Haproxy config in front of letsencrypt traefik docker
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
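global
    # To have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # Runtime API / stats socket. Without an explicit 'mode' the socket file
    # gets umask-derived permissions and the default access level, so any
    # local account able to open it can inspect and alter server state.
    # mode 600 limits it to the creating user (normally root, as listeners
    # are bound before privileges are dropped); 'level admin' keeps the full
    # command set for that user.
    stats socket /var/lib/haproxy/stats mode 600 level admin

    # TLS policy applied to any bind or server that carries the 'ssl'
    # keyword. In this file the only ssl bind (port 443 in http_services)
    # is commented out and port 443 is forwarded as plain TCP, so these
    # defaults have no effect until such a bind or server is enabled.
    # The cipher list still permits RSA key exchange (RSA+AESGCM, RSA+AES)
    # as a non-forward-secret fallback.
    ssl-default-bind-options   no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers   ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    tune.ssl.default-dh-param  2048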
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Inherited by every frontend/backend below unless the section overrides
    # it (the port-443 sections switch to 'mode tcp').
    mode                    http
    log                     global

    # Logging: HTTP-format log lines; connections that close without
    # sending data are not logged.
    option                  httplog
    option                  dontlognull

    # Server-side connections are closed after each response; the client
    # side may keep its connection open.
    option                  http-server-close
    # X-Forwarded-For is not added. If enabled it only affects http-mode
    # sections; the tcp passthrough on 443 would still hide the client
    # address from the backend.
    #option forwardfor except 127.0.0.0/8

    # On connection failure retry, and allow a different server to be
    # picked for the retry.
    retries                 3
    option                  redispatch

    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s

    maxconn                 3000
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
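frontend http_services
    mode http
    bind *:80
    #bind *:443 ssl list crt /etc/haproxy/.ssl/ssl-list.txt

    # ACME HTTP-01 validation. If Traefik issues its certificates with the
    # HTTP-01 challenge, its responder answers only on the entrypoint the
    # resolver is bound to (typically the port-80 one). Let's Encrypt does
    # follow redirects, but a redirected request lands on the TLS
    # passthrough and may not be answered there, so the challenge path is
    # forwarded to the port-80 backend instead of being redirected. The
    # exemption is harmless if TLS-ALPN-01 is used.
    acl acme_challenge path_beg /.well-known/acme-challenge/

    # Everything else goes to https. '{ ssl_fc }' is only true on an 'ssl'
    # bind; while the 443 ssl bind above stays commented out this applies to
    # every non-ACME request on port 80, so default_backend is reached only
    # by the challenge traffic.
    http-request redirect scheme https if !{ ssl_fc } !acme_challenge

    default_backend http_services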
frontend https_services
    mode tcp
    option tcplog
    bind *:443
    # TLS is not terminated here: the connection is relayed as opaque TCP
    # (no 'ssl' on the bind, so the ssl-default-bind-* settings in 'global'
    # do not apply). The servers in https_services carry no send-proxy, so
    # the backend sees HAProxy's own address as the client address -- worth
    # remembering for its access logs and any source-IP based rules.
    default_backend https_services
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
# balance roundrobin
# server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
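backend http_services
    mode http
    balance roundrobin
    # Health checks were missing here while the https_services nodes have
    # them; without 'check' a dead node keeps receiving its share of
    # requests. The default check is a TCP connect to the server port.
    server node1 192.168.1.14:80 check
    server node2 192.168.1.11:80 check
    server node3 192.168.1.10:80 check
    server node4 192.168.1.22:80 check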
backend https_services
    mode tcp
    # Pin each client source address to one node so a TLS session (and
    # whatever application session rides on it) keeps reaching the same
    # backend node.
    balance source
    # The health check sends an SSLv3-format ClientHello and appears to
    # pass as soon as the node answers with a TLS record (handshake or
    # alert); it shows the port speaks TLS, not that a valid certificate
    # is served. 'check-ssl' is the newer alternative if a full handshake
    # is wanted -- note it needs a matching 'verify' setting.
    option ssl-hello-chk
    server node1 192.168.1.14:443 check
    server node2 192.168.1.11:443 check
    server node3 192.168.1.10:443 check
    server node4 192.168.1.22:443 check