first commit

system/BASE_SOFT/HAPROXY/1.7.5/haproxy.cfg

@@ -0,0 +1,96 @@
+global
+        chroot  /var/lib/haproxy
+            group  haproxy
+            ssl-default-bind-ciphers  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-ES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+            tune.ssl.default-dh-param  2048
+            ssl-default-bind-options  no-sslv3 no-tls-tickets
+            ca-base  /etc/ssl/certs
+            crt-base  /etc/ssl/private
+            ssl-default-server-ciphers  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSADSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+            user  haproxy
+            stats  socket /var/lib/haproxy/stats
+            maxconn  10000
+            pidfile  /var/run/haproxy.pid
+            log  127.0.0.1 local0
+
+defaults
+  log global
+  option redispatch
+  timeout http-request  10s
+  timeout queue         1m
+  timeout connect       10s
+  timeout client        1m
+  timeout server        1m
+  timeout check         10s
+  stats enable
+  stats hide-version
+  stats refresh 5s
+  stats scope   .
+  stats show-legends
+  retries 3
+
+userlist htaccess
+  group it users tlams
+  # Please use SHA-512 password
+  user htaccess password PxTqnm52um8Q6
+
+listen http
+  bind 0.0.0.0:80
+  mode http
+  log-format %ci\ -\ [%T]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl
+  option httplog clf
+  option forwardfor
+  timeout http-request  1m
+  timeout queue         1m
+  timeout connect       20s
+  timeout client        20s
+  timeout server        1m
+  capture request header Referer          len 64
+  capture request header User-Agent       len 512
+  capture request header Host             len 128
+  reqadd X-Forwarded-Proto:\ https
+  reqadd http_x_forwarded_proto:\ https
+  maxconn 32768
+  redirect scheme https code 301 if !{ ssl_fc }
+
+
+listen https
+  bind 0.0.0.0:443 ssl crt /opt/certbot/
+  mode http
+  log-format %ci\ -\ [%T]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl
+  option httplog clf
+  option forwardfor
+  timeout http-request  1m
+  timeout queue         1m
+  timeout connect       20s
+  timeout client        20s
+  timeout server        1m
+  capture request header Referer          len 64
+  capture request header User-Agent       len 512
+  capture request header Host             len 128
+  http-response set-header X-Client-IP %[src]
+  http-response set-header X-Frame-Options "SAMEORIGIN"
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  http-response set-header X-XSS-Protection "1; mode=block"
+  http-response set-header X-Content-Type-Options "nosniff"
+  reqadd X-Forwarded-Proto:\ https
+  reqadd http_x_forwarded_proto:\ https
+  maxconn 32768
+
+  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+  use_backend letsencrypt-backend if letsencrypt-acl
+
+  default_backend lamp
+
+
+### PUBLIC BACKEND
+backend lamp
+  mode http
+  server lamp 127.0.0.1:8080 check
+
+
+### LETS ENCRYPT BACKEND
+backend letsencrypt-backend
+  mode http
+  http-request set-header Host letsencrypt.requests
+  server letsencrypt 127.0.0.1:54321