aboutsummaryrefslogblamecommitdiffstats
path: root/terminaldweller.com/haproxy/haproxy.cfg
blob: 57f79f4b17344985fa5c1e9c5da67264a709ac67 (plain) (tree)
1
2
3
4
5
6
7
8
      
             

                                                                                                      
                                   
 
        
            





                        






                                

                         




                                
 
          
             
           
           



                                                           
                                                       
                                                             
                                                           
                                                             
                                                                     
                                                             
                                                               
                                                             
                                                       

                                                             
                                                    
                                                          
                                                                  

                                    
                     

            
                                                                 

                                                                                




                                                                                      
                                                                               
                                                                                    
                                                                                 
                                                                                  
                                                                                   
                                                                                  
                                                                                
                                                                                
                                                                                    

             
                                                            

                                                                  
                                                             
                                                               


                                                                 
                                                               
                                                            
                                                              
                                                              
                                                             
                                                                 
                                                            
                                                                 
                                                                                  

                                       
                                     
                                         
                                     

                                           
                                        
                              
 








                                                         
                                                             
                                                         
                                                               
                                                       
                                                             
                                                           
                                                       
                                                           
                                                             
                                                                     
                                                               
                                                             
                                                             
                                                    
                                                         
                                                                 


                                            
                                                 
                                           
                                                                
                                                
                                                   
                                             
                                             
                                               
                                                       
                                         
                                               
                                               
                                           
                                           
                                                   
 



                               








                                                          

                    

                    




                                                           






                                                        

                                                             

                   






                                                           






                                                        

                                                             






















































                                                         
                                                     
                                                    
                                                     
 
         
                       
           

                                                                      
                    

                   
                                           



                                   


                      
                                         
                      
          




                                           
                                           

                    

                   
                                    
                      
          
                  





                                           
          
                 


                                           
                   

                                           
          
                 

                                           
          
                 

                                          
          
                  

                                           
          
                  
                                     

                   


                                          
                            
          
                  
                                    
                               

                   
                                  
                          
          
                  
                                          


                             
                                        
 
                            
          
                  

                                        
          
                  




                                        
          
                  
                                        
 

                          
                                          

                     
                                       
                       
                     
          
                  
                                                    
                                                    

                       
          
                  
                                         


                        
                  
                                         


                            
                  
                                             


                      




                                          



                   
                                     


                     




                                             







                                         




                                        



                                           
 



                                         




                                        
global
  maxconn 256
  log 127.0.0.1 local0
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  ssl-default-bind-options no-sslv3

defaults
  log global
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms
  mode tcp
  option tcplog
  option dontlognull
  retries 3
  timeout http-request 5000ms
  timeout http-keep-alive 2000ms
  timeout queue 5000ms
  timeout tunnel 60000ms
  timeout client-fin 1000ms
  timeout server-fin 1000ms

resolvers docker_resolver
  nameserver dns-0 127.0.0.11:53
  hold valid 10000ms
  resolve_retries 3
  timeout retry 1000ms
  timeout resolve 1000ms

#Frontends
frontend http
  bind *:80
  mode http
  #ACLs
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  acl blog-host hdr_sub(host) -i blog.terminaldweller.com
  acl mail-host hdr_sub(host) -i mail.terminaldweller.com
  acl api-host hdr_sub(host) -i api.terminaldweller.com
  acl jabber-host hdr_sub(host) -i jabber.terminaldweller.com
  acl searx-host hdr_sub(host) -i searx.terminaldweller.com
  acl editor-host hdr_sub(host) -i editor.terminaldweller.com
  acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
  acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
  acl discord-host hdr_sub(host) -i discord.terminaldweller.com
  acl rssgen-host hdr_sub(host) -i rssgen.terminaldweller.com
  acl git-host hdr_sub(host) -i git.terminaldweller.com
  acl cargo-host hdr_sub(host) -i cargo.terminaldweller.com
  acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
  acl main-host hdr_sub(host) -i terminaldweller.com
  acl doh2-host hdr_sub(shost) -i doh2.terminaldweller.com
  acl pastebin-host hdr_sub(shost) -i pastebin.terminaldweller.com
  acl mila-api-acl url_beg /mila
  acl crypto-api-acl url_beg /crypto
  acl http ssl_fc,not

  #Redirects
  #this will prevent any letsencrypt cert challenges from working
  #http-request redirect scheme https if http
  http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http editorsave-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http api-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http devourer-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http git-host !letsencrypt-acl
  # http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http cargo-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http browsh-host !letsencrypt-acl
  #http-request redirect scheme https code 301 if http jabber-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http pastebin-host !letsencrypt-acl

  #Conditions
  use_backend blog-backend-cert if letsencrypt-acl blog-host
  use_backend blog-backend-cert if letsencrypt-acl editor-host
  use_backend blog-backend-cert if letsencrypt-acl editorsave-host
  use_backend cloud-one-cert if letsencrypt-acl devourer-host
  use_backend searx-backend-cert if letsencrypt-acl jabber-host
  use_backend api-crypto-backend-cert if letsencrypt-acl api-host
  use_backend api-mila-backend-cert if letsencrypt-acl api-host
  use_backend searx-backend-cert if letsencrypt-acl searx-host
  use_backend searx-backend-cert if letsencrypt-acl rssgen-host
  use_backend searx-backend-cert if letsencrypt-acl git-host
  use_backend searx-backend-cert if letsencrypt-acl cargo-host
  use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
  use_backend searx-backend-cert if letsencrypt-acl main-host
  use_backend searx-backend-cert if letsencrypt-acl pastebin-host
  use_backend doh2-backend-cert if letsencrypt-acl doh2-host
#  use_backend editor-backend-cert if letsencrypt-acl editor-host
  use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
  use_backend blog-backend if blog-host
  use_backend mail-backend if mail-host
  use_backend api-backend if api-host
  use_backend searx-backend if searx-host
  use_backend git-backend if git-host
  use_backend rssgen-backend if rssgen-host
  use_backend browsh-backend if browsh-host
  #use_backend chat-backend if chat-host
  default_backend blog-backend

frontend https
  bind *:443
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  #ACLs
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  acl blog-host-s req.ssl_sni -i blog.terminaldweller.com
  acl jericho-host-s req.ssl_sni -i jericho.terminaldweller.com
  acl api-host-s req.ssl_sni -i api.terminaldweller.com
  acl mila-api-host-s req.ssl_sni -i mila.terminaldweller.com
  acl searx-host-s req.ssl_sni -i searx.terminaldweller.com
  acl git-host-s req.ssl_sni -i git.terminaldweller.com
  acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
  acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
  acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
  acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
  acl rssgen-host-s req.ssl_sni -i rssgen.terminaldweller.com
  acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
  acl main-host-s req.ssl_sni -i terminaldweller.com
  acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
  acl pastebin-host-s req.ssl_sni -i pastebin.terminaldweller.com
  #Conditions
  use_backend mail-backend-s if mail-host-s
  #use_backend chat-backend-s if chat-host-s
  use_backend jericho-backend-s if jericho-host-s
  use_backend blog-backend-s if blog-host-s
  #use_backend api-crypto-backend-s if api-host-s crypto-api-acl
  use_backend api-crypto-backend-s if api-host-s
  use_backend api-mila-backend-s if mila-api-host-s
  use_backend searx-backend-s if searx-host-s
  use_backend cargo-backend-s if cargo-host-s
  use_backend editor-backend-s if editor-host-s
  use_backend editorsave-backend-s if editorsave-host-s
  use_backend git-backend-s if git-host-s
  use_backend rssgen-backend-s if rssgen-host-s
  use_backend browsh-backend-s if browsh-host-s
  use_backend main-backend-s if main-host-s
  use_backend doh2-backend-s if doh2-host-s
  use_backend pastebin-backend-s if pastebin-host-s

#frontend jabber5222
#  bind *:5222
#  mode tcp
#  use_backend chat-backend-c2s
#frontend jabber5222
#  bind *:5222
#  timeout client 60s
#  mode tcp
#  tcp-request inspect-delay 5s
#  tcp-request content accept if { req.ssl_hello_type 1 }
#  tcp-request content reject
#  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
#  use_backend chat-backend-c2s if chat-host-s
frontend jabbber5222
  bind *:5222
  timeout client 60s
  mode tcp
  #tcp-request inspect-delay 5s
  #tcp-request content accept if { req.ssl_hello_type 1 }
  #tcp-request content reject
  acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-c2s if jabber-host
frontend jabber5223
  bind *:5223
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-auth-backend-s if jabber-host-s
frontend jabber5280
  bind *:5280
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-admin if jabber-host
frontend jabber5443
  bind *:5443
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-s if jabber-host-s

frontend mail-imap
  bind *:143
  mode http
  acl mail-host hdr_sub(host) -i mail.terminaldweller.com
  use_backend mail-backend-imap if mail-host
frontend mail-imaps
  bind *:993
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-imaps if mail-host-s
frontend mail-pop3
  bind *:110
  mode http
  acl mail-host hdr_sub(host) -i mail.terminalweller.com
  use_backend mail-backend-pop3 if mail-host
frontend mail-pop3s
  bind *:995
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-pop3s if mail-host-s
frontend mail-smtp
  bind *:25
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-smtp if mail-host
frontend mail-smtps
  bind *:465
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-smtps if mail-host-s
frontend mail-submission
  bind *:587
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  acl mail-host-ss req.ssl_sni -i terminaldweller.com
  use_backend mail-backend-submission if mail-host-s
  use_backend mail-backend-submission if mail-host-ss

#Backends
backend certbot-backend
  mode http
  server nginx nginx:80 resolvers docker_resolver check init-addr none

backend blog-backend
  mode http
  option forwardfor
  server blog-host 192.99.102.52:9001 check
backend blog-backend-cert
  mode http
  option forwardfor
  server blog-host 192.99.102.52:80
backend cloud-one-cert
  mode http
  option forwardfor
  server cloud-one-host 185.130.47.208:80
backend blog-backend-s
  mode tcp
  option tcp-check
  server blog-host 192.99.102.52:9000 check
backend jericho-backend-s
  mode tcp
  option tcp-check
  server blog-host 192.99.102.52:9000 check

backend mail-backend
  mode http
  option forwardfor
  server mail-host 185.126.202.69:80
backend mail-backend-s
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:443 check
backend mail-backend-imap
  mode http
  option forwardfor
  server mail-host 185.126.202.69:143 check
backend mail-backend-imaps
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:993 check
backend mail-backend-pop3
  mode http
  option forwardfor
  server mail-host 185.126.202.69:110 check
backend mail-backend-pop3s
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:995 check
backend mail-backend-smtp
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:25 check
backend mail-backend-smtps
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:465 check
backend mail-backend-submission
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:587

backend api-backend
  mode http
  option forwardfor
  server api-host 192.99.102.52:8008 check
backend api-crypto-backend-s
  mode tcp
  option tcp-check
  server api-host 192.99.102.52:8008
backend api-crypto-backend-cert
  mode http
  option forwardfor
  server api-host 192.99.102.52:80
backend api-mila-backend-s
  mode tcp
  option tcp-check
  server api-mila-host 185.130.47.208:9009
backend api-mila-backend-cert
  mode http
  option forwardfor
  server api-mila-host 185.130.47.208:80

backend jabber-backend-admin
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5280
backend jabber-backend-s
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5443
backend jabber-backend-c2s
  mode tcp
  server jabber-host 185.130.47.208:5222
backend jabber-auth-backend-s
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5223

backend searx-backend-cert
  mode http
  server searx-host-cert 185.130.47.208:80
backend searx-backend
  mode http
  server searx-host 185.130.47.208:8080
backend searx-backend-s
  #balance roundrobin
  mode tcp
  option tcp-check
  server searx-host-s 185.130.47.208:8081 maxconn 10
  #server searx-host-s 192.99.102.52:8081 maxconn 10

backend cargo-backend-s
  mode tcp
  option tcp-check
  server cargo-host-s 185.130.47.208:7777

backend editor-backend-s
  mode tcp
  option tcp-check
  server editor-host-s 192.99.102.52:7080

backend editorsave-backend-s
  mode tcp
  option tcp-check
  server editorsave-host-s 192.99.102.52:9080

backend rssgen-backend
  mode http
  server rssgen-host-s 185.130.47.208:3000
backend rssgen-backend-s
  mode tcp
  option tcp-check
  server rssgen-host-s 185.130.47.208:3000

backend git-backend
  mode http
  option forwardfor
  server git-host 185.130.47.208:8042
backend git-backend-s
  mode tcp
  option tcp-check
  server git-host-s 185.130.47.208:8043 check

backend browsh-backend
  mode http
  server browsh-host 185.130.45.46:4333
backend browsh-backend-s
  mode tcp
  option tcp-check
  server browsh-host-s 185.130.45.46:4333

backend vpn6-cert-backend
  mode http
  server vpn6-cert-host 185.130.45.46:80

backend main-backend-s
  mode tcp
  option tcp-check
  server main-host-s 185.130.47.208:7773

backend doh2-backend-cert
  mode http
  server doh2-backend-host 185.130.47.81:80

backend doh2-backend-s
  mode tcp
  option tcp-check
  server doh2-backend-s 185.130.47.81:443

backend pastebin-backend-s
  mode tcp
  option tcp-check
  server main-host-s 185.130.47.208:3010