts, so HAProxy accepts any certificate presented on that path
    # (no protection against interception).  Prefer "verify required"
    # with a ca-file once the backup hosts have a trusted certificate.
    server app3 1.2.3.4:443 check backup ssl verify none
    server app4 5.6.7.8:443 check backup ssl verify none
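server {
    ## HTTP/1.1 on 5008 and cleartext HTTP/2 on 5009; TLS is terminated
    ## by HAProxy, which reaches both over loopback with the PROXY
    ## protocol.  Keep these listeners on loopback only.
    listen 127.0.0.1:5008 proxy_protocol default_server; # HTTP/1.1 server as fallback_server;
    listen [::1]:5008 proxy_protocol default_server;
    listen 127.0.0.1:5009 http2 proxy_protocol default_server; # HTTP/2 server without SSL as we have terminated it at haproxy
    listen [::1]:5009 http2 proxy_protocol default_server;
    server_name _;
    server_tokens off;
    ## Trust the PROXY protocol header only from the load balancer.
    ## Both loopback addresses are listed because the listeners above
    ## also accept on [::1]; without ::1 a connection arriving there
    ## would keep ::1 as the client address.
    set_real_ip_from 127.0.0.1; # IP or subnet of your Load-balancers
    set_real_ip_from ::1;
    real_ip_header proxy_protocol;
    real_ip_recursive on;
    ## Headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ## NOTE: HAProxy adds Strict-Transport-Security only on its HTTP/1.1
    ## backend; the tcp-mode h2 backend cannot, so HTTP/2 responses carry
    ## no HSTS header unless nginx adds it.
    ## < CUSTOMIZE WITH YOUR NGINX ROOT/LOCATION SETTINGS BELOW > ##
    ## Document root
    root /Library/WebServer/Documents;
    ## Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store(Mac)
    ## Placed ahead of the PHP location on purpose: regex locations are
    ## tried in order of appearance and the first match wins, so a path
    ## like /.hidden/x.php must hit this block instead of FastCGI.
    location ~ /\. {
        deny all;
    }
    location / {
        index index.html index.htm index.php;
        try_files $uri $uri/ =404;
    }
    ## Pass the PHP scripts to FastCGI server listening on socket
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass unix:/var/opt/remi/php71/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }
}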
Looks to be great work. Testing soon, thanks!