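#
# BEGIN: bind-direct.cnf
#
# Frontend fragment for the case where HAProxy faces the internet directly:
# it terminates TLS itself, so nothing a client sends about TLS state, the
# client certificate or the forwarding chain is trusted. Each such header is
# removed and rebuilt from HAProxy's own view of the connection.
bind :80
# Clear-text requests stop here with a permanent redirect, so every rule
# below only ever sees requests that arrived over TLS.
http-request redirect scheme https code 301 unless { ssl_fc }
# Client-certificate header: drop whatever the client sent, then set it from
# the certificate presented in the handshake (DER, base64, PEM markers added).
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
# Also drop the hyphenated spelling. A backend that exposes headers CGI-style
# (HTTP_SSL_CLIENT_CERT) cannot tell "ssl-client-cert" from "ssl_client_cert",
# and only the underscore form was being removed. HAProxy never emits the
# hyphenated form itself, so this delete is unconditional.
http-request del-header ssl-client-cert
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
# NOTE(review): this bind line has no "verify" / "ca-file" setting, so HAProxy
# presumably never requests a client certificate here and ssl_fc_has_crt stays
# false. If client-certificate auth is meant to work in this mode, add
# "ca-file <CA_BUNDLE_PATH> verify optional" (placeholder path) and have the
# backend rely on the header only when verification succeeded. Confirm intent.
bind :443 ssl crt /certs/chain.pem

# This comes from the internet, do not trust the forwarding headers
# NOTE(review): only these two are stripped. If the backend also honours
# "Forwarded", "X-Real-IP", "X-Forwarded-Host" or "X-Forwarded-Port", strip
# those here as well. Verify against the backend configuration.
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# But add our forwarding headers instead
option forwardfor
# We are always doing TLS, except for redirections
# set-header replaces any client-supplied X-SSL value with HAProxy's own.
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https

# Test the URI to see if it's a letsencrypt (ACME HTTP-01) request
# NOTE(review): plain-HTTP challenge requests hit the 301 above before this
# routing applies, so the letsencrypt backend is only reached over TLS.
# Confirm that is intended.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl
#
# END: bind-direct.cnf
#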