digitaldemocratic/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf

25 lines
912 B
Plaintext
Raw Normal View History

#
# BEGIN: bind-direct.cnf
#
bind :80
http-request redirect scheme https code 301 unless { ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem
# This comes from the internet, do not trust the forwarding headers
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# But add our forwarding headers instead
option forwardfor
# We are always doing TLS, except for redirections
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https
# New line to test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl
#
# END: bind-direct.cnf
#