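global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Runtime API socket. "level admin" permits changing server state and weights at
# runtime, so anything that can write to this socket controls the proxy; access
# is limited to the haproxy user/group by mode 660.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# TLS policy for SSL-enabled listening sockets ("bind ... ssl") and, kept in
# step, for TLS connections to servers ("server ... ssl"; none are configured
# in this file, but a future one then inherits the same policy).
#
# Cipher list: forward-secret (ECDHE/DHE) AEAD and CBC suites only. It is the
# earlier list (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# lineage) with two groups removed:
#   - 3DES (DES-CBC3-SHA and its ECDHE/EDH variants): 64-bit block cipher,
#     Sweet32 (CVE-2016-2183).
#   - static-RSA key exchange (AES128-SHA, AES256-GCM-SHA384, ...): no forward
#     secrecy, so a leaked server key decrypts previously recorded sessions.
# Very old clients that offer only those suites can no longer connect.
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!MD5:!DSS
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 and later are
# negotiated. Session tickets stay disabled (a ticket key shared across
# restarts would undo forward secrecy). On HAProxy >= 1.8 the same minimum
# can be written "ssl-min-ver TLSv1.2".
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets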
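defaults
log global
mode http
option httplog
# Do not log connections that carry no data (health probes, port scans that
# open and close a socket). Keeps the log readable, but such probes leave no
# trace; drop this line if that trace is wanted.
option dontlognull
# Timeouts. HAProxy's default unit is milliseconds; explicit suffixes are used
# so the values read unambiguously (same values as before).
timeout connect 5s
timeout client 50s
timeout server 50s
# Bound the time a client may take to send the complete request headers.
# Without it a client can hold a connection by trickling one header byte per
# "timeout client" interval (slowloris-style connection exhaustion); with it
# the whole header block must arrive within 10s or the request is dropped.
timeout http-request 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http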
#frontend ssh
# bind :::2222 v4v6
# mode tcp
# option tcplog
#
# default_backend ssh_general-use
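frontend http_cloud_metadata
# TLS-only listener for the cloud metadata API on every address (v4 and v6).
# NOTE(review): there is no source restriction on this bind, so the metadata
# service behind it (controller1 port 8775, backend
# http_metadata.cloud.csclub.uwaterloo.ca) is reachable from anywhere.
# Confirm the service authenticates its callers itself rather than trusting
# the forwarded client address.
bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
mode http
# Pass the real client address. "option forwardfor" adds an X-Forwarded-For
# entry even when the client already sent one, so a backend that reads the
# first value would see a client-chosen address; set-header overwrites any
# client-supplied value with the TCP peer address instead.
http-request set-header X-Forwarded-For %[src]
# This listener accepts only TLS, so the request always arrived over https.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_metadata.cloud.csclub.uwaterloo.ca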
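frontend http
# Public web listener: plain http on 80, TLS on 443 with one certificate per
# served zone (selected by SNI). Requests are routed to a backend by Host
# header; a Host that matches no ACL has no default_backend and gets a 503.
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
mode http
# Pass the real client address and scheme to the backends.
# X-Forwarded-For is set, not added: "option forwardfor" appends an entry even
# when the client already sent one, so a backend reading the first value would
# see a client-chosen address. set-header overwrites it with the TCP peer.
http-request set-header X-Forwarded-For %[src]
# X-Forwarded-Proto is set on both paths. Previously plaintext requests kept
# whatever X-Forwarded-Proto the client sent, so "X-Forwarded-Proto: https"
# over port 80 reached the backend unchanged.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
#
# Determine host. Exact, case-insensitive match on the Host header; a Host
# value carrying an explicit ":port" does not match any of these.
#
# csclub webpage
acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca
# cloud.csclub
acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca
# csclub.cloud
# "-i" added: Host is case-insensitive and every other ACL here matches that
# way; without it "CSClub.cloud" matched nothing and got a 503.
acl csclub.cloud hdr(host) -i csclub.cloud
acl csclub.cloud hdr(host) -i www.csclub.cloud
#
# csclub.cloud (users)
#
# iie
acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud
# ztseguin
acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
# NOTE(review): defined but never referenced -- no redirect and no use_backend
# uses it, so ztseguin-reddit.csclub.cloud and reddit.csclub.cloud currently
# fall through to the 503 for unknown hosts.
acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud
# Force SSL: plaintext requests for the listed hosts get a redirect to https.
# Not listed, so still served over plain http: csclub.uwaterloo.ca and its
# www/www2 aliases -- confirm that is intended. No Strict-Transport-Security
# header is set in this frontend.
redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca
redirect scheme https if !{ ssl_fc } csclub.cloud
redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud
redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud
# Backend selection (first match wins; csclub.cloud shares the cloud backend)
use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca
use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca
use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud
use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud
use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud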
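frontend stats
# HAProxy statistics page: TLS only, restricted by source address below.
bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
mode http
# NOTE(review): nothing on this listener is logged, including connections
# rejected by the allow-list below; remove "no log" if those rejects should
# appear in the proxy log.
no log
stats enable
stats uri /
# Do not print the HAProxy version on the page (less for someone who does
# reach it to go on). The page is read-only: "stats admin" is not enabled.
stats hide-version
# Source-address allow-list. It is the only access control on this page (there
# is no "stats auth"), and it is enforced on the TCP connection, i.e. on the
# real peer address, so it cannot be bypassed with forged headers.
acl network_allowed src 10.0.0.0/8
acl network_allowed src 129.97.0.0/16
acl network_allowed src 172.16.0.0/12
acl network_allowed src 2620:101:f000::/47
acl network_allowed src fd74:6b6a:8eca::/47
tcp-request connection reject if !network_allowed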
#
# BACKENDS
#
#backend ssh_general-use
# balance roundrobin
# mode tcp
# server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
# server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
# server sucrose sucrose.csclub.uwaterloo.ca check port 22
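backend http_csclub.uwaterloo.ca
# Club website: two web nodes, least-connections with cookie stickiness.
balance leastconn
mode http
# "serverid" is inserted by HAProxy and stripped before the request reaches
# the servers (indirect). "httponly" keeps page scripts from reading it.
# "secure" is deliberately not set: this site is also served over plain http
# (frontend http does not redirect csclub.uwaterloo.ca), and a secure cookie
# would never be returned on those requests, breaking stickiness.
cookie serverid insert indirect nocache httponly
# "check" alone is a TCP connect probe: a node that accepts connections but
# fails every request stays in rotation. An "option httpchk" against a cheap
# URL would catch that; the right path is not known from this file.
server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01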
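backend http_cloud.csclub.uwaterloo.ca
# cloud.csclub.uwaterloo.ca and csclub.cloud: a single web node at present.
balance leastconn
mode http
# Stickiness cookie kept for when a second node is added. "httponly" keeps
# page scripts from reading it. Both hosts routed here are redirected to
# https by frontend http, so "secure" could be added as well.
cookie serverid insert indirect nocache httponly
# The node is addressed by IP rather than the hostname on the commented line;
# the reason is not recorded here (DNS not resolvable from the proxy?).
#server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
server web1.cloud 172.19.134.5:80 check cookie 01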
backend http_auth.cloud.csclub.uwaterloo.ca
# auth.cloud.* -> controller1 port 5000 over plain http. "check" is a TCP
# connect probe only; it does not verify that the service answers requests.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check
backend http_admin.cloud.csclub.uwaterloo.ca
# admin.cloud.* -> controller1 port 35357 over plain http.
# NOTE(review): this is reachable from the public 443 listener by Host header
# with no source restriction in this file; confirm that exposure is intended.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check
backend http_console.cloud.csclub.uwaterloo.ca
# console.cloud.* -> controller1 port 6080 over plain http, least connections.
# NOTE(review): if this carries long-lived websocket console sessions, idle
# ones are cut by the 50s client/server timeouts from "defaults" unless a
# "timeout tunnel" is set here -- confirm against the service.
balance leastconn
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check
backend http_compute.cloud.csclub.uwaterloo.ca
# compute.cloud.* -> controller1 port 8774 over plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check
backend http_dns.cloud.csclub.uwaterloo.ca
# dns.cloud.* -> controller1 port 9001 over plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check
backend http_network.cloud.csclub.uwaterloo.ca
# network.cloud.* -> controller1 port 9696 over plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check
backend http_metadata.cloud.csclub.uwaterloo.ca
# metadata.cloud.* -> controller1 port 8775 over plain http. Reached both from
# the dedicated frontend http_cloud_metadata (port 8775) and by Host header
# from the public 443 listener; neither path restricts the source address.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check
backend http_image.cloud.csclub.uwaterloo.ca
# image.cloud.* -> controller1 port 9292 over plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check
backend http_object.cloud.csclub.uwaterloo.ca
# object.cloud.* and object.csclub.uwaterloo.ca -> controller1 port 8080 over
# plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check
backend http_volume.cloud.csclub.uwaterloo.ca
# volume.cloud.* -> controller1 port 8776 over plain http; TCP connect check.
balance roundrobin
mode http
server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check
backend http_ztseguin.csclub.cloud
# ztseguin.csclub.cloud -> csc-web.zacharyseguin.ca:80. The server is outside
# the csclub domains and is reached over plain http, so traffic that was TLS
# on the 443 listener is re-sent in cleartext to it. NOTE(review): if that
# host is not on a trusted network path, point this at its https port with
# "ssl verify required ca-file ..." (after confirming it serves TLS).
balance roundrobin
mode http
server ztseguin1 csc-web.zacharyseguin.ca:80 check
backend http_iie_iise-wiki.csclub.cloud
# iise-wiki.csclub.cloud -> wiki.iie.csclub.cloud:8090 over plain http;
# TCP connect check only.
balance roundrobin
mode http
server wiki wiki.iie.csclub.cloud:8090 check