Created
June 5, 2019 09:33
-
-
Save pwrliang/70fe822f1b6acea7b90fdf991467f38e to your computer and use it in GitHub Desktop.
利用Haproxy使Ocserv和HTTPS工作在同一端口
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # Default ciphers to use on SSL-enabled listening sockets. | |
| # For more information, see ciphers(1SSL). This list is from: | |
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
| # An alternative list with additional directives can be obtained from | |
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
| ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
| ssl-default-bind-options no-sslv3 | |
| frontend https-in | |
| bind *:443 | |
| tcp-request inspect-delay 3s | |
| tcp-request content accept if { req.ssl_hello_type 1 } | |
| acl tls req.ssl_hello_type 1 | |
| acl has_sni req.ssl_sni -m found | |
| use_backend ocserv if tls { req.ssl_sni -i ssl.example.com } | |
| use_backend https-out if tls { req.ssl_sni -i www.example.com } | |
| backend ocserv | |
| mode tcp | |
| option ssl-hello-chk | |
| server server-vpn 127.0.0.1:4444 send-proxy-v2 # ocserv工作在本地999端口 | |
| backend https-out | |
| server server-web 127.0.0.1:4443 check # https工作在本地4443端口 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment