digitaldemocratic/dd-waf/docker/haproxy/haproxy.conf

resolvers mydns
    nameserver dns1 127.0.0.11:53

global
    daemon
    log             127.0.0.1    local0
    tune.ssl.default-dh-param 2048
    h1-case-adjust content-type Content-Type
    h1-case-adjust content-encoding Content-Encoding
    h1-case-adjust transfer-encoding Transfer-Encoding

defaults
  mode http
  option  http-server-close
  option  dontlognull
  option  redispatch
  option  contstats
  retries 3
  timeout connect 5s
  timeout http-keep-alive 1s
  # Slowloris protection
  timeout http-request 15s
  timeout queue 30s
  timeout tarpit 1m          # tarpit hold tim
  backlog 10000


frontend tf_waf
  mode http
  bind :80
  # redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
  http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
  http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
  bind :443 ssl crt /certs/chain.pem


  # New line to test URI to see if its a letsencrypt request
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-acl

  default_backend bk_waf

# Traffic secured by the WAF arrives here
frontend ft_web
  bind :81 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
  default_backend bk_web

backend letsencrypt
  server letsencrypt 127.0.0.1:8080

# WAF farm where users' traffic is routed first
backend bk_waf
  mode http
  server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

# application server farm
backend bk_web
  mode http
  server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

listen stats
        bind                0.0.0.0:9999
        mode                http
        stats               enable
        option              httplog
        stats               show-legends
        stats               uri /haproxy
        stats               realm Haproxy\ Statistics
        stats               refresh 5s
        #stats               auth staging:mypassword
        #acl authorized http_auth(AuthUsers)
        #stats          http-request auth unless authorized
        timeout             connect 5000ms
        timeout             client 50000ms
        timeout             server 50000ms

userlist AuthUsers
    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.
Initial config modsecurity 2022-10-25 13:48:10 +02:00			`resolvers mydns`
			`nameserver dns1 127.0.0.11:53`

			`global`
			`daemon`
			`log 127.0.0.1 local0`
			`tune.ssl.default-dh-param 2048`
			`h1-case-adjust content-type Content-Type`
			`h1-case-adjust content-encoding Content-Encoding`
			`h1-case-adjust transfer-encoding Transfer-Encoding`

			`defaults`
			`mode http`
			`option http-server-close`
			`option dontlognull`
			`option redispatch`
			`option contstats`
			`retries 3`
			`timeout connect 5s`
			`timeout http-keep-alive 1s`
			`# Slowloris protection`
			`timeout http-request 15s`
			`timeout queue 30s`
			`timeout tarpit 1m # tarpit hold tim`
			`backlog 10000`


			`frontend tf_waf`
			`mode http`
			`bind :80`
			`# redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }`
			`http-request del-header ssl_client_cert unless { ssl_fc_has_crt }`
			`http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }`
			`bind :443 ssl crt /certs/chain.pem`


			`# New line to test URI to see if its a letsencrypt request`
			`acl letsencrypt-acl path_beg /.well-known/acme-challenge/`
			`use_backend letsencrypt if letsencrypt-acl`

			`default_backend bk_waf`

			`# Traffic secured by the WAF arrives here`
			`frontend ft_web`
			`bind :81 name http`
			`mode http`
			`log global`
			`option httplog`
			`timeout client 25s`
			`maxconn 1000`
			`default_backend bk_web`

			`backend letsencrypt`
			`server letsencrypt 127.0.0.1:8080`

			`# WAF farm where users' traffic is routed first`
			`backend bk_waf`
			`mode http`
			`server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`# application server farm`
			`backend bk_web`
			`mode http`
			`server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`listen stats`
			`bind 0.0.0.0:9999`
			`mode http`
			`stats enable`
			`option httplog`
			`stats show-legends`
			`stats uri /haproxy`
			`stats realm Haproxy\ Statistics`
			`stats refresh 5s`
			`#stats auth staging:mypassword`
			`#acl authorized http_auth(AuthUsers)`
			`#stats http-request auth unless authorized`
			`timeout connect 5000ms`
			`timeout client 50000ms`
			`timeout server 50000ms`

			`userlist AuthUsers`
			`user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.`