
@aebian
Created May 25, 2021 18:03
# HTTPS entry point: accepts TLS on 10.0.0.120:443, terminates it with the
# certificate given by `crt`, and hands the stream to backend gw-web-ssl.
listen www-https
# NOTE(review): the cipher string lists ECDHE-RSA-AES256-SHA (CBC with a SHA-1
# MAC) first and then falls back to the broad HIGH group. `ciphers` only governs
# TLS 1.2 and below, and no minimum protocol version is set on this line.
# Confirm that the global section enforces one (e.g. ssl-default-bind-options
# with ssl-min-ver TLSv1.2) and prefer AEAD suites (GCM / CHACHA20).
bind 10.0.0.120:443 ssl crt /path/to/the/fullchain.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH #SSL offloading
# TCP mode: HAProxy does not parse HTTP here, so it cannot add X-Forwarded-For
# itself; the client address is carried by the PROXY protocol on the server line.
mode tcp
option tcplog
# Wait up to 5s for enough data to evaluate the content rule below, then accept
# connections whose first bytes look like a TLS ClientHello.
# NOTE(review): no reject rule follows and tcp-request content defaults to
# accept, so this pair does not filter anything. Because `bind ... ssl` already
# terminates TLS, confirm whether req_ssl_hello_type can match here at all; the
# pattern usually belongs to TLS passthrough listeners without `ssl` on bind.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend gw-web-ssl
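# Backend for www-https: a single nginx instance on the local host, port 444.
backend gw-web-ssl
mode tcp
# send-proxy-v2 prepends a PROXY protocol v2 header so nginx can recover the
# original client address; `maxconn 20` caps concurrent connections to nginx.
# `ssl` re-encrypts the hop to nginx, but `verify none` disables validation of
# the certificate nginx presents, so ca-file plays no part in the decision.
# The target is loopback here, which limits the exposure; before pointing this
# server at a remote address, switch to `verify required` with a ca-file that
# holds the issuing CA (and `verifyhost` if the name must be checked).
# The duplicated trailing `check` keyword was dropped; one enables health checks.
server ssl-lb 127.0.0.1:444 send-proxy-v2 check maxconn 20 ssl ca-file /path/to/the/fullchain.cer verify none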
# realip: replace the connection's peer address with the client address taken
# from the PROXY protocol header, but only when the connection comes from one of
# the trusted proxies listed here. Every address in this list can assert any
# client IP, so keep it limited to the load balancers.
# NOTE(review): the HAProxy server line on this page connects to 127.0.0.1:444.
# If nginx sees those connections as coming from 127.0.0.1, that address is not
# in this list, $remote_addr stays 127.0.0.1, and the allow/deny rule on /admin
# is evaluated against the proxy rather than the client. Confirm which source
# address nginx actually sees before relying on IP-based access rules.
set_real_ip_from 10.0.0.120;
set_real_ip_from 10.0.0.121;
real_ip_header proxy_protocol;
# NOTE(review): presumably has no effect with proxy_protocol, which carries a
# single address rather than a list; confirm.
real_ip_recursive on;
# Derives a value for the Connection header from the client's Upgrade header:
# "upgrade" when Upgrade is present, "close" when it is empty.
# NOTE(review): $connection_upgrade is not referenced by the server block shown
# on this page; WebSocket proxying would also need proxy_http_version 1.1 and
# the Upgrade/Connection headers set in the proxied location.
map $http_upgrade $connection_upgrade
{
default upgrade;
'' close;
}
# Application server behind nginx. The server block proxies to it with http://,
# so this hop to 10.0.0.8:80 is unencrypted; keep it on a trusted network segment.
upstream yourapp-default { server 10.0.0.8:80; }
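# TLS virtual host for yourapp.example.com, reached through HAProxy with the
# PROXY protocol and proxied to the yourapp-default upstream.
server
{
    # `proxy_protocol` makes nginx expect a PROXY header on every connection to
    # this port, so it must only be reachable by the load balancer.
    # NOTE(review): no address is given, so the socket listens on all interfaces;
    # the HAProxy server line on this page connects to 127.0.0.1:444, so binding
    # to 127.0.0.1:444 would probably be enough. Confirm against the deployment.
    listen 444 ssl http2 proxy_protocol;
    include includes/certs/cert-wildcard-example.com.conf; # Certificate Locations and HSTS Settings, use your own :)
    include includes/certs/ssl-base.conf; # Basic Cipher Settings, use your own :)
    client_max_body_size 128M;
    server_name yourapp.example.com;

    # Forwarding headers live at server level so that every proxied location
    # sends them; previously only `location /` did, and /admin reached the
    # upstream without Host, X-Real-IP and X-Forwarded-*. nginx drops inherited
    # proxy_set_header directives as soon as a location defines one of its own,
    # so repeat all four there if a location ever needs an extra header.
    proxy_set_header Host $host;
    # $remote_addr is the PROXY-protocol client address only when the connecting
    # proxy is listed in set_real_ip_from; otherwise it is the proxy's address.
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    # the client sent, so the application should trust only the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location /
    {
        proxy_pass http://yourapp-default;
    }

    # Admin area restricted to 10.0.0.14. The rule is checked against the client
    # address after realip processing, so it is only as trustworthy as the
    # set_real_ip_from list. This is a prefix match: it also covers paths such
    # as /administrator.
    location /admin
    {
        allow 10.0.0.14;
        deny all;
        proxy_pass http://yourapp-default;
    }

    # Never serve .htaccess/.htpasswd-style files.
    location ~ /\.ht
    {
        deny all;
    }
}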