{ config, pkgs, ...}: {
  # HAProxy as a TLS passthrough router keyed on SNI. Nothing in this module
  # terminates TLS: the only frontend is `mode tcp` and no bind/server line
  # carries `ssl`, so the services on 127.0.0.1:443 and 127.0.0.1:6697 are the
  # ones presenting certificates.
  services.haproxy.enable = true;

  services.haproxy.config = ''
    global
      # Syslog over UDP to localhost. NOTE(review): this needs a syslog
      # receiver bound on 127.0.0.1:514; if none is configured, HAProxy logs
      # are dropped silently - confirm logs actually arrive.
      log 127.0.0.1 local0 info
      maxconn 2000

      # NOTE(review): mode 666 makes the runtime API socket world-writable.
      # `level user` restricts it to non-sensitive read-only commands, but
      # unless another local account genuinely needs it, 660 plus a dedicated
      # group is the tighter setting.
      stats socket /run/haproxy/stats.sock mode 666 level user
      stats timeout 30s

      # from https://ssl-config.mozilla.org
      # NOTE(review): ssl-default-* and ssl-dh-param-file only apply to
      # `bind ... ssl` / `server ... ssl` lines, and there are none in this
      # file, so these settings are inert as written. Keep them only if
      # another fragment adds a TLS-terminating listener.
      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      ssl-dh-param-file /etc/dhparam

    defaults
      log global
      # `mode http` and `option http-keep-alive` are overridden by the
      # `mode tcp` in every frontend/backend below, so they have no effect
      # on the proxies defined in this file.
      mode http
      option dontlognull
      retries 3
      option redispatch
      # NOTE(review): HAProxy timeouts without a unit are milliseconds, so
      # these are roughly 13.9 h (connect) and 2.8 h (client/server). That
      # looks like a unit mistake; with maxconn 2000, idle timeouts this
      # long let a few slow or stalled clients hold connection slots for
      # hours. Confirm the intended values (e.g. `timeout connect 5s`)
      # before changing them.
      timeout connect 50000000
      timeout client 10000000
      timeout server 10000000
      option http-keep-alive
      balance roundrobin

    frontend tls-in
      bind 104.168.211.198:443 interface ens3
      mode tcp

      # Buffer the first bytes for up to 5s so the ClientHello can be
      # inspected; a TLS handshake (hello type 1) is accepted as soon as it
      # is seen. Presumably non-TLS connections are accepted after the delay
      # expires and land on default_backend - confirm that is intended.
      tcp-request inspect-delay 5s
      tcp-request content accept if { req.ssl_hello_type 1 }

      # Suffix match (-m end) on the SNI: matches hosts under
      # irc.tempest.dev but not the bare name irc.tempest.dev itself, since
      # the pattern starts with a dot.
      acl sni_irc req.ssl_sni -i -m end .irc.tempest.dev
      use_backend calico if sni_irc

      default_backend http-pass

    backend calico
      mode tcp
      server calico 127.0.0.1:6697

    backend http-pass
      mode tcp
      # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
      # client address. The listener on 127.0.0.1:443 must be configured to
      # expect it, and should trust PROXY headers only from this loopback
      # source so the reported client address cannot be spoofed - verify on
      # the backend side.
      server local-http 127.0.0.1:443 send-proxy-v2
  '';

  environment.etc = {
    # DH group referenced by ssl-dh-param-file above. The blob looks like the
    # public RFC 7919 ffdhe2048 group shipped with the Mozilla generator - it
    # is not secret, so mode 0400 is belt-and-braces only (the text is a
    # build input and so presumably also lands in the world-readable Nix
    # store). Do not add comments inside the PEM text: they would become part
    # of /etc/dhparam.
    dhparam = {
      text = ''
        -----BEGIN DH PARAMETERS-----
        MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
        +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
        87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
        YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
        7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
        ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
        -----END DH PARAMETERS-----
      '';
      mode = "0400";
      user = "haproxy";
    };
  };
}