Lelux.fi Wiki

Commit 914e4c45 (Verified), authored Apr 22, 2019 by Elias Ojala

Haproxy configuration

parent eb4f04a0
Changes: 1

haproxy.md
...
...
@@ -5,7 +5,43 @@ permalink: /haproxy/
## Base configuration
Coming soon
```
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0g&hsts=yes&profile=modern
# If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
# set default parameters to the intermediate configuration
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
```
## Let's Encrypt
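Review bot: the comment above the TLS settings links to the Mozilla generator with `profile=modern`, but the next comment line and both cipher strings are the intermediate list: they still include 3DES (`ECDHE-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and non-forward-secret static-RSA suites such as `AES128-SHA`, and `ssl-default-bind-options no-sslv3 no-tls-tickets` only disables SSLv3, so TLS 1.0 and 1.1 remain negotiable. Either change the comment to say intermediate, or if modern is the intent, add `ssl-min-ver TLSv1.2` to both `ssl-default-bind-options` and `ssl-default-server-options` and drop the 3DES and static-RSA suites from both lists. Two smaller points: the `Coming soon` line left above the fence should go now that the configuration is there, and `timeout connect 5000` / `timeout client 50000` / `timeout server 50000` are milliseconds by default, so `5s` / `50s` reads less ambiguously.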
...
...
@@ -93,33 +129,32 @@ It should return your DNS resolver's outgoing IP address as result.
Example result:
```
console
$
kdig
-d
@
1.1.1.1
+tls-ca +tls-host
=
cloudflare-dns.com
whoami.v4.powerdns.org
;
;
DEBUG: Querying
for
owner
(
whoami.v4.powerdns.org.
)
, class
(
1
)
,
type
(
1
)
, server
(
1.1.1.1
)
, port
(
853
)
, protocol
(
TCP
)
$
kdig
-d
@
resolver1.lelux.fi
+tls-ca +tls-host
=
resolver1.lelux.fi
whoami.v4.powerdns.org
;
;
DEBUG: Querying
for
owner
(
whoami.v4.powerdns.org.
)
, class
(
1
)
,
type
(
1
)
, server
(
resolver1.lelux.fi
)
, port
(
853
)
, protocol
(
TCP
)
;
;
DEBUG: TLS, imported 128 system certificates
;
;
DEBUG: TLS, received certificate hierarchy:
;
;
DEBUG:
#1, C
=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;
;
DEBUG: SHA-256 PIN:
V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU
=
;
;
DEBUG:
#2, C=US,O=
DigiCert Inc,CN=DigiCert ECC Secure Server CA
;
;
DEBUG: SHA-256 PIN:
PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw
=
;
;
DEBUG:
#1, C
N=resolver1.lelux.fi
;
;
DEBUG: SHA-256 PIN:
2aPeuRroX59Lr5V6Zdd/rM9aok+aB3vL93HgApKT0Kc
=
;
;
DEBUG:
#2, C=US,O=
Let's Encrypt,CN=Let's Encrypt Authority X3
;
;
DEBUG: SHA-256 PIN:
YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg
=
;
;
DEBUG: TLS, skipping certificate PIN check
;
;
DEBUG: TLS, The certificate is trusted.
;
;
TLS session
(
TLS1.
3
)
-
(
ECDHE-SECP256R1
)
-
(
ECD
SA-S
ECP256R1-SHA256
)
-
(
AES-256-GCM
)
;
;
->>HEADER
<<-
opcode
: QUERY; status: NOERROR; id:
64512
;
;
TLS session
(
TLS1.
2
)
-
(
ECDHE-SECP256R1
)
-
(
R
SA-S
HA512
)
-
(
CHACHA20-POLY1305
)
;
;
->>HEADER
<<-
opcode
: QUERY; status: NOERROR; id:
37061
;
; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;
;
EDNS PSEUDOSECTION:
;
;
Version: 0
;
flags:
;
UDP size: 1452 B
;
ext-rcode: NOERROR
;
;
PADDING: 57 B
;
;
Version: 0
;
flags:
;
UDP size: 4096 B
;
ext-rcode: NOERROR
;
;
QUESTION SECTION:
;
;
whoami.v4.powerdns.org. IN A
;
;
ANSWER SECTION:
whoami.v4.powerdns.org. 60 IN A
14
1.1
01.106.121
whoami.v4.powerdns.org. 60 IN A
5
1.1
58.160.192
;
;
Received
128
B
;
;
Time 2019-04-22 0
6
:3
2
:56 EEST
;
;
From 1.1
.1.1
@853
(
TCP
)
in
166.6
ms
;
;
Received
67
B
;
;
Time 2019-04-22 0
7
:3
1
:56 EEST
;
;
From
5
1.1
58.160.192
@853
(
TCP
)
in
67.5
ms
```
### Further reading
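Review bot: the replacement capture shows the new resolver negotiating only `TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(CHACHA20-POLY1305)`, whereas the 1.1.1.1 run it replaces showed TLS 1.3; since the HAProxy block's comment references the Mozilla modern profile, it is worth either noting in the text that TLS 1.3 needs an OpenSSL 1.1.1 build or re-capturing once the front end offers it, so the example and the configuration section agree. The output also logs `TLS, skipping certificate PIN check`: `+tls-ca +tls-host=resolver1.lelux.fi` validates the chain and the name, which is the right check for a Let's Encrypt certificate that is reissued every 90 days, so do not add `+tls-pin` with the leaf PIN shown; if pinning is wanted at all, the intermediate (`Let's Encrypt Authority X3`) is the only reasonably stable target. The surrounding sentence `It should return your DNS resolver's outgoing IP address as result` does hold for the new capture: the answer `51.158.160.192` matches the `From 51.158.160.192@853` line.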
...
...