Created
February 13, 2015 16:42
-
-
Save pweil-/fdf913d26c08f082be31 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| os_http_be.map and os_sni_passthrough.map are both just empty files |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| # maxconn 4096 | |
| user haproxy | |
| group haproxy | |
| daemon | |
| ca-base /etc/ssl | |
| crt-base /etc/ssl | |
| stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin | |
| stats timeout 2m | |
| defaults | |
| # maxconn 4096 | |
| # Add x-forwarded-for header. | |
| timeout connect 5s | |
| timeout client 30s | |
| timeout server 30s | |
| # Long timeout for WebSocket connections. | |
| timeout tunnel 1h | |
| frontend public | |
| bind :80 | |
| mode http | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if HTTP | |
| use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE | |
| default_backend openshift_default | |
| # public ssl accepts all connections and isn't checking certificates yet certificates to use will be | |
| # determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend | |
| # that terminates encryption in this router (edge) | |
| frontend public_ssl | |
| bind :443 | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend | |
| acl sni req.ssl_sni -m found | |
| acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found | |
| use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough | |
| # if the route is SNI and NOT passthrough enter the termination flow | |
| use_backend be_sni if { req.ssl_sni -m found } | |
| # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it | |
| # will not be able to match a cert to an SNI host | |
| default_backend be_no_sni | |
| ########################################################################## | |
| # TLS SNI | |
| # | |
| # When using SNI we can terminate encryption with custom certificates. | |
| # Certs will be stored in a directory and will be matched with the SNI host header | |
| # which must exist in the CN of the certificate. Certificates must be concatenated | |
| # as a single file (handled by the plugin writer) per the haproxy documentation. | |
| # | |
| # Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted | |
| # traffic | |
| ########################################################################## | |
| backend be_sni | |
| server fe_sni 127.0.0.1:10444 weight 1 send-proxy | |
| frontend fe_sni | |
| # terminate ssl on edge | |
| bind 127.0.0.1:10444 ssl crt /var/lib/containers/router/certs accept-proxy | |
| mode http | |
| # re-ssl? | |
| acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found | |
| use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt | |
| # regular http | |
| use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE | |
| default_backend openshift_default | |
| ########################################################################## | |
| # END TLS SNI | |
| ########################################################################## | |
| ########################################################################## | |
| # TLS NO SNI | |
| # | |
| # When we don't have SNI the only thing we can try to do is terminate the encryption | |
| # using our wild card certificate. Once that is complete we can either re-encrypt | |
| # the traffic or pass it on to the backends | |
| ########################################################################## | |
| # backend for when sni does not exist, or ssl term needs to happen on the edge | |
| backend be_no_sni | |
| server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy | |
| frontend fe_no_sni | |
| # terminate ssl on edge | |
| bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy | |
| # re-ssl? | |
| acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found | |
| use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt | |
| # regular http | |
| use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE | |
| default_backend openshift_default | |
| ########################################################################## | |
| # END TLS NO SNI | |
| ########################################################################## | |
| backend openshift_default | |
| mode http | |
| option forwardfor | |
| #option http-keep-alive | |
| option http-pretend-keepalive | |
| server openshift_backend 127.0.0.1:8080 | |
| ##-------------- app level unencrypted backends ---------------- | |
| backend be_secure_hello-ws-secure | |
| balance leastconn | |
| timeout check 5000ms | |
| server hello-ws-secure 172.17.0.13:9443 ssl verify none | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| www.example2.com 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| www.example2.com hello-ws-secure |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment