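# Process-wide settings.
global
# Hard cap on concurrent connections for the whole process. Every listener
# below shares this budget, so 256 is small for a box fronting this many
# services; raise it if sessions start queueing.
maxconn 256
# Syslog to the local host on facility local0 (the "log global" in defaults
# makes every proxy inherit this).
log 127.0.0.1 local0
# TLS defaults for any "bind ... ssl" line. No bind in this file terminates
# TLS (everything is passed through by SNI), so these are inert today; RC4
# is removed anyway so the list is safe if a terminating bind is ever added.
# kRSA+AES (no forward secrecy) is kept for compatibility with old clients.
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3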
# Settings inherited by every frontend and backend below unless overridden.
defaults
log global
# Backend connect attempts get 5s; idle client and server sides 50s
# (most TLS frontends below override the client side to 60s).
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
# Layer-4 passthrough is the default; sections that need HTTP routing
# switch to "mode http" explicitly.
mode tcp
option tcplog
# Do not log connections that close without exchanging data (health probes).
option dontlognull
retries 3
# The http-* timeouts only take effect in sections that use "mode http".
timeout http-request 5000ms
timeout http-keep-alive 2000ms
timeout queue 5000ms
timeout tunnel 60000ms
timeout client-fin 1000ms
timeout server-fin 1000ms
# Runtime DNS for servers referenced by name (only certbot-backend uses it).
# 127.0.0.11 is the address Docker's embedded DNS serves on inside a
# container network, so this only resolves when HAProxy runs in such a
# container.
resolvers docker_resolver
nameserver dns-0 127.0.0.11:53
# Keep a valid answer for 10s, retry up to 3 times, 1s per attempt.
hold valid 10000ms
resolve_retries 3
timeout retry 1000ms
timeout resolve 1000ms
#Frontends
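# Plain-HTTP entry point. ACME challenges are routed by Host to the origin
# that runs the ACME client for that name; everything else is redirected
# to HTTPS.
frontend http
bind *:80
mode http
#ACLs
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# NOTE(review): hdr_sub is a substring match. "main-host" is therefore true
# for every *.terminaldweller.com Host, and each name also matches Hosts
# that merely contain it. Rule order below keeps this working, but
# hdr_dom(host) or "hdr(host) -i" would be a tighter check if the order is
# ever changed.
acl blog-host hdr_sub(host) -i blog.terminaldweller.com
acl mail-host hdr_sub(host) -i mail.terminaldweller.com
acl api-host hdr_sub(host) -i api.terminaldweller.com
acl jabber-host hdr_sub(host) -i jabber.terminaldweller.com
acl searx-host hdr_sub(host) -i searx.terminaldweller.com
acl editor-host hdr_sub(host) -i editor.terminaldweller.com
acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
acl discord-host hdr_sub(host) -i discord.terminaldweller.com
acl rssgen-host hdr_sub(host) -i rssgen.terminaldweller.com
acl git-host hdr_sub(host) -i git.terminaldweller.com
acl cargo-host hdr_sub(host) -i cargo.terminaldweller.com
acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
acl main-host hdr_sub(host) -i terminaldweller.com
# Fixed: previously hdr_sub(shost), a header no client sends, so doh2
# requests were never redirected nor routed to their ACME backend.
acl doh2-host hdr_sub(host) -i doh2.terminaldweller.com
# Defined but not referenced by any rule in this frontend.
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
# True when the request did not arrive over TLS. The bind has no "ssl", so
# this is always true here and every non-challenge request is redirected.
acl http ssl_fc,not
#Redirects
#this will prevent any letsencrypt cert challenges from working
#http-request redirect scheme https if http
http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl
http-request redirect scheme https code 301 if http editorsave-host !letsencrypt-acl
http-request redirect scheme https code 301 if http api-host !letsencrypt-acl
http-request redirect scheme https code 301 if http devourer-host !letsencrypt-acl
http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
http-request redirect scheme https code 301 if http git-host !letsencrypt-acl
# http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
http-request redirect scheme https code 301 if http cargo-host !letsencrypt-acl
http-request redirect scheme https code 301 if http browsh-host !letsencrypt-acl
#http-request redirect scheme https code 301 if http jabber-host !letsencrypt-acl
http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl
#Conditions
# First matching use_backend wins, so the specific names must precede the
# catch-all main-host rule.
use_backend blog-backend-cert if letsencrypt-acl blog-host
use_backend blog-backend-cert if letsencrypt-acl editor-host
use_backend blog-backend-cert if letsencrypt-acl editorsave-host
use_backend cloud-one-cert if letsencrypt-acl devourer-host
use_backend searx-backend-cert if letsencrypt-acl jabber-host
use_backend api-crypto-backend-cert if letsencrypt-acl api-host
# Unreachable: the api-host rule above already takes these requests.
# Kept as-is because the intended target is not clear from this file.
use_backend api-mila-backend-cert if letsencrypt-acl api-host
use_backend searx-backend-cert if letsencrypt-acl searx-host
use_backend searx-backend-cert if letsencrypt-acl rssgen-host
use_backend searx-backend-cert if letsencrypt-acl git-host
use_backend searx-backend-cert if letsencrypt-acl cargo-host
use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
# Moved above main-host: main-host is a substring match and also matches
# doh2.terminaldweller.com, so this rule was unreachable and doh2 challenges
# went to searx-backend-cert (a different origin) instead.
use_backend doh2-backend-cert if letsencrypt-acl doh2-host
# Catch-all for remaining *.terminaldweller.com challenges (mail, discord,
# ...). NOTE(review): mail's origin is a different host than
# searx-backend-cert; confirm that is where its ACME client runs.
use_backend searx-backend-cert if letsencrypt-acl main-host
# use_backend editor-backend-cert if letsencrypt-acl editor-host
# Only reached for Hosts that do not contain terminaldweller.com at all.
use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
use_backend blog-backend if blog-host
use_backend mail-backend if mail-host
use_backend api-backend if api-host
use_backend searx-backend if searx-host
use_backend git-backend if git-host
use_backend rssgen-backend if rssgen-host
use_backend browsh-backend if browsh-host
#use_backend chat-backend if chat-host
# Any Host not listed above (including raw-IP requests) lands on the blog.
default_backend blog-backend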
# TLS entry point. TLS is not terminated here: HAProxy reads the SNI from
# the ClientHello and passes the raw TCP stream to the matching origin.
frontend https
bind *:443
timeout client 60s
mode tcp
# Wait up to 5s for the first bytes, admit only a TLS ClientHello
# (ssl_hello_type 1) and drop anything else (plain HTTP, scanners).
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
#ACLs
# req.ssl_sni with -i is a whole-string, case-insensitive match, unlike the
# substring Host matching used in the plain-HTTP frontend.
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
acl blog-host-s req.ssl_sni -i blog.terminaldweller.com
acl jericho-host-s req.ssl_sni -i jericho.terminaldweller.com
acl api-host-s req.ssl_sni -i api.terminaldweller.com
acl mila-api-host-s req.ssl_sni -i mila.terminaldweller.com
acl searx-host-s req.ssl_sni -i searx.terminaldweller.com
acl git-host-s req.ssl_sni -i git.terminaldweller.com
acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
# Defined but unused; jabber-host-s likewise has no rule in this frontend
# (jabber traffic arrives on its own ports below).
acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
acl rssgen-host-s req.ssl_sni -i rssgen.terminaldweller.com
acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
acl main-host-s req.ssl_sni -i terminaldweller.com
acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
#Conditions
# No default_backend: an SNI that matches none of these rules gets no
# backend and the connection is closed, so unknown names fail closed.
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
use_backend jericho-backend-s if jericho-host-s
use_backend blog-backend-s if blog-host-s
#use_backend api-crypto-backend-s if api-host-s crypto-api-acl
use_backend api-crypto-backend-s if api-host-s
use_backend api-mila-backend-s if mila-api-host-s
use_backend searx-backend-s if searx-host-s
use_backend cargo-backend-s if cargo-host-s
use_backend editor-backend-s if editor-host-s
use_backend editorsave-backend-s if editorsave-host-s
use_backend git-backend-s if git-host-s
use_backend rssgen-backend-s if rssgen-host-s
use_backend browsh-backend-s if browsh-host-s
use_backend main-backend-s if main-host-s
use_backend doh2-backend-s if doh2-host-s
#frontend jabber5222
# bind *:5222
# mode tcp
# use_backend chat-backend-c2s
#frontend jabber5222
# bind *:5222
# timeout client 60s
# mode tcp
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
# tcp-request content reject
# acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
# use_backend chat-backend-c2s if chat-host-s
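# XMPP client port (STARTTLS). There is no inspect-delay here, and a
# STARTTLS stream opens with a plaintext XML stream header rather than a
# TLS ClientHello, so an SNI-based ACL cannot match on this port and the
# old use_backend rule never selected a backend. The stream is now handed
# to the c2s backend directly. If the server ever offers direct TLS on
# 5222 (XEP-0368), SNI routing can be restored together with an
# inspect-delay as on port 5223. The misspelled frontend name is kept so
# that log lines and stats do not change.
frontend jabbber5222
bind *:5222
timeout client 60s
mode tcp
default_backend jabber-backend-c2s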
# XMPP client port with direct TLS; SNI-routed like the https frontend.
frontend jabber5223
bind *:5223
timeout client 60s
mode tcp
# Admit only TLS ClientHellos; everything else is rejected after 5s.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
# No default_backend: any other SNI is dropped.
use_backend jabber-auth-backend-s if jabber-host-s
# XMPP admin/HTTP port, SNI-routed to jabber-backend-admin.
# NOTE(review): only TLS ClientHellos are admitted, so this assumes the
# upstream serves TLS on 5280 -- confirm, since that port is often plain
# HTTP. The admin interface is reachable from any source address; if it is
# only needed from known networks, a source allow-list such as
# "tcp-request connection reject if !{ src <TRUSTED-RANGE> }" would narrow
# the exposure (<TRUSTED-RANGE> is a placeholder).
frontend jabber5280
bind *:5280
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
# ACL names are per-frontend, so reusing "jabber-host" here is fine.
acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-backend-admin if jabber-host
# XMPP HTTPS port (BOSH/websocket/upload), SNI-routed to jabber-backend-s.
frontend jabber5443
bind *:5443
timeout client 60s
mode tcp
# Admit only TLS ClientHellos; everything else is rejected after 5s.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
use_backend jabber-backend-s if jabber-host-s
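# IMAP (plaintext/STARTTLS on 143). IMAP is not HTTP: the server speaks
# first and there is no Host header, so in "mode http" HAProxy waited for
# an HTTP request that never came and timed every session out. Routed at
# layer 4 instead. mail-backend-imap must be switched to tcp mode as well
# (a tcp frontend may use an http backend, but that backend would then
# re-enter HTTP processing and fail the same way).
frontend mail-imap
bind *:143
timeout client 60s
mode tcp
default_backend mail-backend-imap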
# IMAP over implicit TLS (993); the ClientHello arrives first, so SNI
# routing works here.
frontend mail-imaps
bind *:993
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# Clients that send no SNI, or another name, get no backend and are dropped.
use_backend mail-backend-imaps if mail-host-s
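# POP3 (plaintext/STARTTLS on 110). Same problem as IMAP on 143: POP3 is
# server-speaks-first and has no Host header, so "mode http" could never
# route it (and the old Host ACL also misspelled the domain). Routed at
# layer 4 instead; mail-backend-pop3 must be switched to tcp mode as well.
frontend mail-pop3
bind *:110
timeout client 60s
mode tcp
default_backend mail-backend-pop3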
# POP3 over implicit TLS (995); SNI-routed.
frontend mail-pop3s
bind *:995
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# Clients that send no SNI, or another name, get no backend and are dropped.
use_backend mail-backend-pop3s if mail-host-s
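# Inbound SMTP (25). SMTP is server-speaks-first (the 220 greeting) and
# upgrades with STARTTLS, so no TLS ClientHello -- and hence no SNI -- ever
# arrives on this port from a standards-following MTA. The previous
# inspect-delay/ssl_hello_type gate therefore waited 5s for client data and
# then rejected every legitimate sender. The stream is now passed through
# directly; the mail server does its own TLS.
frontend mail-smtp
bind *:25
timeout client 60s
mode tcp
default_backend mail-backend-smtp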
# SMTP over implicit TLS (465); the ClientHello arrives first, so SNI
# routing works here.
frontend mail-smtps
bind *:465
timeout client 60s
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
tcp-request content reject
acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
# Clients that send no SNI, or another name, get no backend and are dropped.
use_backend mail-backend-smtps if mail-host-s
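# Mail submission (587). Like port 25 this is server-speaks-first and
# STARTTLS, so the ClientHello/SNI gate that was here could never admit a
# normal mail client: it waited 5s for data and then rejected the
# connection. Passed through directly; the two SNI ACLs (mail. and the
# bare domain) are dropped because no SNI is available on this port.
frontend mail-submission
bind *:587
timeout client 60s
mode tcp
default_backend mail-backend-submission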
#Backends
# ACME challenge responder for names without a dedicated -cert backend.
# The server is a Docker service name resolved at runtime; "init-addr none"
# lets HAProxy start even when the name does not resolve yet.
backend certbot-backend
mode http
server nginx nginx:80 resolvers docker_resolver check init-addr none
# Plain-HTTP blog origin; also the default_backend of the http frontend.
backend blog-backend
mode http
# Adds X-Forwarded-For so the origin sees the real client address.
option forwardfor
server blog-host 192.99.102.52:9001 check
# ACME challenge target for blog/editor/editorsave (port 80 on the same
# host as blog-backend). No "check", so a dead origin is not detected.
backend blog-backend-cert
mode http
option forwardfor
server blog-host 192.99.102.52:80
# ACME challenge target for mila.terminaldweller.com (devourer-host).
backend cloud-one-cert
mode http
option forwardfor
server cloud-one-host 185.130.47.208:80
# TLS passthrough for blog.terminaldweller.com; the origin terminates TLS.
backend blog-backend-s
mode tcp
# "check" on the server line enables the TCP health check defined here.
option tcp-check
server blog-host 192.99.102.52:9000 check
# TLS passthrough for jericho.terminaldweller.com. Same socket as
# blog-backend-s; the origin must pick the site by SNI itself.
backend jericho-backend-s
mode tcp
option tcp-check
server blog-host 192.99.102.52:9000 check
# Plain-HTTP webmail origin (the http frontend does not redirect mail-host
# to HTTPS, so this is reached for ordinary requests too). No "check".
backend mail-backend
mode http
option forwardfor
server mail-host 185.126.202.69:80
# TLS passthrough for mail.terminaldweller.com on 443.
backend mail-backend-s
mode tcp
option tcp-check
server mail-host 185.126.202.69:443 check
# IMAP origin on 143.
# NOTE(review): this backend is in http mode with forwardfor, but IMAP is
# not HTTP; it should become "mode tcp" without "option forwardfor". That
# change must be made together with frontend mail-imap switching to tcp
# mode, because an http-mode frontend is not allowed to use a tcp-mode
# backend and the config would fail to load if only this side changed.
backend mail-backend-imap
mode http
option forwardfor
server mail-host 185.126.202.69:143 check
# IMAPS origin on 993; health check is the default connect-only check.
backend mail-backend-imaps
mode tcp
#option tcp-check
server mail-host 185.126.202.69:993 check
# POP3 origin on 110.
# NOTE(review): same issue as mail-backend-imap -- POP3 is not HTTP, so
# this should become "mode tcp" without "option forwardfor", changed
# together with frontend mail-pop3 (an http frontend cannot use a tcp
# backend, so changing only this backend would break config load).
backend mail-backend-pop3
mode http
option forwardfor
server mail-host 185.126.202.69:110 check
# POP3S origin on 995; health check is the default connect-only check.
backend mail-backend-pop3s
mode tcp
#option tcp-check
server mail-host 185.126.202.69:995 check
# Inbound SMTP origin on 25; connect-only health check.
backend mail-backend-smtp
mode tcp
#option tcp-check
server mail-host 185.126.202.69:25 check
# SMTPS origin on 465.
backend mail-backend-smtps
mode tcp
option tcp-check
server mail-host 185.126.202.69:465 check
# Submission origin on 587. "option tcp-check" has no effect until "check"
# is added to the server line, so this server is never health-checked.
backend mail-backend-submission
mode tcp
option tcp-check
server mail-host 185.126.202.69:587
# Plain-HTTP API origin. NOTE(review): api-crypto-backend-s sends TLS
# passthrough to this same socket (8008); only one of the two protocols
# can be what the origin actually speaks there -- confirm.
backend api-backend
mode http
option forwardfor
server api-host 192.99.102.52:8008 check
# TLS passthrough for api.terminaldweller.com. "option tcp-check" is inert
# without "check" on the server line.
backend api-crypto-backend-s
mode tcp
option tcp-check
server api-host 192.99.102.52:8008
# ACME challenge target for api.terminaldweller.com.
backend api-crypto-backend-cert
mode http
option forwardfor
server api-host 192.99.102.52:80
# TLS passthrough for mila.terminaldweller.com. No "check" on the server
# line, so the tcp-check option never runs.
backend api-mila-backend-s
mode tcp
option tcp-check
server api-mila-host 185.130.47.208:9009
# ACME challenge target for the mila API. Not currently reachable: the
# only use_backend rule pointing here sits behind an identical api-host
# rule in the http frontend.
backend api-mila-backend-cert
mode http
option forwardfor
server api-mila-host 185.130.47.208:80
# XMPP admin/HTTP port passthrough. Not health-checked (no "check").
backend jabber-backend-admin
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5280
# XMPP HTTPS (5443) passthrough. Not health-checked (no "check").
backend jabber-backend-s
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5443
# XMPP client-to-server (STARTTLS) passthrough on 5222. Not health-checked.
backend jabber-backend-c2s
mode tcp
server jabber-host 185.130.47.208:5222
# XMPP direct-TLS client port (5223) passthrough. Not health-checked.
backend jabber-auth-backend-s
mode tcp
option tcp-check
server jabber-host 185.130.47.208:5223
# ACME challenge target shared by searx, rssgen, git, cargo, jabber and the
# main-host catch-all. No forwardfor here, unlike the other -cert backends.
backend searx-backend-cert
mode http
server searx-host-cert 185.130.47.208:80
# Plain-HTTP searx origin (reached only for ACME-path requests, since the
# http frontend redirects searx-host to HTTPS otherwise).
backend searx-backend
mode http
server searx-host 185.130.47.208:8080
# TLS passthrough for searx. "maxconn 10" queues further connections to
# this server ("timeout queue" in defaults bounds the wait). No "check".
backend searx-backend-s
#balance roundrobin
mode tcp
option tcp-check
server searx-host-s 185.130.47.208:8081 maxconn 10
#server searx-host-s 192.99.102.52:8081 maxconn 10
# TLS passthrough for cargo.terminaldweller.com. Not health-checked.
backend cargo-backend-s
mode tcp
option tcp-check
server cargo-host-s 185.130.47.208:7777
# TLS passthrough for editor.terminaldweller.com. Not health-checked.
backend editor-backend-s
mode tcp
option tcp-check
server editor-host-s 192.99.102.52:7080
# TLS passthrough for editorsave.terminaldweller.com. Not health-checked.
backend editorsave-backend-s
mode tcp
option tcp-check
server editorsave-host-s 192.99.102.52:9080
# Plain-HTTP rssgen origin. NOTE(review): rssgen-backend-s passes TLS to
# this same socket (3000); confirm which protocol the origin speaks there.
backend rssgen-backend
mode http
server rssgen-host-s 185.130.47.208:3000
# TLS passthrough for rssgen.terminaldweller.com. Not health-checked.
backend rssgen-backend-s
mode tcp
option tcp-check
server rssgen-host-s 185.130.47.208:3000
# Plain-HTTP git origin (ACME-path requests only; git-host is otherwise
# redirected to HTTPS).
backend git-backend
mode http
option forwardfor
server git-host 185.130.47.208:8042
# TLS passthrough for git.terminaldweller.com, health-checked.
backend git-backend-s
mode tcp
option tcp-check
server git-host-s 185.130.47.208:8043 check
# Plain-HTTP browsh origin. NOTE(review): browsh-backend-s passes TLS to
# this same socket (4333); confirm which protocol the origin speaks there.
backend browsh-backend
mode http
server browsh-host 185.130.45.46:4333
# TLS passthrough for browsh.terminaldweller.com. Not health-checked.
backend browsh-backend-s
mode tcp
option tcp-check
server browsh-host-s 185.130.45.46:4333
# ACME challenge target for browsh.terminaldweller.com.
backend vpn6-cert-backend
mode http
server vpn6-cert-host 185.130.45.46:80
# TLS passthrough for the bare domain terminaldweller.com. Not health-checked.
backend main-backend-s
mode tcp
option tcp-check
server main-host-s 185.130.47.208:7773
# ACME challenge target for doh2.terminaldweller.com. Only reachable once
# the http frontend's doh2 rule is evaluated before its main-host catch-all
# (and its ACL reads the real Host header).
backend doh2-backend-cert
mode http
server doh2-backend-host 185.130.47.81:80
# TLS passthrough for doh2.terminaldweller.com (DNS-over-HTTPS). Not
# health-checked.
backend doh2-backend-s
mode tcp
option tcp-check
server doh2-backend-s 185.130.47.81:443