#
# Serve ACME HTTP-01 certificate validation challenges on port 80 and act as a
# TLS-terminating reverse proxy (HTTP on 443, MQTT on 8883) in front of the
# manager and Keycloak backend services.
#
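global
    # Ship logs to the local syslog relay; the minimum level comes from the environment.
    log 127.0.0.1:514 local0 "${PROXY_LOGLEVEL}"
    # The chroot is the Let's Encrypt webroot so the Lua ACME service can serve
    # challenge files from it. NOTE(review): no user/group directive is set here,
    # so HAProxy does not drop privileges itself - confirm the container already
    # runs the process as a non-root user.
    chroot "${LE_WEB_ROOT}"
    lua-load /etc/haproxy/acme-http01-webroot.lua
    # Default SSL material locations, managed by certbot
    crt-base "${LE_CERT_ROOT}"
    maxconn 1024
    # OpenSSL cipher strings are ':'-separated; a trailing ';' is not part of that
    # syntax and must not be appended. This list governs TLS <= 1.2 suites only;
    # TLS 1.3 suites (ssl-default-bind-ciphersuites) are left at OpenSSL defaults.
    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL
    tune.ssl.default-dh-param 4096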
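defaults
    log global
    mode http
    option httplog
    # Bound the time a client may take to send a complete request header; without
    # it a slow client can hold a connection open for the full client timeout
    # before any request is parsed. Ignored by the TCP-mode MQTT listener.
    timeout http-request 10s
    timeout connect 30s
    timeout client 60s
    timeout server 60s
    # Long-lived upgraded connections (e.g. websockets) get their own idle limit.
    timeout tunnel 720m
    # never fail on address resolution: servers start without an address and are
    # resolved at runtime by their 'resolvers' section instead
    default-server init-addr none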
resolvers docker_resolver
    # Runtime DNS for backend names; 127.0.0.11 is the embedded resolver Docker
    # exposes inside user-defined networks.
    nameserver dns 127.0.0.11:53
frontend http
    bind *:80
    # ACME HTTP-01 challenges must stay on plain HTTP: answer them directly from
    # the Lua service instead of redirecting.
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    # Optional host-based landing-page redirects: a request for "/" on one of the
    # configured host names is sent to the matching path on the HTTPS domain.
    # NOTE(review): when a PROXY_HOST_REDIRECT_n_NAME variable is unset the
    # pattern below is the empty string - confirm that never matches a real Host.
    acl is_root path -i /
    acl is_redirect_1 hdr(host) -i "${PROXY_HOST_REDIRECT_1_NAME}"
    acl is_redirect_2 hdr(host) -i "${PROXY_HOST_REDIRECT_2_NAME}"
    acl is_redirect_3 hdr(host) -i "${PROXY_HOST_REDIRECT_3_NAME}"
    acl is_redirect_4 hdr(host) -i "${PROXY_HOST_REDIRECT_4_NAME}"
    acl is_redirect_5 hdr(host) -i "${PROXY_HOST_REDIRECT_5_NAME}"
    acl is_redirect_6 hdr(host) -i "${PROXY_HOST_REDIRECT_6_NAME}"
    acl is_redirect_7 hdr(host) -i "${PROXY_HOST_REDIRECT_7_NAME}"
    acl is_redirect_8 hdr(host) -i "${PROXY_HOST_REDIRECT_8_NAME}"
    acl is_redirect_9 hdr(host) -i "${PROXY_HOST_REDIRECT_9_NAME}"
    acl is_redirect_10 hdr(host) -i "${PROXY_HOST_REDIRECT_10_NAME}"
    # First matching redirect wins; targets are operator-controlled environment
    # values, never derived from the request.
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_1_TARGET}" if is_root is_redirect_1
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_2_TARGET}" if is_root is_redirect_2
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_3_TARGET}" if is_root is_redirect_3
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_4_TARGET}" if is_root is_redirect_4
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_5_TARGET}" if is_root is_redirect_5
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_6_TARGET}" if is_root is_redirect_6
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_7_TARGET}" if is_root is_redirect_7
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_8_TARGET}" if is_root is_redirect_8
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_9_TARGET}" if is_root is_redirect_9
    redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_10_TARGET}" if is_root is_redirect_10
    # Everything else on port 80 is sent to HTTPS (same host and path).
    redirect scheme https if !url_acme_http01
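frontend https
    bind :443 ssl crt "${CERT_FILE}" no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
    # Forwarding headers for the backends. Use set-header rather than add-header
    # so a client-supplied X-Forwarded-Proto/Port is overwritten instead of being
    # passed along next to ours, where a backend might trust the wrong one.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request set-header X-Forwarded-Port %fp
    # HSTS is a response header: it has to be set on the response so the browser
    # actually receives it (as an http-request header it only reached the backend).
    http-response set-header Strict-Transport-Security max-age=15768000
    # Route Keycloak under /auth, everything else to the manager. This is a path
    # prefix and also matches e.g. /authx; tighten to "/auth/ /auth" if the manager
    # ever serves such paths.
    acl auth path_beg /auth
    use_backend keycloak_backend if auth
    use_backend manager_backend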
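listen mqtt
    bind *:8883 ssl crt "${CERT_FILE}" no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
    mode tcp
    #Use this to avoid the connection loss when client subscribed for a topic and its idle for sometime
    option clitcpka # For TCP keep-alive
    timeout client 3h #By default TCP keep-alive interval is 2hours in OS kernal, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
    timeout server 3h #By default TCP keep-alive interval is 2hours in OS kernal
    option tcplog
    balance leastconn
    # Attach the resolvers section like the HTTP backends do: with the global
    # 'default-server init-addr none' the name is not resolved at startup, so
    # without 'resolvers' nothing would ever assign this server an address.
    server proxy_backend_host "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers docker_resolver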
backend manager_backend
    # Default destination for HTTPS traffic; the address is resolved at runtime
    # through docker_resolver (see 'default-server init-addr none' in defaults).
    server proxy_backend_host "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers docker_resolver
backend keycloak_backend
    # Destination for /auth traffic from the https frontend; resolved at runtime
    # through docker_resolver like the manager backend.
    server proxy_backend_host "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers docker_resolver