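global
maxconn 256
log 127.0.0.1 local0
# TLS defaults inherited by any `bind ... ssl` line. No bind in this file
# terminates TLS (HTTPS, IMAPS, POP3S, SMTPS and the XMPP TLS ports are passed
# through in tcp mode by SNI), so these settings are currently dormant; they are
# what a future TLS-terminating listener would inherit.
# RC4-SHA is removed: RC4 is prohibited for TLS (RFC 7465) and no current client
# needs it. kRSA+AES (no forward secrecy) is kept so the fallback behaviour for
# old clients is unchanged — NOTE(review): confirm it is still required.
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2+ on terminated listeners.
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11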
defaults
# Inherited by every frontend and backend below unless the section overrides it.
log global
# Connection setup and idle timeouts; several listeners override timeout client to 60s.
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
# tcp is the default mode; the sections that need HTTP parsing say so explicitly.
mode tcp
option tcplog
# Do not log connections that closed without exchanging data (e.g. port probes).
option dontlognull
retries 3
# The http-* timeouts only take effect in mode http sections. Bounding the time a
# client may spend sending a complete request limits slow-header style exhaustion
# of the 256-connection budget.
timeout http-request 5000ms
timeout http-keep-alive 2000ms
timeout queue 5000ms
# Applies to http tunnels (e.g. websockets) once established.
timeout tunnel 60000ms
# Half-closed connections are torn down quickly in either direction.
timeout client-fin 1000ms
timeout server-fin 1000ms
resolvers docker_resolver
# 127.0.0.11 is Docker's embedded DNS; used by certbot-backend to resolve the
# "nginx" container name at runtime rather than at startup.
nameserver dns-0 127.0.0.11:53
# How long a valid answer is reused before re-resolving, and the retry policy.
hold valid 10000ms
resolve_retries 3
timeout retry 1000ms
timeout resolve 1000ms
#Frontends
frontend http
# Plain-HTTP entry point. It serves ACME HTTP-01 challenges for every hosted
# name, redirects the TLS-enabled hosts to https, and proxies the hosts that
# are still served over plain HTTP.
bind *:80
mode http
#ACLs
# ACME HTTP-01 challenge path; requests on it must never be redirected.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# Host matching uses hdr_sub (substring): any Host header that merely contains
# the name also matches (e.g. "xblog.terminaldweller.com"). The Host header is
# client-controlled, so this only selects a backend — it is not a trust boundary.
# NOTE(review): hdr(host) -i / hdr_dom(host) would match exactly; confirm the
# ":port" form is not relied on before tightening.
acl blog-host hdr_sub(host) -i blog.terminaldweller.com
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
acl api-host hdr_sub(host) -i api.terminaldweller.com
acl chat-host hdr_sub(host) -i chat.terminaldweller.com
acl searx-host hdr_sub(host) -i searx.terminaldweller.com
acl editor-host hdr_sub(host) -i editor.terminaldweller.com
acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
# discord-host, mila-api-acl and crypto-api-acl are defined but referenced by no
# rule in this frontend.
acl discord-host hdr_sub(host) -i discord.terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
# True when the request did not arrive over TLS — always true on this :80 bind.
acl http ssl_fc,not
#Redirects
#this will prevent any letsencrypt cert challenges from working
#http-request redirect scheme https if http
# The hosts below are forced to https except on the ACME challenge path.
# mail-host, chat-host and discord-host are not redirected and stay on plain HTTP.
# NOTE(review): confirm that is intended for mail-host, which is proxied in
# clear text to mail-backend further down.
http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editorsave-host !letsencrypt-acl
http-request redirect scheme https code 301 if http api-host !letsencrypt-acl
http-request redirect scheme https code 301 if http devourer-host !letsencrypt-acl
http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
#Conditions
#use_backend chat-cert-backend if letsencrypt-acl chat-host
# Routing is first-match: the first use_backend whose condition holds wins.
# Challenge traffic goes to the origin that holds each name's certificate.
use_backend blog-backend-cert if letsencrypt-acl blog-host
use_backend blog-backend-cert if letsencrypt-acl editor-host
use_backend blog-backend-cert if letsencrypt-acl editorsave-host
use_backend cloud-one-cert if letsencrypt-acl devourer-host
use_backend cloud-one-cert if letsencrypt-acl chat-host
use_backend api-crypto-backend-cert if letsencrypt-acl api-host
# NOTE(review): unreachable — the rule directly above already matches the same
# condition (letsencrypt-acl api-host), so api-mila-backend-cert is never chosen
# from here. Confirm which certificate origin api.* is supposed to use.
use_backend api-mila-backend-cert if letsencrypt-acl api-host
use_backend searx-backend-cert if letsencrypt-acl searx-host
# use_backend editor-backend-cert if letsencrypt-acl editor-host
# Challenges for any remaining host are answered by the local certbot container.
use_backend certbot-backend if letsencrypt-acl !chat-host !blog-host !api-host
# Plain-HTTP service for the hosts that are not redirected above.
use_backend blog-backend if blog-host
use_backend mail-backend if mail-host
use_backend api-backend if api-host
use_backend searx-backend if searx-host
#use_backend chat-backend if chat-host
# Unknown or missing Host values fall through to the blog.
default_backend blog-backend
frontend https
# TLS is not terminated here: connections are routed by the SNI in the ClientHello
# and passed through in tcp mode, so each origin server holds its own certificate
# and the global ssl-default-bind-* settings do not apply to this listener.
bind *:443
timeout client 60s
mode tcp
# Wait up to 5s for the first bytes and forward only if they are a TLS ClientHello
# (ssl_hello_type 1); anything else, including a client that sends nothing, is
# dropped before it can reach a backend.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
#ACLs
# SNI is compared exactly (case-insensitive). It is client-supplied and only
# selects a backend; it does not authenticate anything.
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# chat-host-s and discord-host-s are defined but used by no active rule below.
acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
acl blog-host-s req.ssl_sni -i blog.terminaldweller.com
acl api-host-s req.ssl_sni -i api.terminaldweller.com
acl mila-api-host-s req.ssl_sni -i mila.terminaldweller.com
acl searx-host-s req.ssl_sni -i searx.terminaldweller.com
acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
#Conditions
# First match wins. There is no default_backend, so a ClientHello whose SNI
# matches none of the names above gets no backend and the connection is closed.
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
use_backend blog-backend-s if blog-host-s
#use_backend api-crypto-backend-s if api-host-s crypto-api-acl
# NOTE(review): api-crypto-backend-s targets 192.99.102.52:8008, the same port the
# plain-HTTP api-backend uses — confirm that port actually speaks TLS.
use_backend api-crypto-backend-s if api-host-s
use_backend api-mila-backend-s if mila-api-host-s
use_backend searx-backend-s if searx-host-s
use_backend cargo-backend-s if cargo-host-s
use_backend editor-backend-s if editor-host-s
use_backend editorsave-backend-s if editorsave-host-s
#frontend jabber5222
# bind *:5222
# mode tcp
# use_backend chat-backend-c2s
#frontend jabber5222
# bind *:5222
# timeout client 60s
# mode tcp
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
# tcp-request content reject
# acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
# use_backend chat-backend-c2s if chat-host-s
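frontend jabbber5222
# XMPP c2s on 5222 negotiates TLS with STARTTLS: the client opens with an XML
# stream header, not a TLS ClientHello, so req.ssl_sni is never populated and the
# previous `acl chat-host req.ssl_sni ...` / `use_backend ... if chat-host` pair
# could not match (no inspect-delay was set to wait for data either). The
# connection was left without a backend. chat-backend-c2s is the only possible
# target, so route to it unconditionally; TLS is negotiated end to end between the
# client and the chat server.
bind *:5222
timeout client 60s
mode tcp
default_backend chat-backend-c2s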
frontend jabber5223
# XMPP c2s over direct TLS (5223). Same ClientHello gate as the https frontend:
# only a TLS handshake seen within 5s is forwarded, everything else is dropped.
bind *:5223
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
# No default_backend: a ClientHello with any other SNI is closed.
use_backend chat-auth-backend-s if chat-host-s
frontend jabber5280
# Plain-HTTP listener for the chat server's HTTP/admin service on 5280, bound on
# all interfaces and gated only by a substring Host check.
# NOTE(review): the Host header is client-controlled, so this does not restrict
# who can reach chat-backend-admin; confirm whether this port needs to be public
# at all, and if not restrict the bind address or add a source ACL.
bind *:5280
mode http
acl chat-host hdr_sub(host) -i chat.terminaldweller.com
use_backend chat-backend-admin if chat-host
frontend jabber5443
# Chat server HTTPS service (5443), TLS passed through by SNI; only a TLS
# ClientHello seen within 5s is forwarded.
bind *:5443
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
# No default_backend: any other SNI is closed.
use_backend chat-backend-s if chat-host-s
frontend mail-imap
# NOTE(review): an HTTP-mode listener on the IMAP port. IMAP is server-speaks-
# first and carries no HTTP request or Host header, so a real IMAP client waits
# for a greeting while HAProxy waits for an HTTP request (timeout http-request),
# and hdr_sub(host) can never match. Confirm whether plaintext IMAP on :143 is
# meant to work; if so it needs a tcp-mode listener and backend (mail-imaps on
# :993 is the one that can route IMAP today), otherwise this bind can go.
bind *:143
mode http
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
use_backend mail-backend-imap if mail-host
frontend mail-imaps
# IMAP over implicit TLS (993), passed through by SNI after the ClientHello gate.
bind *:993
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# No default_backend: a client that sends no SNI or another name is closed —
# NOTE(review): confirm every mail client in use sends SNI for this host.
use_backend mail-backend-imaps if mail-host-s
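frontend mail-pop3
# Fix: the ACL matched "mail.terminalweller.com" (missing "d"), so it never
# matched the real host name and no backend was ever selected.
# NOTE(review): this is still an HTTP-mode listener on the POP3 port. POP3 is
# server-speaks-first with no HTTP Host header, so hdr_sub(host) cannot match a
# POP3 client and the request parser times out; confirm whether plaintext POP3 on
# :110 is meant to work (mail-pop3s on :995 is the listener that routes POP3).
bind *:110
mode http
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
use_backend mail-backend-pop3 if mail-host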
frontend mail-pop3s
# POP3 over implicit TLS (995), passed through by SNI after the ClientHello gate.
bind *:995
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# No default_backend: missing or different SNI closes the connection.
use_backend mail-backend-pop3s if mail-host-s
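frontend mail-smtp
# Inbound SMTP (25). SMTP is server-speaks-first and upgrades to TLS with STARTTLS
# (RFC 3207), so the connection never begins with a TLS ClientHello: the previous
# ssl_hello_type gate rejected every connection once the 5s inspect delay
# expired, and the req.ssl_sni ACL could never match. Route the plain stream to
# the single SMTP backend; STARTTLS is then negotiated end to end with the mail
# server, which is the only place the SMTP certificate lives.
bind *:25
timeout client 60s
mode tcp
default_backend mail-backend-smtp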
frontend mail-smtps
# SMTP over implicit TLS (465), passed through by SNI after the ClientHello gate.
bind *:465
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# No default_backend: missing or different SNI closes the connection.
use_backend mail-backend-smtps if mail-host-s
frontend mail-submission
# Mail submission (587). This listener assumes the connection starts with a TLS
# ClientHello (implicit TLS).
# NOTE(review): 587 is normally STARTTLS (RFC 6409), in which case the client
# speaks plain SMTP first, the gate below rejects every submission after 5s, and
# the SNI ACLs never match. mail-backend-submission uses ssl-hello-chk, which
# suggests implicit TLS is expected on the server — confirm against the server.
bind *:587
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# The bare apex name is accepted as SNI too.
acl mail-host-ss req.ssl_sni -i terminaldweller.com
use_backend mail-backend-submission if mail-host-s
use_backend mail-backend-submission if mail-host-ss
#Backends
backend certbot-backend
# Local ACME responder: the "nginx" container, resolved at runtime through
# docker_resolver. init-addr none lets HAProxy start even if the name does not
# resolve yet.
mode http
server nginx nginx:80 resolvers docker_resolver check init-addr none
backend blog-backend
# Plain HTTP to the blog origin. option forwardfor appends the client IP to
# X-Forwarded-For; an X-Forwarded-For value the client sent is kept in front of
# it, so the origin must only trust the last (proxy-added) entry.
mode http
option forwardfor
server blog-host 192.99.102.52:9000 check
backend blog-backend-cert
# ACME challenge origin for blog/editor/editorsave; no health check on this server.
mode http
option forwardfor
server blog-host 192.99.102.52:80
backend cloud-one-cert
# ACME challenge origin for mila/chat; no health check on this server.
mode http
option forwardfor
server cloud-one-host 130.185.121.80:80
backend blog-backend-s
# TLS passthrough to the blog; ssl-hello-chk health-checks with a TLS hello.
mode tcp
option ssl-hello-chk
server blog-host 192.99.102.52:9000 check
backend mail-backend
# Plain HTTP (port 80) to the mail host, reached in clear text; no health check.
mode http
option forwardfor
server mail-host 185.126.202.69:80
backend mail-backend-s
# HTTPS passthrough to the mail host.
mode tcp
option ssl-hello-chk
server mail-host 185.126.202.69:443 check
backend mail-backend-imap
# http-mode backend paired with the mail-imap frontend (see the note there).
mode http
option forwardfor
server mail-host 185.126.202.69:143 check
backend mail-backend-imaps
# IMAPS passthrough; with ssl-hello-chk commented out the check is a plain TCP connect.
mode tcp
#option ssl-hello-chk
server mail-host 185.126.202.69:993 check
backend mail-backend-pop3
# http-mode backend paired with the mail-pop3 frontend (see the note there).
mode http
option forwardfor
server mail-host 185.126.202.69:110 check
backend mail-backend-pop3s
# POP3S passthrough; plain TCP connect check.
mode tcp
#option ssl-hello-chk
server mail-host 185.126.202.69:995 check
backend mail-backend-smtp
# SMTP (25) passthrough; a plain TCP connect check is the right one here since
# port 25 does not start with TLS.
mode tcp
#option ssl-hello-chk
server mail-host 185.126.202.69:25 check
backend mail-backend-smtps
# SMTPS passthrough, checked with a TLS hello.
mode tcp
option ssl-hello-chk
server mail-host 185.126.202.69:465 check
backend mail-backend-submission
# Submission passthrough. ssl-hello-chk has no effect here because the server
# line has no "check" — inconsistent with the other mail servers, which are checked.
mode tcp
option ssl-hello-chk
server mail-host 185.126.202.69:587
backend api-backend
# Plain HTTP to the API on 8008.
mode http
option forwardfor
server api-host 192.99.102.52:8008 check
backend api-crypto-backend-s
# TLS passthrough to the same 8008 port the plain-HTTP api-backend uses —
# NOTE(review): confirm the port speaks TLS. ssl-hello-chk is inert without
# "check" on the server line.
mode tcp
option ssl-hello-chk
server api-host 192.99.102.52:8008
backend api-crypto-backend-cert
# ACME challenge origin for api.*; no health check.
mode http
option forwardfor
server api-host 192.99.102.52:80
backend api-mila-backend-s
# TLS passthrough for mila.* on 19019; ssl-hello-chk is inert without "check".
mode tcp
option ssl-hello-chk
server api-mila-host 130.185.121.80:19019
backend api-mila-backend-cert
# No port on the server line, so the port the client connected to (80 from the
# http frontend) is used. Currently unreachable from frontend http because an
# earlier use_backend rule matches the same condition.
mode http
option forwardfor
server api-mila-host 130.185.121.80
backend chat-backend-admin
# Plain HTTP to the chat server's 5280 service; no health check, no forwardfor.
mode http
server chat-host 130.185.121.80:5280
#backend chat-backend
# mode http
# server chat-host 130.185.121.80:5222
backend chat-backend-s
# Chat HTTPS (5443) passthrough; ssl-hello-chk is inert without "check".
mode tcp
option ssl-hello-chk
server chat-host 130.185.121.80:5443
backend chat-backend-c2s
# XMPP c2s (5222) passthrough. 5222 uses STARTTLS, so enabling "check" together
# with ssl-hello-chk would mark the server DOWN; as written no check runs.
mode tcp
option ssl-hello-chk
server chat-host 130.185.121.80:5222
backend chat-auth-backend-s
# XMPP direct-TLS (5223) passthrough; ssl-hello-chk is inert without "check".
mode tcp
option ssl-hello-chk
server chat-host 130.185.121.80:5223
#backend chat-cert-backend
# mode http
# server chat-cert-server 130.185.121.80:8880
backend searx-backend-cert
# ACME challenge origin for searx.*; no health check.
mode http
server searx-host-cert 130.185.121.80:80
backend searx-backend
# Plain HTTP to searx on 8080; no forwardfor, so the origin sees the proxy IP.
mode http
server searx-host 130.185.121.80:8080
backend searx-backend-s
# TLS passthrough to searx on 8081, capped at 10 concurrent connections to the
# server (excess queues in HAProxy for up to timeout queue).
mode tcp
option ssl-hello-chk
server searx-host-s 130.185.121.80:8081 maxconn 10
backend cargo-backend-s
# TLS passthrough for cargo.* on 7777; ssl-hello-chk is inert without "check".
mode tcp
option ssl-hello-chk
server cargo-host-s 130.185.121.80:7777
backend editor-backend-s
# TLS passthrough for editor.* on 7080. The server is named "cargo-host-s"
# (copied from cargo-backend-s); the name only affects logs/stats, but renaming
# it to editor-host-s would make those less misleading.
mode tcp
option ssl-hello-chk
server cargo-host-s 192.99.102.52:7080
backend editorsave-backend-s
# TLS passthrough for editorsave.* on 9080; same copied server name as above.
mode tcp
option ssl-hello-chk
server cargo-host-s 192.99.102.52:9080