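# Process-wide settings: privilege drop, chroot, and TLS defaults for every "bind ... ssl" line.
global
    #debug

    # Confine the worker to an empty directory and run it as an unprivileged account.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    pidfile /var/run/haproxy.pid

    # NOTE(review): no "log" directive is visible in this section; confirm that
    # logging is configured elsewhere, otherwise this proxy leaves no request trail.

    # Default SSL material locations (used to resolve relative ca-file / crt paths).
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Protocol floor for SSL-enabled listening sockets: TLS 1.2 or newer.
    # "force-tlsv12" was dropped because it pins the listener to TLS 1.2 only,
    # which rules out TLS 1.3; "ssl-min-ver TLSv1.2" alone expresses the floor.
    # Stateless session tickets stay disabled.
    ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2

    # Default ciphers to use on SSL-enabled listening sockets.
    # The 3DES suites were removed: 64-bit block ciphers are exposed to
    # birthday-bound (Sweet32) attacks, and every TLS 1.2 client can negotiate AES.
    # NOTE(review): the RSA+ entries provide no forward secrecy; consider dropping
    # them once client compatibility has been checked.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    # Size, in bits, of the ephemeral DH parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048

    # Randomise health-check intervals so checks do not fire in lockstep.
    spread-checks 4
    # Buffer space reserved for header rewriting, in bytes.
    tune.maxrewrite 1024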
# Settings inherited by the frontend and backend sections that follow.
defaults
    mode http
    balance roundrobin

    # Cap on concurrent connections for each proxy that inherits these defaults.
    maxconn 5000

    # Connection-phase and idle timeouts.
    timeout connect 5s
    timeout queue 30s
    timeout client 20s
    timeout server 20s
    # Bounds how long a client may take to send a complete request, which limits
    # how long a slow or stalled sender can hold a connection slot.
    timeout http-request 5s
    timeout http-keep-alive 15s

    # Allow a request to be sent to another server when its assigned one is down.
    option redispatch

    # Log filters: skip connections that carried no data, and skip normal,
    # successful requests.
    # NOTE(review): dontlog-normal keeps successful requests out of the logs, and
    # no "log" directive is visible in the sections shown; confirm the resulting
    # audit trail is sufficient for the service behind this proxy.
    option dontlognull
    option dontlog-normal
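# Cleartext HTTP listener on port 80, all addresses.
frontend http-in
    bind *:80
    # "reqadd" only appended a header, so an X-Forwarded-Proto value supplied by
    # the client was forwarded alongside the proxy's own and could mislead the
    # application about the original scheme. set-header removes any existing
    # instance before writing the trusted value.
    http-request set-header X-Forwarded-Proto http
    default_backend nodes-http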
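# TLS listener on port 443, all addresses; the PEM bundle holds the certificate
# chain and private key, so its file permissions should be limited to the
# account that starts haproxy.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem
    # "reqadd" only appended a header, leaving any client-supplied
    # X-Forwarded-Proto in place next to the proxy's value. set-header removes
    # existing instances first, so the backend sees exactly one, set here.
    http-request set-header X-Forwarded-Proto https
    default_backend nodes-http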
# Single-server pool shared by both frontends.
backend nodes-http
    # Any request that did not arrive over TLS is answered with a redirect to
    # the https:// form of the same URL instead of being forwarded.
    redirect scheme https unless { ssl_fc }
    # Health-checked upstream reached over plain HTTP on port 80.
    # NOTE(review): traffic on this hop is unencrypted; confirm the network
    # between the proxy and this server is trusted.
    server node1 some-simplesamlphp:80 check