Haproxy configuration

914e4c45 · Elias Ojala · eb4f04a0 · 914e4c45
Verified Commit 914e4c45 authored Apr 22, 2019 by Elias Ojala
--- a/haproxy.md
+++ b/haproxy.md
@@ -5,7 +5,43 @@ permalink: /haproxy/

 ## Base configuration

-Coming soon
+
+```
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0g&hsts=yes&profile=modern
+        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
+        # set default parameters to the intermediate configuration
+        tune.ssl.default-dh-param 2048
+        ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        ssl-default-bind-options no-sslv3 no-tls-tickets
+        ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+        ssl-default-server-options no-sslv3 no-tls-tickets
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+```

 ## Let's Encrypt

@@ -93,33 +129,32 @@ It should return your DNS resolver's outgoing IP address as result.
 Example result:

 ```console
-$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  whoami.v4.powerdns.org
-;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
+$ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi  whoami.v4.powerdns.org
+;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver1.lelux.fi), port(853), protocol(TCP)
 ;; DEBUG: TLS, imported 128 system certificates
 ;; DEBUG: TLS, received certificate hierarchy:
-;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
-;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
-;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
-;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
+;; DEBUG:  #1, CN=resolver1.lelux.fi
+;; DEBUG:      SHA-256 PIN: 2aPeuRroX59Lr5V6Zdd/rM9aok+aB3vL93HgApKT0Kc=
+;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
+;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
 ;; DEBUG: TLS, skipping certificate PIN check
 ;; DEBUG: TLS, The certificate is trusted. 
-;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
-;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 64512
+;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(CHACHA20-POLY1305)
+;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37061
 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

 ;; EDNS PSEUDOSECTION:
-;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
-;; PADDING: 57 B
+;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR

 ;; QUESTION SECTION:
 ;; whoami.v4.powerdns.org.		IN	A

 ;; ANSWER SECTION:
-whoami.v4.powerdns.org.	60	IN	A	141.101.106.121
+whoami.v4.powerdns.org.	60	IN	A	51.158.160.192

-;; Received 128 B
-;; Time 2019-04-22 06:32:56 EEST
-;; From 1.1.1.1@853(TCP) in 166.6 ms
+;; Received 67 B
+;; Time 2019-04-22 07:31:56 EEST
+;; From 51.158.160.192@853(TCP) in 67.5 ms
 ```

 ### Further reading