Last active
May 6, 2024 21:14
-
-
Save yuezhu/93184b8d8d9f7d0ada0a186cbcda9273 to your computer and use it in GitHub Desktop.
HAProxy config for HTTPS transmission web interface
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| maxconn 16384 | |
| log 127.0.0.1 len 8192 local0 | |
| log-send-hostname | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # Default ciphers to use on SSL-enabled listening sockets. | |
| # For more information, see ciphers(1SSL). This list is from: | |
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
| # An alternative list with additional directives can be obtained from | |
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
| ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
| ssl-default-bind-options no-sslv3 | |
| tune.ssl.default-dh-param 2048 | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| userlist admins | |
| group AdminGroup users user1 | |
| user user1 password **** # Generated by `mkpasswd -m sha-512 [password]` | |
| frontend http-in | |
| bind *:80 | |
| mode http | |
| redirect scheme https code 301 if !{ ssl_fc } | |
| frontend https-in | |
| bind *:443 ssl crt /etc/haproxy/certs/cert.pem | |
| mode http | |
| log-format "\"backend_addr\":\"%si\",\"backend_name\":\"%b\",\"request.client_ip\":\"%ci\",\"request.host\":\"%[capture.req.hdr(2),json("utf8s")]\",\"request.method\":\"%HM\",\"request.path\":\"%HU\",\"request.useragent\":\"%[capture.req.hdr(1),json("utf8s")]\",\"resp.code\":%ST,\"retries_count\":\"%rc\",\"session_duration_ms\":%Tt,\"termination_state\":\"%ts\",\"timestamp\":%Ts,\"captured_request_headers\":%hr,\"captured_response_headers\":%hs" | |
| reqadd X-Forwarded-Proto:\ https | |
| capture request header X-Transmission-Session-Id len 48 | |
| capture response header X-Transmission-Session-Id len 48 | |
| use_backend letsencrypt if { path_beg /.well-known/acme-challenge } | |
| use_backend transmission if { path_beg /transmission } | |
| default_backend deny | |
| backend deny | |
| mode http | |
| http-request deny deny_status 503 | |
| backend transmission | |
| mode http | |
| http-request auth realm MyAuthRealm if !{ http_auth(admins) } | |
| stick-table type binary len 48 size 30k expire 30m | |
| stick store-response hdr(X-Transmission-Session-Id) | |
| stick on hdr(X-Transmission-Session-Id) | |
| server transmission-daemon 127.0.0.1:9091 | |
| backend letsencrypt | |
| server letsencrypt 127.0.0.1:80 | |
| # /etc/rsyslog.d/49-haproxy.conf | |
| $ModLoad imudp | |
| $UDPServerRun 514 | |
| local0.=info -/var/log/haproxy.log | |
| local0.notice -/var/log/haproxy-status.log | |
| # keep logs in localhost | |
| local0.* ~ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment