digitaldemocratic/dd-waf/docker/haproxy/haproxy.cfg

87 lines
2.5 KiB
INI

resolvers mydns
nameserver dns1 127.0.0.11:53
global
daemon
log 127.0.0.1 local0
tune.ssl.default-dh-param 2048
h1-case-adjust content-type Content-Type
h1-case-adjust content-encoding Content-Encoding
h1-case-adjust transfer-encoding Transfer-Encoding
defaults
mode http
option http-server-close
option dontlognull
option redispatch
option contstats
retries 3
timeout connect 5s
timeout http-keep-alive 1s
# Slowloris protection
timeout http-request 15s
timeout queue 30s
timeout tarpit 1m # tarpit hold tim
backlog 10000
frontend tf_waf
mode http
bind :80
http-request redirect scheme https code 301 unless { ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem
# New line to test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl
# Internal traffic
use_backend bk_web if { src 192.168.0.0/16 }
default_backend bk_waf
# Traffic secured by the WAF arrives here
frontend ft_web
bind :81 name http
mode http
log global
option httplog
timeout client 25s
maxconn 1000
default_backend bk_web
backend letsencrypt
server letsencrypt 127.0.0.1:8080
# WAF farm where users' traffic is routed first
backend bk_waf
mode http
server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
# application server farm
backend bk_web
mode http
server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
listen stats
bind 0.0.0.0:9999
mode http
stats enable
option httplog
stats show-legends
stats uri /haproxy
stats realm Haproxy\ Statistics
stats refresh 5s
#stats auth staging:mypassword
#acl authorized http_auth(AuthUsers)
#stats http-request auth unless authorized
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
userlist AuthUsers
user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.