blob: feee75cbe387c5471697c78ee88b28d3d746bf08 (
plain) (
tree)
|
|
global
maxconn 256
log 127.0.0.1 local0
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3
defaults
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
mode tcp
option tcplog
option dontlognull
retries 3
timeout http-request 5000ms
timeout http-keep-alive 2000ms
timeout queue 5000ms
timeout tunnel 60000ms
timeout client-fin 1000ms
timeout server-fin 1000ms
resolvers docker_resolver
nameserver dns-0 127.0.0.11:53
hold valid 10000ms
resolve_retries 3
timeout retry 1000ms
timeout resolve 1000ms
#Frontends
frontend http
bind *:80
mode http
#ACLs
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
acl blog-host hdr_sub(host) -i blog.terminaldweller.com
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
acl api-host hdr_sub(host) -i api.terminaldweller.com
acl jabber-host hdr_sub(host) -i jabber.terminaldweller.com
acl searx-host hdr_sub(host) -i searx.terminaldweller.com
acl editor-host hdr_sub(host) -i editor.terminaldweller.com
acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
acl discord-host hdr_sub(host) -i discord.terminaldweller.com
acl rssgen-host hdr_sub(host) -i rssgen.terminaldweller.com
acl git-host hdr_sub(host) -i git.terminaldweller.com
acl cargo-host hdr_sub(host) -i cargo.terminaldweller.com
acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
acl main-host hdr_sub(host) -i terminaldweller.com
acl doh2-host hdr_sub(shost) -i doh2.terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
acl http ssl_fc,not
#Redirects
#this will prevent any letsencrypt cert challenges from working
#http-request redirect scheme https if http
http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editorsave-host !letsencrypt-acl
http-request redirect scheme https code 301 if http api-host !letsencrypt-acl
http-request redirect scheme https code 301 if http devourer-host !letsencrypt-acl
http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
http-request redirect scheme https code 301 if http git-host !letsencrypt-acl
# http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
http-request redirect scheme https code 301 if http cargo-host !letsencrypt-acl
http-request redirect scheme https code 301 if http browsh-host !letsencrypt-acl
#http-request redirect scheme https code 301 if http jabber-host !letsencrypt-acl
http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl
#Conditions
use_backend blog-backend-cert if letsencrypt-acl blog-host
use_backend blog-backend-cert if letsencrypt-acl editor-host
use_backend blog-backend-cert if letsencrypt-acl editorsave-host
use_backend cloud-one-cert if letsencrypt-acl devourer-host
use_backend searx-backend-cert if letsencrypt-acl jabber-host
use_backend api-crypto-backend-cert if letsencrypt-acl api-host
use_backend api-mila-backend-cert if letsencrypt-acl api-host
use_backend searx-backend-cert if letsencrypt-acl searx-host
use_backend searx-backend-cert if letsencrypt-acl rssgen-host
use_backend searx-backend-cert if letsencrypt-acl git-host
use_backend searx-backend-cert if letsencrypt-acl cargo-host
use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
use_backend searx-backend-cert if letsencrypt-acl main-host
use_backend doh2-backend-cert if letsencrypt-acl doh2-host
# use_backend editor-backend-cert if letsencrypt-acl editor-host
use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
use_backend blog-backend if blog-host
use_backend mail-backend if mail-host
use_backend api-backend if api-host
use_backend searx-backend if searx-host
use_backend git-backend if git-host
use_backend rssgen-backend if rssgen-host
use_backend browsh-backend if browsh-host
#use_backend chat-backend if chat-host
default_backend blog-backend
frontend https
bind *:443
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
#ACLs
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
acl blog-host-s req.ssl_sni -i blog.terminaldweller.com
acl jericho-host-s req.ssl_sni -i jericho.terminaldweller.com
acl api-host-s req.ssl_sni -i api.terminaldweller.com
acl mila-api-host-s req.ssl_sni -i mila.terminaldweller.com
acl searx-host-s req.ssl_sni -i searx.terminaldweller.com
acl git-host-s req.ssl_sni -i git.terminaldweller.com
acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
acl rssgen-host-s req.ssl_sni -i rssgen.terminaldweller.com
acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
acl main-host-s req.ssl_sni -i terminaldweller.com
acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
#Conditions
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
use_backend jericho-backend-s if jericho-host-s
use_backend blog-backend-s if blog-host-s
#use_backend api-crypto-backend-s if api-host-s crypto-api-acl
use_backend api-crypto-backend-s if api-host-s
use_backend api-mila-backend-s if mila-api-host-s
use_backend searx-backend-s if searx-host-s
use_backend cargo-backend-s if cargo-host-s
use_backend editor-backend-s if editor-host-s
use_backend editorsave-backend-s if editorsave-host-s
use_backend git-backend-s if git-host-s
use_backend rssgen-backend-s if rssgen-host-s
use_backend browsh-backend-s if browsh-host-s
use_backend main-backend-s if main-host-s
use_backend doh2-backend-s if doh2-host-s
#frontend jabber5222
# bind *:5222
# mode tcp
# use_backend chat-backend-c2s
#frontend jabber5222
# bind *:5222
# timeout client 60s
# mode tcp
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
