87 lines
2.5 KiB
INI
87 lines
2.5 KiB
INI
resolvers mydns
|
|
nameserver dns1 127.0.0.11:53
|
|
|
|
global
|
|
daemon
|
|
log 127.0.0.1 local0
|
|
tune.ssl.default-dh-param 2048
|
|
h1-case-adjust content-type Content-Type
|
|
h1-case-adjust content-encoding Content-Encoding
|
|
h1-case-adjust transfer-encoding Transfer-Encoding
|
|
|
|
defaults
|
|
mode http
|
|
option http-server-close
|
|
option dontlognull
|
|
option redispatch
|
|
option contstats
|
|
retries 3
|
|
timeout connect 5s
|
|
timeout http-keep-alive 1s
|
|
# Slowloris protection
|
|
timeout http-request 15s
|
|
timeout queue 30s
|
|
timeout tarpit 1m # tarpit hold tim
|
|
backlog 10000
|
|
|
|
|
|
frontend tf_waf
|
|
mode http
|
|
bind :80
|
|
http-request redirect scheme https code 301 unless { ssl_fc }
|
|
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
|
|
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
|
|
bind :443 ssl crt /certs/chain.pem
|
|
|
|
|
|
# New line to test URI to see if its a letsencrypt request
|
|
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
|
|
use_backend letsencrypt if letsencrypt-acl
|
|
|
|
# Internal traffic
|
|
use_backend bk_web if { src 192.168.0.0/16 }
|
|
|
|
default_backend bk_waf
|
|
|
|
# Traffic secured by the WAF arrives here
|
|
frontend ft_web
|
|
bind :81 name http
|
|
mode http
|
|
log global
|
|
option httplog
|
|
timeout client 25s
|
|
maxconn 1000
|
|
default_backend bk_web
|
|
|
|
backend letsencrypt
|
|
server letsencrypt 127.0.0.1:8080
|
|
|
|
# WAF farm where users' traffic is routed first
|
|
backend bk_waf
|
|
mode http
|
|
server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
|
|
|
|
# application server farm
|
|
backend bk_web
|
|
mode http
|
|
server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
|
|
|
|
listen stats
|
|
bind 0.0.0.0:9999
|
|
mode http
|
|
stats enable
|
|
option httplog
|
|
stats show-legends
|
|
stats uri /haproxy
|
|
stats realm Haproxy\ Statistics
|
|
stats refresh 5s
|
|
#stats auth staging:mypassword
|
|
#acl authorized http_auth(AuthUsers)
|
|
#stats http-request auth unless authorized
|
|
timeout connect 5000ms
|
|
timeout client 50000ms
|
|
timeout server 50000ms
|
|
|
|
userlist AuthUsers
|
|
user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.
|