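--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,132 @@
+global
+# maxconn 4096
+user haproxy
+group haproxy
+daemon
+ca-base /etc/ssl
+crt-base /etc/ssl
+stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
+stats timeout 2m
+
+defaults
+# maxconn 4096
+# Add x-forwarded-for header.
+timeout connect 5s
+timeout client 30s
+timeout server 30s
+# Long timeout for WebSocket connections.
+timeout tunnel 1h
+
+frontend public
+bind :80
+mode http
+tcp-request inspect-delay 5s
+tcp-request content accept if HTTP
+
+use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
+default_backend openshift_default
+
+# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
+# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
+# that terminates encryption in this router (edge)
+frontend public_ssl
+bind :443
+tcp-request inspect-delay 5s
+tcp-request content accept if { req_ssl_hello_type 1 }
+
+# if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
+acl sni req.ssl_sni -m found
+acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
+use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
+
+# if the route is SNI and NOT passthrough enter the termination flow
+use_backend be_sni if { req.ssl_sni -m found }
+
+# non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
+# will not be able to match a cert to an SNI host
+default_backend be_no_sni
+
+##########################################################################
+# TLS SNI
+#
+# When using SNI we can terminate encryption with custom certificates.
+# Certs will be stored in a directory and will be matched with the SNI host header
+# which must exist in the CN of the certificate. Certificates must be concatenated
+# as a single file (handled by the plugin writer) per the haproxy documentation.
+#
+# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
+# traffic
+##########################################################################
+backend be_sni
+server fe_sni 127.0.0.1:10444 weight 1 send-proxy
+
+frontend fe_sni
+# terminate ssl on edge
+bind 127.0.0.1:10444 ssl crt /var/lib/containers/router/certs accept-proxy
+mode http
+
+# re-ssl?
+acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
+use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
+
+# regular http
+use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
+
+default_backend openshift_default
+
+##########################################################################
+# END TLS SNI
+##########################################################################
+
+##########################################################################
+# TLS NO SNI
+#
+# When we don't have SNI the only thing we can try to do is terminate the encryption
+# using our wild card certificate. Once that is complete we can either re-encrypt
+# the traffic or pass it on to the backends
+##########################################################################
+# backend for when sni does not exist, or ssl term needs to happen on the edge
+backend be_no_sni
+server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
+
+frontend fe_no_sni
+# terminate ssl on edge
+bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy
+
+# re-ssl?
+acl reencrypt hdr(host),map(/var/lib/haproxy/conf/os_reencrypt.map) -m found
+use_backend be_secure_%[hdr(host),map(/var/lib/haproxy/conf/os_tcp_be.map)] if reencrypt
+
+# regular http
+use_backend be_http_%[hdr(host),map(/var/lib/haproxy/conf/os_http_be.map)] if TRUE
+
+default_backend openshift_default
+
+##########################################################################
+# END TLS NO SNI
+##########################################################################
+
+backend openshift_default
+mode http
+option forwardfor
+#option http-keep-alive
+option http-pretend-keepalive
+server openshift_backend 127.0.0.1:8080
+
+##-------------- app level unencrypted backends ----------------
+
+
+
+
+
+
+
+
+backend be_secure_hello-ws-secure
+balance leastconn
+timeout check 5000ms
+
+server hello-ws-secure 172.17.0.13:9443 ssl verify none
+
+
+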
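Review bot: The re-encrypt hop in `backend be_secure_hello-ws-secure` is configured with `server hello-ws-secure 172.17.0.13:9443 ssl verify none`, so the "re-ssl" path selected by the `reencrypt` ACL in `fe_sni` and `fe_no_sni` encrypts to the pod but never authenticates it; the router would accept any certificate presented on that address, which defeats the purpose of re-encryption. Unless the TLS-to-pod leg is explicitly intended to be unauthenticated, the server line should pin the expected CA, e.g. `server hello-ws-secure 172.17.0.13:9443 ssl verify required ca-file <CA_BUNDLE_PATH_NOT_ON_PAGE>`, and if `verify none` must stay for now a comment above the line should say why. A second point: `frontend fe_no_sni` has no `mode http` while its sibling `fe_sni` does and the `defaults` section sets none, yet `fe_no_sni` evaluates `hdr(host)` in its `reencrypt` ACL and `use_backend` rules; in HAProxy's default TCP mode those layer-7 fetches cannot match, so the re-encrypt and per-host routing on the non-SNI path appear to silently fall through to `openshift_default` — adding `mode http` after the `bind 127.0.0.1:10443 ...` line would align it with `fe_sni`. The file appears to be generated (the empty run under `app level unencrypted backends` looks like template output), so the fix presumably belongs in the template rather than this rendered instance.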