# tcp-request content reject
# acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
# use_backend chat-backend-c2s if chat-host-s
frontend jabbber5222
bind *:5222
timeout client 60s
mode tcp
#tcp-request inspect-delay 5s
#tcp-request content accept if { req.ssl_hello_type 1 }
#tcp-request content reject
acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-backend-c2s if jabber-host
frontend jabber5223
bind *:5223
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-auth-backend-s if jabber-host-s
frontend jabber5280
bind *:5280
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-backend-admin if jabber-host
frontend jabber5443
bind *:5443
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-backend-s if jabber-host-s
frontend mail-imap
bind *:143
mode http
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
use_backend mail-backend-imap if mail-host
frontend mail-imaps
bind *:993
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
use_backend mail-backend-imaps if mail-host-s
frontend mail-pop3
bind *:110
mode http
acl mail-host hdr_sub(host) -i mail.terminalweller.com
use_backend mail-backend-pop3 if mail-host
frontend mail-pop3s
bind *:995
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
use_backend mail-backend-pop3s if mail-host-s
frontend mail-smtp
bind *:25
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host req.ssl_sni -i mail.terminaldweller.com
use_backend mail-backend-smtp if mail-host
frontend mail-smtps
bind *:465
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
use_backend mail-backend-smtps if mail-host-s
frontend mail-submission
bind *:587
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
acl mail-host-ss req.ssl_sni -i terminaldweller.com
use_backend mail-backend-submission if mail-host-s
use_backend mail-backend-submission if mail-host-ss
#Backends
backend certbot-backend
mode http
server nginx nginx:80 resolvers docker_resolver check init-addr none
backend blog-backend
mode http
option forwardfor
server blog-host 192.99.102.52:9001 check
backend blog-backend-cert
mode http
option forwardfor
server blog-host 192.99.102.52:80
backend cloud-one-cert
mode http
option forwardfor
server cloud-one-host 185.130.47.208:80
backend blog-backend-s
mode tcp
option tcp-check
server blog-host 192.99.102.52:9000 check
backend jericho-backend-s
mode tcp
option tcp-check
server blog-host 192.99.102.52:9000 check
backend mail-backend
mode http
option forwardfor
server mail-host 185.126.202.69:80
backend mail-backend-s
mode tcp
option tcp-check
server mail-host 185.126.202.69:443 check
backend mail-backend-imap
mode http
option forwardfor
server mail-host 185.126.202.69:143 check
backend mail-backend-imaps
mode tcp
#option tcp-check
server mail-host 185.126.202.69:993 check
backend mail-backend-pop3
mode http
option forwardfor
server mail-host 185.126.202.69:110 check
backend mail-backend-pop3s
mode tcp
#option tcp-check
server mail-host 185.126.202.69:995 check
backend mail-backend-smtp
mode tcp
#option tcp-check
server mail-host 185.126.202.69:25 check
backend mail-backend-smtps
mode tcp
option tcp-check
server mail-host 185.126.202.69:465 check
backend mail-backend-submission
mode tcp
option tcp-check
server mail-host 185.126.202.69:587
backend api-backend
mode http
option forwardfor
server api-host 192.99.102.52:8008 check
backend api-crypto-backend-s
mode tcp
option tcp-check
server api-host 192.99.102.52:8008
backend api-crypto-backend-cert
mode http
option forwardfor
server api-host 192.99.102.52:80
backend api-mila-backend-s
mode tcp
option tcp-check
server api-mila-host 185.130.47.208:9009
backend api-mila-backend-cert
mode http
option forwardfor
server api-mila-host 185.130.47.208:80
backend jabber-backend-admin
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5280
backend jabber-backend-s
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5443
backend jabber-backend-c2s
mode tcp
server jabber-host 185.130.47.208:5222
backend jabber-auth-backend-s
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5223
backend searx-backend-cert
mode http
server searx-host-cert 185.130.47.208:80
backend searx-backend
mode http
server searx-host 185.130.47.208:8080
backend searx-backend-s
#balance roundrobin
mode tcp
option tcp-check
server searx-host-s 185.130.47.208:8081 maxconn 10
#server searx-host-s 192.99.102.52:8081 maxconn 10
backend cargo-backend-s
mode tcp
option tcp-check
server cargo-host-s 185.130.47.208:7777
backend editor-backend-s
mode tcp
option tcp-check
server editor-host-s 192.99.102.52:7080
backend editorsave-backend-s
mode tcp
option tcp-check
server editorsave-host-s 192.99.102.52:9080
backend rssgen-backend
mode http
server rssgen-host-s 185.130.47.208:3000
backend rssgen-backend-s
mode tcp
option tcp-check
server rssgen-host-s 185.130.47.208:3000
backend git-backend
mode http
option forwardfor
server git-host 185.130.47.208:8042
backend git-backend-s
mode tcp
option tcp-check
server git-host-s 185.130.47.208:8043 check
backend browsh-backend
mode http
server browsh-host 185.130.45.46:4333
backend browsh-backend-s
mode tcp
option tcp-check
server browsh-host-s 185.130.45.46:4333
backend vpn6-cert-backend
mode http
server vpn6-cert-host 185.130.45.46:80
backend main-backend-s
mode tcp
option tcp-check
server main-host-s 185.130.47.208:7773
backend doh2-backend-cert
mode http
server doh2-backend-host 185.130.47.81:80
backend doh2-backend-s
mode tcp
option tcp-check
server doh2-backend-s 185.130.47.81:443
|