Created
December 10, 2019 22:52
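#---------------------------------------------------------------------
# HAProxy TCP-mode TLS passthrough to an upstream listener on :443.
# TLS is NOT terminated here (the bind line carries no "ssl" keyword):
# HAProxy only inspects the cleartext ClientHello/ServerHello framing
# and forwards the raw stream. The ssl-default-* settings in "global"
# therefore only take effect if a "bind ... ssl crt ..." line is added.
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2 info
    maxconn 4096
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    # "level admin" allows runtime control over this socket (disabling
    # servers, clearing stick tables, ...); mode 600 restricts it to the
    # socket's owner, so do not loosen it.
    stats socket /var/lib/haproxy/stats mode 600 level admin
    stats timeout 30m
    user haproxy
    group haproxy
    daemon

    # ssl settings, as we want to get pretty result
    # @ https://www.ssllabs.com/ssltest
    # Only used by bind lines that terminate TLS; inert for the passthrough
    # frontend below, but kept correct for when termination is enabled.
    tune.ssl.default-dh-param 2048
    # TLS 1.0/1.1 are disabled alongside SSLv3; no-tls-tickets keeps
    # resumption state in the server-side session cache rather than in
    # client-held tickets.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # DES-CBC3-SHA was dropped from the list and 3DES excluded explicitly:
    # 64-bit block ciphers are weak (SWEET32) and "!DES" does not match
    # triple DES, so the original list still offered it.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES

defaults
    mode tcp
    log global
    #option httplog
    # tcplog records the client address, the frontend/backend/server chosen,
    # the session timers and the termination state for every TCP session;
    # without it the log line carries little that helps an incident review.
    option tcplog
    option dontlognull
    option tcpka
    retries 3
    # The http-* timeouts are ignored in "mode tcp"; they are kept so an
    # HTTP section added later inherits sane values.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 10m
    timeout server 10m
    timeout http-keep-alive 10s
    timeout check 10s

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend myfront
    bind :::443 v4v6
    default_backend proxy_https
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Without an explicit reject, a connection that never presents a TLS
    # ClientHello is still forwarded once the inspect delay expires; drop
    # it instead, since only TLS is expected on this port.
    tcp-request content reject

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend proxy_https
    #mode http
    balance roundrobin
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # NOTE(review): TLS 1.3 clients put a fresh random value in the legacy
    # session ID field on every new connection, so this stickiness only
    # holds for TLS <= 1.2 session-ID resumption; confirm it is still
    # needed for the client population before relying on it.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    # send-proxy prepends a PROXY protocol header carrying the original
    # client address (health checks included unless a separate check
    # address/port is set). The upstream must expect PROXY protocol on this
    # port and should accept that header only from this proxy's addresses,
    # because it is taken as the authoritative client source address.
    server server1 proxying_to_another_elb:443 check send-proxy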