HAProxy as an ingress proxy
parent
ef430a5ccf
commit
c4b180a7f0
@ -0,0 +1,70 @@
|
||||
{ config, pkgs, ...}: {
|
||||
services.haproxy.enable = true;
|
||||
|
||||
services.haproxy.config = ''
|
||||
global
|
||||
log 127.0.0.1 local0 info
|
||||
maxconn 2000
|
||||
|
||||
stats socket /run/haproxy/stats.sock mode 666 level user
|
||||
stats timeout 30s
|
||||
|
||||
# from https://ssl-config.mozilla.org
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
ssl-dh-param-file /etc/dhparam
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode http
|
||||
option dontlognull
|
||||
retries 3
|
||||
option redispatch
|
||||
timeout connect 50000000
|
||||
timeout client 10000000
|
||||
timeout server 10000000
|
||||
option http-keep-alive
|
||||
balance roundrobin
|
||||
|
||||
frontend tls-in
|
||||
bind 104.168.211.198:443 interface ens3
|
||||
mode tcp
|
||||
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||
|
||||
acl sni_irc req.ssl_sni -i -m end .irc.tempest.dev
|
||||
use_backend calico if sni_irc
|
||||
|
||||
default_backend http-pass
|
||||
|
||||
backend calico
|
||||
mode tcp
|
||||
server calico 127.0.0.1:6697
|
||||
|
||||
backend http-pass
|
||||
mode tcp
|
||||
server local-http 127.0.0.1:443 send-proxy-v2
|
||||
'';
|
||||
|
||||
environment.etc = {
|
||||
dhparam = {
|
||||
text = ''
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
'';
|
||||
mode = "0400";
|
||||
user = "haproxy";
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue