aboutsummaryrefslogtreecommitdiffstats
path: root/terminaldweller.com/haproxy/haproxy.cfg
blob: feee75cbe387c5471697c78ee88b28d3d746bf08 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
global
  maxconn 256
  log 127.0.0.1 local0
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  ssl-default-bind-options no-sslv3

defaults
  log global
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms
  mode tcp
  option tcplog
  option dontlognull
  retries 3
  timeout http-request 5000ms
  timeout http-keep-alive 2000ms
  timeout queue 5000ms
  timeout tunnel 60000ms
  timeout client-fin 1000ms
  timeout server-fin 1000ms

resolvers docker_resolver
  nameserver dns-0 127.0.0.11:53
  hold valid 10000ms
  resolve_retries 3
  timeout retry 1000ms
  timeout resolve 1000ms

#Frontends
frontend http
  bind *:80
  mode http
  #ACLs
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  acl blog-host hdr_sub(host) -i blog.terminaldweller.com
  acl mail-host hdr_sub(host) -i mail.terminaldweller.com
  acl api-host hdr_sub(host) -i api.terminaldweller.com
  acl jabber-host hdr_sub(host) -i jabber.terminaldweller.com
  acl searx-host hdr_sub(host) -i searx.terminaldweller.com
  acl editor-host hdr_sub(host) -i editor.terminaldweller.com
  acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
  acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
  acl discord-host hdr_sub(host) -i discord.terminaldweller.com
  acl rssgen-host hdr_sub(host) -i rssgen.terminaldweller.com
  acl git-host hdr_sub(host) -i git.terminaldweller.com
  acl cargo-host hdr_sub(host) -i cargo.terminaldweller.com
  acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
  acl main-host hdr_sub(host) -i terminaldweller.com
  acl doh2-host hdr_sub(shost) -i doh2.terminaldweller.com
  acl mila-api-acl url_beg /mila
  acl crypto-api-acl url_beg /crypto
  acl http ssl_fc,not

  #Redirects
  #this will prevent any letsencrypt cert challenges from working
  #http-request redirect scheme https if http
  http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http editorsave-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http api-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http devourer-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http git-host !letsencrypt-acl
  # http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http cargo-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http browsh-host !letsencrypt-acl
  #http-request redirect scheme https code 301 if http jabber-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
  http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl

  #Conditions
  use_backend blog-backend-cert if letsencrypt-acl blog-host
  use_backend blog-backend-cert if letsencrypt-acl editor-host
  use_backend blog-backend-cert if letsencrypt-acl editorsave-host
  use_backend cloud-one-cert if letsencrypt-acl devourer-host
  use_backend searx-backend-cert if letsencrypt-acl jabber-host
  use_backend api-crypto-backend-cert if letsencrypt-acl api-host
  use_backend api-mila-backend-cert if letsencrypt-acl api-host
  use_backend searx-backend-cert if letsencrypt-acl searx-host
  use_backend searx-backend-cert if letsencrypt-acl rssgen-host
  use_backend searx-backend-cert if letsencrypt-acl git-host
  use_backend searx-backend-cert if letsencrypt-acl cargo-host
  use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
  use_backend searx-backend-cert if letsencrypt-acl main-host
  use_backend doh2-backend-cert if letsencrypt-acl doh2-host
#  use_backend editor-backend-cert if letsencrypt-acl editor-host
  use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
  use_backend blog-backend if blog-host
  use_backend mail-backend if mail-host
  use_backend api-backend if api-host
  use_backend searx-backend if searx-host
  use_backend git-backend if git-host
  use_backend rssgen-backend if rssgen-host
  use_backend browsh-backend if browsh-host
  #use_backend chat-backend if chat-host
  default_backend blog-backend

frontend https
  bind *:443
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  #ACLs
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  acl blog-host-s req.ssl_sni -i blog.terminaldweller.com
  acl jericho-host-s req.ssl_sni -i jericho.terminaldweller.com
  acl api-host-s req.ssl_sni -i api.terminaldweller.com
  acl mila-api-host-s req.ssl_sni -i mila.terminaldweller.com
  acl searx-host-s req.ssl_sni -i searx.terminaldweller.com
  acl git-host-s req.ssl_sni -i git.terminaldweller.com
  acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
  acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
  acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
  acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
  acl rssgen-host-s req.ssl_sni -i rssgen.terminaldweller.com
  acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
  acl main-host-s req.ssl_sni -i terminaldweller.com
  acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
  #Conditions
  use_backend mail-backend-s if mail-host-s
  #use_backend chat-backend-s if chat-host-s
  use_backend jericho-backend-s if jericho-host-s
  use_backend blog-backend-s if blog-host-s
  #use_backend api-crypto-backend-s if api-host-s crypto-api-acl
  use_backend api-crypto-backend-s if api-host-s
  use_backend api-mila-backend-s if mila-api-host-s
  use_backend searx-backend-s if searx-host-s
  use_backend cargo-backend-s if cargo-host-s
  use_backend editor-backend-s if editor-host-s
  use_backend editorsave-backend-s if editorsave-host-s
  use_backend git-backend-s if git-host-s
  use_backend rssgen-backend-s if rssgen-host-s
  use_backend browsh-backend-s if browsh-host-s
  use_backend main-backend-s if main-host-s
  use_backend doh2-backend-s if doh2-host-s

#frontend jabber5222
#  bind *:5222
#  mode tcp
#  use_backend chat-backend-c2s
#frontend jabber5222
#  bind *:5222
#  timeout client 60s
#  mode tcp
#  tcp-request inspect-delay 5s
#  tcp-request content accept if { req.ssl_hello_type 1 }
#  tcp-request content reject
#  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
#  use_backend chat-backend-c2s if chat-host-s
frontend jabbber5222
  bind *:5222
  timeout client 60s
  mode tcp
  #tcp-request inspect-delay 5s
  #tcp-request content accept if { req.ssl_hello_type 1 }
  #tcp-request content reject
  acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-c2s if jabber-host
frontend jabber5223
  bind *:5223
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-auth-backend-s if jabber-host-s
frontend jabber5280
  bind *:5280
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-admin if jabber-host
frontend jabber5443
  bind *:5443
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl jabber-host-s req.ssl_sni -i jabber.terminaldweller.com
  use_backend jabber-backend-s if jabber-host-s

frontend mail-imap
  bind *:143
  mode http
  acl mail-host hdr_sub(host) -i mail.terminaldweller.com
  use_backend mail-backend-imap if mail-host
frontend mail-imaps
  bind *:993
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-imaps if mail-host-s
frontend mail-pop3
  bind *:110
  mode http
  acl mail-host hdr_sub(host) -i mail.terminalweller.com
  use_backend mail-backend-pop3 if mail-host
frontend mail-pop3s
  bind *:995
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-pop3s if mail-host-s
frontend mail-smtp
  bind *:25
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-smtp if mail-host
frontend mail-smtps
  bind *:465
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  use_backend mail-backend-smtps if mail-host-s
frontend mail-submission
  bind *:587
  timeout client 60s
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  tcp-request content reject
  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
  acl mail-host-ss req.ssl_sni -i terminaldweller.com
  use_backend mail-backend-submission if mail-host-s
  use_backend mail-backend-submission if mail-host-ss

#Backends
backend certbot-backend
  mode http
  server nginx nginx:80 resolvers docker_resolver check init-addr none

backend blog-backend
  mode http
  option forwardfor
  server blog-host 192.99.102.52:9001 check
backend blog-backend-cert
  mode http
  option forwardfor
  server blog-host 192.99.102.52:80
backend cloud-one-cert
  mode http
  option forwardfor
  server cloud-one-host 185.130.47.208:80
backend blog-backend-s
  mode tcp
  option tcp-check
  server blog-host 192.99.102.52:9000 check
backend jericho-backend-s
  mode tcp
  option tcp-check
  server blog-host 192.99.102.52:9000 check

backend mail-backend
  mode http
  option forwardfor
  server mail-host 185.126.202.69:80
backend mail-backend-s
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:443 check
backend mail-backend-imap
  mode http
  option forwardfor
  server mail-host 185.126.202.69:143 check
backend mail-backend-imaps
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:993 check
backend mail-backend-pop3
  mode http
  option forwardfor
  server mail-host 185.126.202.69:110 check
backend mail-backend-pop3s
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:995 check
backend mail-backend-smtp
  mode tcp
#option tcp-check
  server mail-host 185.126.202.69:25 check
backend mail-backend-smtps
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:465 check
backend mail-backend-submission
  mode tcp
  option tcp-check
  server mail-host 185.126.202.69:587

backend api-backend
  mode http
  option forwardfor
  server api-host 192.99.102.52:8008 check
backend api-crypto-backend-s
  mode tcp
  option tcp-check
  server api-host 192.99.102.52:8008
backend api-crypto-backend-cert
  mode http
  option forwardfor
  server api-host 192.99.102.52:80
backend api-mila-backend-s
  mode tcp
  option tcp-check
  server api-mila-host 185.130.47.208:9009
backend api-mila-backend-cert
  mode http
  option forwardfor
  server api-mila-host 185.130.47.208:80

backend jabber-backend-admin
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5280
backend jabber-backend-s
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5443
backend jabber-backend-c2s
  mode tcp
  server jabber-host 185.130.47.208:5222
backend jabber-auth-backend-s
  mode tcp
  option tcp-check
  server jabber-host 185.130.47.208:5223

backend searx-backend-cert
  mode http
  server searx-host-cert 185.130.47.208:80
backend searx-backend
  mode http
  server searx-host 185.130.47.208:8080
backend searx-backend-s
  #balance roundrobin
  mode tcp
  option tcp-check
  server searx-host-s 185.130.47.208:8081 maxconn 10
  #server searx-host-s 192.99.102.52:8081 maxconn 10

backend cargo-backend-s
  mode tcp
  option tcp-check
  server cargo-host-s 185.130.47.208:7777

backend editor-backend-s
  mode tcp
  option tcp-check
  server editor-host-s 192.99.102.52:7080

backend editorsave-backend-s
  mode tcp
  option tcp-check
  server editorsave-host-s 192.99.102.52:9080

backend rssgen-backend
  mode http
  server rssgen-host-s 185.130.47.208:3000
backend rssgen-backend-s
  mode tcp
  option tcp-check
  server rssgen-host-s 185.130.47.208:3000

backend git-backend
  mode http
  option forwardfor
  server git-host 185.130.47.208:8042
backend git-backend-s
  mode tcp
  option tcp-check
  server git-host-s 185.130.47.208:8043 check

backend browsh-backend
  mode http
  server browsh-host 185.130.45.46:4333
backend browsh-backend-s
  mode tcp
  option tcp-check
  server browsh-host-s 185.130.45.46:4333

backend vpn6-cert-backend
  mode http
  server vpn6-cert-host 185.130.45.46:80

backend main-backend-s
  mode tcp
  option tcp-check
  server main-host-s 185.130.47.208:7773

backend doh2-backend-cert
  mode http
  server doh2-backend-host 185.130.47.81:80
backend doh2-backend-s
  mode tcp
  option tcp-check
  server doh2-backend-s 185.130.47.81:443