Final haproxy.cfg for letsencrypt
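global
    # Ship logs to the local syslog daemon (UDP 127.0.0.1:514, facility "syslog");
    # rsyslog/syslog-ng must be configured to accept UDP on loopback.
    log 127.0.0.1 syslog
    # Process-wide cap on concurrent connections.
    maxconn 1000
    # Drop root after binding 80/443 and detach from the terminal.
    user haproxy
    group haproxy
    daemon
    # 4096-bit ephemeral DH parameters for the EDH suites below
    # (HAProxy's built-in default is 1024 bits, which is too weak).
    tune.ssl.default-dh-param 4096
    # TLS hardening applied to every `bind ... ssl` line:
    #   no-sslv3/no-tlsv10/no-tlsv11 - only TLS 1.2+ is negotiable. The original
    #     left TLS 1.0/1.1 enabled; both are deprecated (RFC 8996) and fail
    #     current compliance baselines. Check for legacy clients before deploying.
    #   no-tls-tickets - session tickets are disabled so a long-lived ticket key
    #     cannot undermine the forward secrecy the cipher list is chosen for.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Forward-secret (ECDHE/DHE) suites only: AEAD (GCM) first, AES-256 CBC as fallback.
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH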
defaults
    # Inherit the global log target and log at HTTP-request granularity.
    log global
    option httplog
    # Do not log connections that sent no data (monitoring probes, port scans).
    option dontlognull
    mode http
    # Close the server-side connection after each response; the client side
    # may stay open.
    option http-server-close
    # Insert X-Forwarded-For with the client IP, except for loopback clients.
    option forwardfor except 127.0.0.0/8
    # If the chosen server is down, pick another one rather than failing.
    option redispatch
    # Update stats counters while a connection is open, not only at close.
    option contstats
    retries 3

    # Timeouts: TCP connect to a backend, full client request headers,
    # waiting for a server slot, client/server inactivity, health-check reply.
    timeout connect 10s
    timeout http-request 10s
    timeout queue 1m
    timeout client 1m
    timeout server 1m
    timeout check 10s
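###########################################
#
# HAProxy Stats page
#
###########################################
listen stats
    # Loopback only. The page is plain HTTP behind a single basic-auth
    # credential, so it must not be reachable from the network (the original
    # bound *:9090 with admin:admin). Reach it over an SSH tunnel, or bind an
    # admin-only interface and add `http-request deny unless { src <admin-cidr> }`.
    bind 127.0.0.1:9090
    mode http
    maxconn 10
    stats enable
    # Do not disclose the HAProxy version to whoever reaches the page.
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    # Replace the placeholder with a strong, unique password before deploying,
    # and keep real credentials out of committed/published config (render this
    # line from a secret at deploy time).
    stats auth admin:CHANGE_ME_STRONG_PASSWORD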
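###########################################
#
# Front end for all
#
###########################################
frontend ALL
    bind *:80
    # One certificate per hostname; the one matching the client's SNI is used
    # (the first listed is the default when SNI does not match).
    bind *:443 ssl crt /etc/haproxy/certs/bar.test.10x13.com.pem crt /etc/haproxy/certs/foo.test.10x13.com.pem
    mode http

    # ACME HTTP-01 challenges are fetched over plain HTTP; route them to the
    # local ACME client regardless of Host.
    acl is_letsencrypt path_beg -i /.well-known/acme-challenge/
    use_backend letsencrypt if is_letsencrypt

    # Host-based routing. Any other Host matches no backend and, since there is
    # no default_backend, gets HAProxy's 503 response.
    acl host_foo hdr(host) -i foo.test.10x13.com
    acl host_bar hdr(host) -i bar.test.10x13.com
    use_backend foo if host_foo
    use_backend bar if host_bar

    # Force HTTPS. HAProxy evaluates redirect rules before use_backend, so the
    # ACME exclusion has to sit on the redirect itself: the challenge arrives
    # on port 80 and must not be bounced to 443.
    redirect scheme https code 301 if !{ ssl_fc } !is_letsencrypt

    # The backends only ever see plain HTTP from HAProxy; tell them the client
    # used TLS so they emit https:// URLs and Secure cookies.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # HSTS: without it every fresh visit starts over plain HTTP and the 301
    # above can be stripped by an on-path attacker. Sent only on TLS responses
    # as the spec requires. Start with a short max-age (e.g. 300) while
    # validating, then raise it; one year is the usual production value.
    http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }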
###########################################
#
# Back end letsencrypt
#
###########################################
# Receives only /.well-known/acme-challenge/* requests (routed from frontend ALL).
# NOTE(review): presumably the ACME client (e.g. certbot --standalone
# --http-01-port 8888) listens here only during issuance/renewal - confirm
# against the renewal job. No health check is configured: outside renewal
# nothing listens on 8888 and challenge requests simply fail, which is fine.
backend letsencrypt
    server letsencrypt 127.0.0.1:8888
###########################################
#
# Back end for foo
#
###########################################
backend foo
    balance roundrobin
    # Health check: GET /check must return a body matching ^UP$.
    option httpchk GET /check
    http-check expect rstring ^UP$
    # Probe every 3s; down after 3 consecutive failures, up after 2 successes.
    server server1 192.168.0.10:8080 check inter 3s fall 3 rise 2
    server server2 192.168.0.11:8080 check inter 3s fall 3 rise 2
###########################################
#
# Back end for bar
#
###########################################
backend bar
    balance roundrobin
    # Health check: GET /check must return a body matching ^UP$.
    option httpchk GET /check
    http-check expect rstring ^UP$
    # Probe every 3s; down after 3 consecutive failures, up after 2 successes.
    server server1 192.168.0.12:8080 check inter 3s fall 3 rise 2
    server server2 192.168.0.13:8080 check inter 3s fall 3 rise 2