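# HAProxy edge configuration.
#
# Layout: TLS is terminated on :443, everything arriving on :80 is answered
# with a 301 to HTTPS, normal traffic is proxied to a local LAMP stack on
# 127.0.0.1:8080 and ACME HTTP-01 challenges (/.well-known/acme-challenge/)
# go to a local certbot listener on 127.0.0.1:54321.
#
# Review changes (details in the per-section comments below):
#   - both cipher lists contained mangled suite names (e.g.
#     "ECDHE-ECDSA-AA-AES256-SHA", "EDH-RSA-DES-CBC3-ES256-GCM-SHA384",
#     "ECDHE-ECDSADSA-AES256-SHA", "EDH-RSA-DES-CBC"). OpenSSL silently drops
#     names it does not recognise, so the effective ordering was not the one
#     intended. The lists were restored to a clean compatibility ordering and
#     the 3DES suites were removed.
#   - the stats page was enabled from "defaults" with neither "stats auth" nor
#     a source restriction, i.e. it was reachable unauthenticated on both
#     public listeners. It now has its own loopback-only listener.
#   - "reqadd" (removed in HAProxy 2.1) was replaced by
#     "http-request set-header", which overwrites a client-supplied
#     X-Forwarded-Proto instead of appending ours behind it.
#   - the userlist group referenced a user that was never defined.
# Validate with: haproxy -c -f <this file>

global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    pidfile /var/run/haproxy.pid
    maxconn 10000
    log 127.0.0.1 local0
    # Runtime API socket (lives inside the chroot). No "mode"/"level" is set,
    # so HAProxy's defaults apply; tighten it (e.g. "mode 600") if other local
    # accounts exist on this host.
    stats socket /var/lib/haproxy/stats
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Broad-compatibility ordering: ECDHE/DHE AEAD suites first, then CBC
    # suites, then non-forward-secret static-RSA suites for legacy clients.
    # The DES-CBC3 suites that were here were dropped: 64-bit block ciphers
    # are exposed to birthday (SWEET32-style) attacks on long-lived
    # connections. Drop the trailing AES*-SHA* static-RSA suites as well once
    # legacy clients are confirmed gone.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!3DES:!DSS
    # Same list for TLS towards servers. Currently unused (both backends are
    # plain HTTP on loopback) but kept identical to the bind list so an "ssl"
    # server added later does not silently get a weaker set.
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!3DES:!DSS
    # DH group size for the DHE-* suites above.
    tune.ssl.default-dh-param 2048
    # SSLv3 off; session tickets off (a ticket key that is never rotated
    # weakens forward secrecy). TLS 1.0 and 1.1 are still accepted here: add
    # "no-tlsv10 no-tlsv11" once you have confirmed no client still needs them.
    ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
    log global
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

# NOTE(review): this userlist is not referenced by any ACL or
# "http-request auth" rule in this file. The group originally read
# "group it users tlams" but no user "tlams" is defined anywhere; HAProxy
# refuses to start when a group names an undefined user, so the member list
# was removed (re-add the intended user with a real hash). The remaining hash
# is a 13-character traditional crypt(3) value (DES-based, password truncated
# to 8 characters), not the SHA-512 the comment asks for - regenerate it,
# e.g. with "mkpasswd -m sha-512".
userlist htaccess
    group it
    # Please use SHA-512 password
    user htaccess password PxTqnm52um8Q6

# Stats page, loopback only. It used to be enabled from "defaults" with no
# "stats auth" and no source restriction, which made it reachable without
# authentication on both public listeners at the default /haproxy?stats URI
# (the stats applet is matched before "redirect" rules in HAProxy's request
# pipeline, so the :80 redirect did not shield it - confirm on your version).
# The port is arbitrary; reach it over an SSH tunnel, or add "stats auth" if
# it must be remote. "stats scope ." was dropped so that all proxies show.
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /
    stats hide-version
    stats refresh 5s
    stats show-legends

# Plain HTTP: every request is answered with a 301 to HTTPS. This includes
# ACME challenges; the CA follows the redirect and the challenge is then
# served by letsencrypt-backend via the :443 listener.
listen http
    bind 0.0.0.0:80
    mode http
    log-format %ci\ -\ [%T]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl
    option httplog clf
    option forwardfor
    # 1m overrides the 10s value in "defaults" and lets a client hold a
    # connection open with an incomplete request for a minute; consider 10s.
    timeout http-request 1m
    timeout queue 1m
    timeout connect 20s
    timeout client 20s
    timeout server 1m
    capture request header Referer len 64
    capture request header User-Agent len 512
    capture request header Host len 128
    # Effectively capped by the global maxconn (10000).
    maxconn 32768
    # Nothing is forwarded from this listener, so the X-Forwarded-Proto
    # headers that used to be added here (with the value "https", on a plain
    # HTTP listener) were dropped as dead configuration.
    redirect scheme https code 301 if !{ ssl_fc }

# TLS listener. Certificates are loaded from the certbot directory.
listen https
    bind 0.0.0.0:443 ssl crt /opt/certbot/
    mode http
    log-format %ci\ -\ [%T]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl
    option httplog clf
    option forwardfor
    # 1m overrides the 10s value in "defaults"; see the note on the :80
    # listener.
    timeout http-request 1m
    timeout queue 1m
    timeout connect 20s
    timeout client 20s
    timeout server 1m
    capture request header Referer len 64
    capture request header User-Agent len 512
    capture request header Host len 128
    # Effectively capped by the global maxconn (10000).
    maxconn 32768
    # set-header overwrites any client-supplied value. The former "reqadd"
    # appended ours after the client's, so a request carrying its own
    # X-Forwarded-Proto reached the backend with two values and which one the
    # application honoured depended on the backend.
    http-request set-header X-Forwarded-Proto https
    http-request set-header http_x_forwarded_proto https
    # Response headers. Note that X-Client-IP is added to the *response*, i.e.
    # it is sent back to the client, not to the LAMP backend; if the backend
    # was meant to receive it this needs to be an http-request rule - confirm
    # the intent before changing it.
    http-response set-header X-Client-IP %[src]
    http-response set-header X-Frame-Options "SAMEORIGIN"
    # HSTS with includeSubDomains and preload is a one-way commitment for
    # every subdomain of this host; keep only if that is intended.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend lamp

### PUBLIC BACKEND
backend lamp
    mode http
    server lamp 127.0.0.1:8080 check

### LETS ENCRYPT BACKEND
# Host is rewritten to a fixed value before the request reaches the local
# certbot listener on :54321 (presumably what that listener expects; left as
# is).
backend letsencrypt-backend
    mode http
    http-request set-header Host letsencrypt.requests
    server letsencrypt 127.0.0.1:54321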