# HAProxy front door: terminates HTTP/HTTPS, sends external traffic through a
# ModSecurity WAF farm (bk_waf) and receives it back on a second frontend
# (ft_web) before it reaches the application (bk_web).
# The listing was collapsed onto one line; line breaks are restored here, one
# directive per line, because a '#' comments out the rest of its line.

# DNS resolver used by the "server ... resolvers mydns" lines below.
resolvers mydns
  nameserver dns1 127.0.0.11:53

global
  daemon
  log 127.0.0.1 local0
  # NOTE(review): only the DH parameter size is set; no ssl-default-bind-options
  # or cipher directives appear in this file, so TLS versions and ciphers follow
  # the build defaults. Confirm that is intended.
  tune.ssl.default-dh-param 2048
  # NOTE(review): h1-case-adjust entries are applied only where
  # "option h1-case-adjust-bogus-client" or "-bogus-server" is enabled; neither
  # option appears in this file.
  h1-case-adjust content-type Content-Type
  h1-case-adjust content-encoding Content-Encoding
  h1-case-adjust transfer-encoding Transfer-Encoding

defaults
  mode http
  option http-server-close
  option dontlognull
  option redispatch
  option contstats
  retries 3
  timeout connect 5s
  timeout http-keep-alive 1s
  # Slowloris protection: bounds how long a client may take to send its request.
  timeout http-request 15s
  timeout queue 30s
  timeout tarpit 1m # tarpit hold time
  backlog 10000
  # NOTE(review): no "timeout client" or "timeout server" is set here. Only
  # ft_web and the stats listener set their own, so tf_waf and the three
  # backends run without them, which leaves idle connections unbounded.

# Public entry point (plain HTTP on :80, TLS on :443).
frontend tf_waf
  mode http
  bind :80
  # The HTTP-to-HTTPS redirect below is disabled, so requests on :80 are served
  # and forwarded in clear text.
  # redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
  # Drop any client-supplied ssl_client_cert header unless the TLS connection
  # actually carried a client certificate, so the header cannot be spoofed.
  http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
  # Forward the presented client certificate to the backend as PEM-style text.
  # NOTE(review): the trailing "\ " escapes the space before "if", which would
  # make " if" part of the header value; check whether the original file has a
  # second, unescaped space there that was lost in extraction.
  http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
  # NOTE(review): this bind line has no "verify" or "ca-file", and the default
  # is not to request a client certificate, so ssl_fc_has_crt is not expected
  # to match. If the backend trusts ssl_client_cert for authentication, the
  # certificate must also be verified here.
  bind :443 ssl crt /certs/chain.pem
  # Route ACME HTTP-01 challenge requests to the local Let's Encrypt responder.
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-acl
  # Internal traffic
  # NOTE(review): any source in 192.168.0.0/16 skips the WAF. If this instance
  # sits behind another proxy or NAT in that range (the disabled redirect
  # refers to BEHIND_PROXY), every request carries such a source address and
  # none is inspected. Confirm what "src" is in each deployment.
  use_backend bk_web if { src 192.168.0.0/16 }
  default_backend bk_waf

# Traffic secured by the WAF arrives here
# NOTE(review): ":81" listens on all interfaces and forwards straight to bk_web.
# Confirm the port is reachable only from the WAF containers, since any other
# client that can reach it bypasses inspection.
frontend ft_web
  bind :81 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
  default_backend bk_web

# Local ACME challenge responder.
backend letsencrypt
  server letsencrypt 127.0.0.1:8080

# WAF farm where users' traffic is routed first
backend bk_waf
  mode http
  # "init-addr none" lets HAProxy start before the name resolves; the server
  # stays down until the mydns resolver returns an address.
  server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

# application server farm
backend bk_web
  mode http
  server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

# Statistics page at /haproxy on port 9999.
# NOTE(review): the listener binds 0.0.0.0 and every authentication directive
# below is commented out, so the stats page is served to anyone who can reach
# :9999. Bind it to a management address or re-enable the http_auth check
# against the AuthUsers userlist.
listen stats
  bind 0.0.0.0:9999
  mode http
  stats enable
  option httplog
  stats show-legends
  stats uri /haproxy
  stats realm Haproxy\ Statistics
  stats refresh 5s
  # NOTE(review): the next line holds a clear-text credential even though it is
  # disabled. Remove it, and rotate the password if it was ever in use.
  #stats auth staging:mypassword
  #acl authorized http_auth(AuthUsers)
  #stats http-request auth unless authorized
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

# Users for the (currently disabled) stats authentication.
# NOTE(review): no active directive references this userlist. The "$6$" value
# is a salted SHA-512 crypt hash stored in the config file; treat the file as
# sensitive and rotate the password if the file has been published.
userlist AuthUsers
  user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.