seidler2547 · September 15, 2017 13:22 · jult · May 30, 2023
diff --git a/etc_network_interfaces b/etc_network_interfaces
 [ ... ]

 auto vmbr0
 iface vmbr0 inet static
    [ ... ]
    post-up echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
    post-up iptables -t mangle -N DIVERT
    post-up iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    post-up iptables -t mangle -A DIVERT -j MARK --set-mark 74
    post-up iptables -t mangle -A DIVERT -j ACCEPT
    post-up ip rule add fwmark 74 lookup 100
    post-up ip route add local 0.0.0.0/0 dev lo table 100

 [ ... ]
diff --git a/haproxy.cfg b/haproxy.cfg
 global
 	log /dev/log	local1 notice
 	chroot /var/lib/haproxy
 	daemon

 	maxconn 256

 	# Default SSL material locations
 	ca-base /etc/ssl/certs
 	crt-base /etc/ssl/private

 	# set default parameters to the intermediate configuration
 	tune.ssl.default-dh-param 2048
 	ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 	ssl-default-bind-options no-sslv3 no-tls-tickets
 	ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 	ssl-default-server-options no-sslv3 no-tls-tickets

 defaults
 	log	global
 	mode	http
 	option	dontlognull
 	timeout connect 6000
 	timeout client 900000ms
 	timeout server 900000ms
 	errorfile 400 /etc/haproxy/errors/400.http
 	errorfile 403 /etc/haproxy/errors/403.http
 	errorfile 408 /etc/haproxy/errors/408.http
 	errorfile 500 /etc/haproxy/errors/500.http
 	errorfile 502 /etc/haproxy/errors/502.http
 	errorfile 503 /etc/haproxy/errors/503.http
 	errorfile 504 /etc/haproxy/errors/504.http

 listen http-in
  # replace 1.2.3.4 with your public IP
 	bind 1.2.3.4:80 transparent     # transparent here
 	source 0.0.0.0 usesrc clientip  # and usesrc clientip here make the requests appear from the real IPv4

  # fake server for requests not going to any of the domains below
 	server nomatch 1.1.1.1:80

 	use-server dom1 if { req.hdr(Host) -m end mydomain1.com }
 	    server dom1 192.168.24.101:80

 	use-server dom2 if { req.hdr(Host) -m end mydomain2.com }
 	    server dom2 192.168.24.102:80

  use-server dom3 if { req.hdr(Host) -m end sub1.mydomain3.com }
 	    server dom3 192.168.24.103:80

 listen https-in
 	mode tcp
  # replace 1.2.3.4 with your public IP
 	bind 1.2.3.4:443 transparent
 	source 0.0.0.0 usesrc clientip

  # inspect SNI headers
 	tcp-request inspect-delay 5s
 	tcp-request content accept if { req.ssl_hello_type 1 }
 	tcp-request content reject

  # again, fake default server
 	server nomatch 1.1.1.1:443

 	use-server dom1_ssl if { req_ssl_sni -m end mydomain1.com }
 	    server dom1_ssl 192.168.24.101:443

 	use-server dom2_ssl if { req_ssl_sni -m end mydomain2.com }
 	    server dom2_ssl 192.168.24.102:443

 	use-server dom3_ssl if { req_ssl_sni -m end sub1.mydomain3.com }
 	    server dom3_ssl 192.168.24.103:443
	[ ... ]

	auto vmbr0
	iface vmbr0 inet static
	[ ... ]
	post-up echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
	post-up iptables -t mangle -N DIVERT
	post-up iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
	post-up iptables -t mangle -A DIVERT -j MARK --set-mark 74
	post-up iptables -t mangle -A DIVERT -j ACCEPT
	post-up ip rule add fwmark 74 lookup 100
	post-up ip route add local 0.0.0.0/0 dev lo table 100

	[ ... ]
	global
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	daemon

	maxconn 256

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# set default parameters to the intermediate configuration
	tune.ssl.default-dh-param 2048
	ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
	ssl-default-bind-options no-sslv3 no-tls-tickets
	ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
	ssl-default-server-options no-sslv3 no-tls-tickets

	defaults
	log global
	mode http
	option dontlognull
	timeout connect 6000
	timeout client 900000ms
	timeout server 900000ms
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	listen http-in
	# replace 1.2.3.4 with your public IP
	bind 1.2.3.4:80 transparent # transparent here
	source 0.0.0.0 usesrc clientip # and usesrc clientip here make the requests appear from the real IPv4

	# fake server for requests not going to any of the domains below
	server nomatch 1.1.1.1:80

	use-server dom1 if { req.hdr(Host) -m end mydomain1.com }
	server dom1 192.168.24.101:80

	use-server dom2 if { req.hdr(Host) -m end mydomain2.com }
	server dom2 192.168.24.102:80

	use-server dom3 if { req.hdr(Host) -m end sub1.mydomain3.com }
	server dom3 192.168.24.103:80

	listen https-in
	mode tcp
	# replace 1.2.3.4 with your public IP
	bind 1.2.3.4:443 transparent
	source 0.0.0.0 usesrc clientip

	# inspect SNI headers
	tcp-request inspect-delay 5s
	tcp-request content accept if { req.ssl_hello_type 1 }
	tcp-request content reject

	# again, fake default server
	server nomatch 1.1.1.1:443

	use-server dom1_ssl if { req_ssl_sni -m end mydomain1.com }
	server dom1_ssl 192.168.24.101:443

	use-server dom2_ssl if { req_ssl_sni -m end mydomain2.com }
	server dom2_ssl 192.168.24.102:443

	use-server dom3_ssl if { req_ssl_sni -m end sub1.mydomain3.com }
	server dom3_ssl 192.168.24.103:443