global
    # Process-wide settings: logging, privilege drop, runtime socket, TLS defaults.
    log /dev/log local0
    log /dev/log local1 notice
    # The process is chrooted, so the /dev/log socket used above has to be
    # reachable inside the chroot as well (/var/lib/haproxy/dev/log) — TODO confirm
    # the syslog daemon creates it there, otherwise logging silently stops.
    chroot /var/lib/haproxy
    # Runtime API socket at the highest privilege level ("admin" can change
    # server state); the only access control is the 0660 mode plus the
    # haproxy user/group set below.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # (Previous, now superseded, list kept for reference.)
    #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    #ssl-default-bind-options no-sslv3

    # 2048-bit DH parameters for the DHE-* suites below (the built-in default is weaker).
    tune.ssl.default-dh-param 2048
    # NOTE(review): the active list still ends with 3DES (DES-CBC3-SHA and the
    # ECDHE/EDH DES-CBC3 variants) and SHA-1 CBC suites, which only legacy
    # clients need; and the options below disable SSLv3 only, so TLS 1.0/1.1
    # remain negotiable.  Consider dropping the *-DES-CBC3-* entries and adding
    # `no-tlsv10 no-tlsv11` once the client population has been checked.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    # no-tls-tickets: session resumption goes through the server-side cache
    # instead of a long-lived ticket key, so past sessions are not exposed by one key.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Outbound (server-side) TLS defaults.  No `server ... ssl` line in this file
    # currently uses them; every backend below talks plain HTTP to its servers.
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

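defaults
    # Settings inherited by every frontend/backend below unless overridden.
    log global
    mode http
    option httplog
    # Do not log connections that carried no data (monitoring probes etc.).
    option dontlognull
    # Timeouts without a unit are milliseconds: 5 s connect, 50 s client/server inactivity.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Upper bound on how long a client may take to send the complete request
    # headers.  Without it a slow or idle client holds a connection slot for the
    # full `timeout client` (50 s) per request, which makes connection
    # exhaustion by slow clients cheap; 10 s is ample for real browsers.
    timeout http-request 10s
    # Custom error pages returned by HAProxy itself (not by a backend).
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
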
# Disabled TCP-mode SSH load balancer; kept for reference together with the
# matching (also commented-out) backend ssh_general-use further down.
#frontend ssh
#    bind :::2222 v4v6
#    mode tcp
#    option tcplog
#
#    default_backend ssh_general-use

frontend http_cloud_metadata
    # TLS-only listener on 8775 (IPv4 and IPv6); there is no plaintext bind here.
    bind :::8775 v4v6 ssl crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem
    mode http
    # Appends the client address as a new X-Forwarded-For header; any
    # X-Forwarded-For the client sent itself is left in place ahead of it, so
    # the backend must only trust the last value.
    option forwardfor

    # Always true on this frontend (its only bind is ssl); kept for symmetry
    # with frontend http.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # NOTE(review): unlike frontend stats, this listener has no source-address
    # ACL, so the metadata backend on controller1:8775 is reachable from any
    # network — presumably that backend authenticates its callers itself; confirm.
    default_backend http_metadata.cloud.csclub.uwaterloo.ca

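frontend http
    # Public HTTP/HTTPS entry point for every hostname listed in the ACLs below.
    bind :::80 v4v6
    # The certificate is chosen by SNI; clients without SNI get the first crt.
    bind :::443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem crt /etc/ssl/private/cloud.csclub.uwaterloo.ca/cloud.csclub.uwaterloo.ca.pem crt /etc/ssl/private/csclub.cloud/csclub.cloud.pem
    mode http
    # Appends the client address as a new X-Forwarded-For header; client-supplied
    # X-Forwarded-For values stay in front of it, so backends should trust only
    # the last entry.
    option forwardfor

    # Add proto.  Set it on both paths: with only the `https` rule, a request on
    # :80 would pass a client-chosen X-Forwarded-Proto (e.g. "https") through to
    # the backend unchanged, which matters for the hosts that are not redirected.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    # NOTE(review): no Strict-Transport-Security header is emitted; for the
    # hosts that are already force-redirected below, an
    # `http-response set-header Strict-Transport-Security ...` would pin them.

    #
    # Determine host
    #

    # csclub webpage
    acl csclub.uwaterloo.ca hdr(host) -i csclub.uwaterloo.ca
    acl csclub.uwaterloo.ca hdr(host) -i www.csclub.uwaterloo.ca
    acl csclub.uwaterloo.ca hdr(host) -i www2.csclub.uwaterloo.ca

    # cloud.csclub
    acl cloud.csclub.uwaterloo.ca hdr(host) -i cloud.csclub.uwaterloo.ca
    acl console.cloud.csclub.uwaterloo.ca hdr(host) -i console.cloud.csclub.uwaterloo.ca
    acl auth.cloud.csclub.uwaterloo.ca hdr(host) -i auth.cloud.csclub.uwaterloo.ca
    acl admin.cloud.csclub.uwaterloo.ca hdr(host) -i admin.cloud.csclub.uwaterloo.ca
    acl compute.cloud.csclub.uwaterloo.ca hdr(host) -i compute.cloud.csclub.uwaterloo.ca
    acl dns.cloud.csclub.uwaterloo.ca hdr(host) -i dns.cloud.csclub.uwaterloo.ca
    acl metadata.cloud.csclub.uwaterloo.ca hdr(host) -i metadata.cloud.csclub.uwaterloo.ca
    acl network.cloud.csclub.uwaterloo.ca hdr(host) -i network.cloud.csclub.uwaterloo.ca
    acl image.cloud.csclub.uwaterloo.ca hdr(host) -i image.cloud.csclub.uwaterloo.ca
    acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.cloud.csclub.uwaterloo.ca
    acl object.cloud.csclub.uwaterloo.ca hdr(host) -i object.csclub.uwaterloo.ca
    acl volume.cloud.csclub.uwaterloo.ca hdr(host) -i volume.cloud.csclub.uwaterloo.ca

    # csclub.cloud — case-insensitive like every other host ACL; previously the
    # only two without -i, so a differently-cased Host header missed both the
    # HTTPS redirect and the use_backend rule.
    acl csclub.cloud hdr(host) -i csclub.cloud
    acl csclub.cloud hdr(host) -i www.csclub.cloud

    #
    # csclub.cloud (users)
    #

    # iie
    acl iie_iise-wiki.csclub.cloud hdr(host) -i iise-wiki.csclub.cloud

    # ztseguin
    acl ztseguin.csclub.cloud hdr(host) -i ztseguin.csclub.cloud
    # The two ACLs below are defined but referenced by no redirect/use_backend
    # rule, so these hosts currently fall through to the 503 described under
    # "Backend".
    acl ztseguin-reddit.csclub.cloud hdr(host) -i ztseguin-reddit.csclub.cloud
    acl ztseguin-reddit.csclub.cloud hdr(host) -i reddit.csclub.cloud

    # Force SSL (csclub.uwaterloo.ca is deliberately absent: it is served on
    # both :80 and :443).
    redirect scheme https if !{ ssl_fc } cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } admin.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } auth.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } console.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } compute.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } dns.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } metadata.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } network.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } image.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } object.cloud.csclub.uwaterloo.ca
    redirect scheme https if !{ ssl_fc } volume.cloud.csclub.uwaterloo.ca

    redirect scheme https if !{ ssl_fc } csclub.cloud

    redirect scheme https if !{ ssl_fc } ztseguin.csclub.cloud

    redirect scheme https if !{ ssl_fc } iie_iise-wiki.csclub.cloud

    # Backend.  There is no default_backend, so a request whose Host matches
    # none of the ACLs above is answered with HAProxy's own 503 page.
    use_backend http_csclub.uwaterloo.ca if csclub.uwaterloo.ca

    use_backend http_cloud.csclub.uwaterloo.ca if cloud.csclub.uwaterloo.ca
    use_backend http_auth.cloud.csclub.uwaterloo.ca if auth.cloud.csclub.uwaterloo.ca
    use_backend http_admin.cloud.csclub.uwaterloo.ca if admin.cloud.csclub.uwaterloo.ca
    use_backend http_console.cloud.csclub.uwaterloo.ca if console.cloud.csclub.uwaterloo.ca
    use_backend http_compute.cloud.csclub.uwaterloo.ca if compute.cloud.csclub.uwaterloo.ca
    use_backend http_dns.cloud.csclub.uwaterloo.ca if dns.cloud.csclub.uwaterloo.ca
    use_backend http_metadata.cloud.csclub.uwaterloo.ca if metadata.cloud.csclub.uwaterloo.ca
    use_backend http_network.cloud.csclub.uwaterloo.ca if network.cloud.csclub.uwaterloo.ca
    use_backend http_image.cloud.csclub.uwaterloo.ca if image.cloud.csclub.uwaterloo.ca
    use_backend http_object.cloud.csclub.uwaterloo.ca if object.cloud.csclub.uwaterloo.ca
    use_backend http_volume.cloud.csclub.uwaterloo.ca if volume.cloud.csclub.uwaterloo.ca

    # csclub.cloud shares the cloud.csclub.uwaterloo.ca backend.
    use_backend http_cloud.csclub.uwaterloo.ca if csclub.cloud

    use_backend http_ztseguin.csclub.cloud if ztseguin.csclub.cloud

    use_backend http_iie_iise-wiki.csclub.cloud if iie_iise-wiki.csclub.cloud
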
frontend stats
    # HAProxy statistics page, TLS on 8443 (IPv4 and IPv6).
    bind :::8443 v4v6 ssl crt /etc/ssl/private/csclub.uwaterloo.ca/csclub.uwaterloo.ca.pem
    mode http
    # Nothing from this frontend is logged — including connections rejected by
    # the ACL below — so attempts to reach the stats port from outside the
    # allowed ranges leave no trace in syslog.
    no log

    # Read-only stats page: no `stats admin` and no `stats auth`, so the
    # source-address ACL below is the only access control.
    stats enable
    stats uri /

    # RFC 1918 ranges, the 129.97.0.0/16 block (presumably the university
    # network) and two IPv6 prefixes; every host in them can read the page.
    acl network_allowed src 10.0.0.0/8
    acl network_allowed src 129.97.0.0/16
    acl network_allowed src 172.16.0.0/12
    acl network_allowed src 2620:101:f000::/47
    acl network_allowed src fd74:6b6a:8eca::/47

    # Rejected at connection level, before the TLS handshake, so other sources
    # never see the certificate or the page.
    tcp-request connection reject if !network_allowed

#
# BACKENDS
#
# Disabled SSH backend belonging to the commented-out `frontend ssh` above;
# kept for reference only.
#backend ssh_general-use
#    balance roundrobin
#    mode tcp
#
#    server corn-syrup corn-syrup.csclub.uwaterloo.ca check port 22
#    server high-fructose-corn-syrup high-fructose-corn-syrup.csclub.uwaterloo.ca check port 22
#    server sucrose sucrose.csclub.uwaterloo.ca check port 22

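backend http_csclub.uwaterloo.ca
    # Main club website, two web servers with cookie-based stickiness.
    balance leastconn
    mode http

    # Sticky sessions via an inserted `serverid` cookie: indirect = the cookie
    # is consumed here and not forwarded to the servers, nocache = a response
    # that carries the cookie is marked non-cacheable.  httponly keeps the
    # cookie out of document.cookie; `secure` is deliberately not set because
    # frontend http serves this host over plain :80 as well.
    cookie serverid insert indirect nocache httponly

    # `check` without `option httpchk` is a plain TCP connect health check.
    server caffeine-00 caffeine-00.csclub.uwaterloo.ca:80 check cookie 00
    server caffeine-01 caffeine-01.csclub.uwaterloo.ca:80 check cookie 01
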
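backend http_cloud.csclub.uwaterloo.ca
    # Cloud landing site, also used for csclub.cloud (see frontend http).
    balance leastconn
    mode http

    # Sticky-session cookie as in http_csclub.uwaterloo.ca.  Both hosts routed
    # here are force-redirected to HTTPS in frontend http, so the cookie can be
    # marked `secure` without losing stickiness; httponly keeps it away from
    # page scripts.
    cookie serverid insert indirect nocache httponly secure

    # Address pinned by IP; the hostname form is kept for reference.
    #server web1.cloud web1.cloud.csclub.uwaterloo.ca:80 check cookie 01
    server web1.cloud 172.19.134.5:80 check cookie 01
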
backend http_auth.cloud.csclub.uwaterloo.ca
    # auth.cloud.csclub.uwaterloo.ca -> controller1:5000, plain HTTP.
    mode http
    # roundrobin is moot with a single server; kept for when more are added.
    balance roundrobin

    # `check` without `option httpchk` is a plain TCP connect health check.
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:5000 check

backend http_admin.cloud.csclub.uwaterloo.ca
    # admin.cloud.csclub.uwaterloo.ca -> controller1:35357, plain HTTP.
    # NOTE(review): this "admin" endpoint is reachable from any source through
    # frontend http (no source ACL as in frontend stats); presumably the
    # service behind it enforces its own authentication — confirm.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:35357 check

backend http_console.cloud.csclub.uwaterloo.ca
    # console.cloud.csclub.uwaterloo.ca -> controller1:6080, plain HTTP.
    mode http
    # leastconn (unlike the other controller1 backends) — single server, so
    # currently equivalent to roundrobin.
    balance leastconn

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:6080 check

backend http_compute.cloud.csclub.uwaterloo.ca
    # compute.cloud.csclub.uwaterloo.ca -> controller1:8774, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8774 check

backend http_dns.cloud.csclub.uwaterloo.ca
    # dns.cloud.csclub.uwaterloo.ca -> controller1:9001, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9001 check

backend http_network.cloud.csclub.uwaterloo.ca
    # network.cloud.csclub.uwaterloo.ca -> controller1:9696, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9696 check

backend http_metadata.cloud.csclub.uwaterloo.ca
    # Reached both via metadata.cloud.csclub.uwaterloo.ca on frontend http and
    # as the default_backend of frontend http_cloud_metadata (:8775).
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8775 check

backend http_image.cloud.csclub.uwaterloo.ca
    # image.cloud.csclub.uwaterloo.ca -> controller1:9292, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:9292 check

backend http_object.cloud.csclub.uwaterloo.ca
    # object.cloud.csclub.uwaterloo.ca and object.csclub.uwaterloo.ca ->
    # controller1:8080, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8080 check

backend http_volume.cloud.csclub.uwaterloo.ca
    # volume.cloud.csclub.uwaterloo.ca -> controller1:8776, plain HTTP.
    mode http
    balance roundrobin

    # TCP connect health check (no httpchk configured).
    server controller1.cloud controller1.cloud.csclub.uwaterloo.ca:8776 check

backend http_ztseguin.csclub.cloud
    # User-hosted site: ztseguin.csclub.cloud -> csc-web.zacharyseguin.ca:80.
    mode http
    balance roundrobin

    # NOTE(review): frontend http forces HTTPS for this host, but the hop to the
    # upstream is plain HTTP on :80 to a host outside the csclub domains
    # (presumably off-site), so TLS ends here.  If that host offers TLS,
    # `ssl verify required` on this server line would close the gap.
    # `check` is a TCP connect health check (no httpchk configured).
    server ztseguin1 csc-web.zacharyseguin.ca:80 check

backend http_iie_iise-wiki.csclub.cloud
    # User-hosted wiki: iise-wiki.csclub.cloud -> wiki.iie.csclub.cloud:8090.
    mode http
    balance roundrobin

    # Plain HTTP to the upstream after TLS termination in frontend http;
    # acceptable only if wiki.iie.csclub.cloud is on a trusted network — confirm.
    # `check` is a TCP connect health check (no httpchk configured).
    server wiki wiki.iie.csclub.cloud:8090 check