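# haproxy.cfg — TLS termination and host-based routing for csclub.uwaterloo.ca,
# cloud.csclub.uwaterloo.ca and csclub.cloud, plus a source-restricted stats page.
# Read by haproxy(1); reload with `haproxy -c -f <this file>` to syntax-check first.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Admin-level runtime socket: mode 660 keeps it to the haproxy user/group.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    #ssl-default-bind-options no-sslv3

    # Minimum DH group size for the DHE-* suites below.
    tune.ssl.default-dh-param 2048
    # NOTE(review): this list still admits 3DES (*-DES-CBC3-SHA) and non-forward-secret
    # RSA key exchange (AES*-SHA*, AES*-GCM-*), and TLS 1.0/1.1 are not disabled
    # (only no-sslv3). Tighten once the client base is confirmed not to need them.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    # no-tls-tickets: session tickets would undermine forward secrecy across restarts.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Timeouts are in milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#frontend ssh
#    bind :::2222 v4v6
#    mode tcp
#    option tcplog
#
#    default_backend ssh_general-use

# OpenStack metadata API, TLS-only on 8775; every request is forwarded to the
# metadata backend without host matching.
frontend http_cloud_metadata
    bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
    mode http
    option forwardfor
    # The only bind here is TLS, so ssl_fc always holds; set-header replaces any
    # client-supplied value rather than appending to it.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend http_metadata.cloud.csclub.uwaterloo.ca

# Main HTTP/HTTPS entry point: routes by Host header and forces HTTPS for the
# cloud and csclub.cloud hosts. csclub.uwaterloo.ca itself is still served over
# plain HTTP (no redirect rule below), so X-Forwarded-Proto must be set on every
# request, not only on TLS ones.
frontend http
    bind :::80 v4v6
    bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
    mode http
    option forwardfor

    # Add proto. Setting the header unconditionally (https on TLS, http otherwise)
    # overwrites any X-Forwarded-Proto a client sent on port 80, so a backend cannot
    # be tricked into treating a plaintext request as secure.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    #
    # Determine host
    #

    # csclub webpage
    acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
    acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
    acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca

    # cloud.csclub
    acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
    acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
    acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
    acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
    acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
    acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
    acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
    acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
    acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
    acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
    acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
    acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca

    # csclub.cloud
    # Host names are case-insensitive; -i keeps these consistent with the other ACLs
    # so a mixed-case Host header does not fall through to no backend.
    acl csclub.cloud hdr(host) -i csclub.cloud
    acl csclub.cloud hdr(host) -i www.csclub.cloud

    #
    # csclub.cloud (users)
    #

    # iie
    acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud

    # ztseguin
    acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
    # NOTE(review): ztseguin-reddit.csclub.cloud is matched but has no redirect or
    # use_backend rule below, so those requests currently fall through — confirm intended.
    acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
    acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud

    # Force SSL
    redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } csclub.cloud
    redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud
    redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud

    # Backend
    use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca
    use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
    use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
    use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
    use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
    use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
    use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
    use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
    use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
    use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
    use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
    use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca
    use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud
    use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud
    use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud

# Stats page on 8443 (TLS). There is no authentication on the page itself; access
# is limited to the listed source ranges by rejecting all other connections
# before any HTTP processing.
frontend stats
    bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
    mode http
    no log
    stats enable
    stats uri /

    acl network_allowed src 10.0.0.0/8
    acl network_allowed src 129.97.0.0/16
    acl network_allowed src 172.16.0.0/12
    acl network_allowed src 2620:101:f000::/47
    acl network_allowed src fd74:6b6a:8eca::/47
    tcp-request connection reject if !network_allowed

#
# BACKENDS
#

#backend ssh_general-use
#    balance roundrobin
#    mode tcp
#    server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
#    server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
#    server sucrose sucrose.csclub.uwaterloo.ca check port 22

# Main website, two web nodes with cookie-based affinity. The affinity cookie is
# httponly so scripts cannot read it; it is not marked secure because this host is
# also served over plain HTTP (see frontend http).
backend http_csclub.uwaterloo.ca
    balance leastconn
    mode http
    cookie serverid insert indirect nocache httponly
    server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
    server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01

# Cloud landing page (also serves csclub.cloud). Single node, addressed by IP.
backend http_cloud.csclub.uwaterloo.ca
    balance leastconn
    mode http
    cookie serverid insert indirect nocache httponly
    #server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
    server web1.cloud 172.19.134.5:80 check cookie 01

# OpenStack service endpoints on controller1.cloud, one backend per API port.
# NOTE(review): these are plaintext hops from the proxy to the controller — verify
# the controller's API ports are not reachable except from this host.
backend http_auth.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check

backend http_admin.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check

backend http_console.cloud.csclub.uwaterloo.ca
    balance leastconn
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check

backend http_compute.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check

backend http_dns.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check

backend http_network.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check

backend http_metadata.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check

backend http_image.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check

backend http_object.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check

backend http_volume.cloud.csclub.uwaterloo.ca
    balance roundrobin
    mode http
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check

# User-hosted sites under csclub.cloud.
backend http_ztseguin.csclub.cloud
    balance roundrobin
    mode http
    server ztseguin1 csc-web.zacharyseguin.ca:80 check

backend http_iie_iise-wiki.csclub.cloud
    balance roundrobin
    mode http
    server wiki wiki.iie.csclub.cloud:8090 check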