Verified Commit f42628d7 authored by Elias Ojala's avatar Elias Ojala
Browse files

Haproxy: Nginx

parent f5adc323
......@@ -96,9 +96,16 @@ To generate certificates, see [this guide](certbot.md#http-used-by-haproxy-examp
* [gitlab.com](https://gitlab.com/theel0ja/useragent-blocklist)
* [github.com](https://github.com/theel0ja/useragent-blocklist)
### Haproxy configuration
```bash
sudo mkdir -p /etc/haproxy/useragent-blocklist/
sudo chown -R $USER:$USER /etc/haproxy/useragent-blocklist/
git clone https://git.lelux.fi/theel0ja/useragent-blocklist /etc/haproxy/useragent-blocklist/
```
### Haproxy configuration for HTTPS
```haproxy
# HTTPS (port 443)
frontend https-in
bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
reqadd X-Forwarded-Proto:\ https
......@@ -138,6 +145,55 @@ curl https://YOUR_SERVER/robots.txt --header "User-Agent: YisouSpider" -I
0 */3 * * * cd /etc/haproxy/useragent-blocklist && git pull
```
## Nginx backends
nginx `1.10.3-1+deb9u2` from [stretch](https://packages.debian.org/stretch/nginx) doesn't seem to work. Please use `1.14.1-1~bpo9+1` from [stretch-backports](https://packages.debian.org/stretch-backports/nginx).
### haproxy.cfg
```
frontend https-in
...
use_backend web1 if { hdr(host) -i www.example.com }
# Backends
...
backend web1
server web1 SERVER_IP:80 send-proxy-v2
```
### `/etc/nginx/sites-available/www.example.com`
```nginx
server {
listen 80 proxy_protocol;
# listen [::]:80 proxy_protocol;
server_name www.example.com;
root /var/www/www.example.com;
# Add index.php to the list if you are using PHP
index index.html;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
```
### `/etc/nginx/conf.d/real-ip.conf`
```nginx
set_real_ip_from HAPROXY_IP;
real_ip_header proxy_protocol;
```
## Check configuration
```bash
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment