HAProxy/Frontend: Difference between revisions
| (16 intermediate revisions by the same user not shown) | |||
| Line 13: | Line 13: | ||
==HAProxy » Defaults== | ==HAProxy » Defaults== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cat <<'EXE'| sudo bash | |||
mkdir -p /etc/letsencrypt/live/ | |||
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt|tee /etc/letsencrypt/live/ffdhe2048.pem >/dev/null | |||
EXE | |||
cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null | cat <<'CFG'| sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null | ||
global | global | ||
| Line 31: | Line 36: | ||
crt-base /etc/ssl/private | crt-base /etc/ssl/private | ||
# see: https://ssl-config.mozilla.org/#server=haproxy& | # generated 2025-06-18, Mozilla Guideline v5.7, HAProxy 2.8.5, OpenSSL 3.0.13, intermediate config | ||
ssl-default-bind-ciphers | # see: https://ssl-config.mozilla.org/#server=haproxy&version=2.8.5&config=intermediate&openssl=3.0.13&guideline=5.7 | ||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 | ||
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets | ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets | |||
ssl-default-bind-curves X25519:prime256v1:secp384r1 | |||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 | |||
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | |||
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets | |||
# curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt|sudo tee /etc/letsencrypt/live/ffdhe2048.pem >/dev/null | |||
ssl-dh-param-file /etc/letsencrypt/live/ffdhe2048.pem | |||
CFG | CFG | ||
| Line 82: | Line 96: | ||
==HAProxy » Frontend » HTTPS== | ==HAProxy » Frontend » HTTPS== | ||
<syntaxhighlight lang="bash" highlight="3-4"> | |||
certbot certonly --standalone --non-interactive --http-01-port=19830 -d cid.chorke.org --email tool.tech@shahed.biz --agree-tos --dry-run | |||
certbot certonly --standalone --non-interactive --http-01-port=19830 -d cid.chorke.org --email tool.tech@shahed.biz --agree-tos | |||
(cd /etc/letsencrypt/live/cid.chorke.org/;ln -s privkey.pem fullchain.pem.key) | |||
certbot renew --http-01-port=19830 | |||
</syntaxhighlight> | |||
---- | |||
<syntaxhighlight lang="bash" highlight="3"> | |||
certbot certonly --standalone --non-interactive --http-01-port=19830 -d dev.chorke.org --dry-run | |||
certbot certonly --standalone --non-interactive --http-01-port=19830 -d dev.chorke.org | |||
(cd /etc/letsencrypt/live/dev.chorke.org/;ln -s privkey.pem fullchain.pem.key) | |||
</syntaxhighlight> | |||
---- | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null | cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null | ||
| Line 90: | Line 117: | ||
frontend fnt_shahed_biz_ssl | frontend fnt_shahed_biz_ssl | ||
bind *:443 ssl crt /etc/letsencrypt/live/ | bind *:443 ssl crt /etc/letsencrypt/live/cid.chorke.org/fullchain.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 | ||
bind *:443 ssl crt /etc/letsencrypt/live/dev.chorke.org/fullchain.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 | |||
mode http | mode http | ||
acl host-is-cid-shahed-biz hdr(host) -i cid.chorke.org | |||
acl host-is-cid-shahed-biz | acl host-is-dev-shahed-biz hdr(host) -i dev.chorke.org | ||
acl host-is-dev-shahed-biz | |||
acl path-is-artifactory path_beg /artifactory | acl path-is-artifactory path_beg /artifactory | ||
| Line 102: | Line 129: | ||
acl path-is-nexus path_beg /nexus | acl path-is-nexus path_beg /nexus | ||
http-request | http-request set-header X-Forwarded-For %[src] | ||
http-request set-header X-Forwarded-Proto https | |||
use_backend bck_shahed_biz_cid_artifactory if host-is-cid-shahed-biz path-is-artifactory | use_backend bck_shahed_biz_cid_artifactory if host-is-cid-shahed-biz path-is-artifactory | ||
use_backend bck_shahed_biz_cid_jenkins if host-is-cid-shahed-biz path-is-jenkins | use_backend bck_shahed_biz_cid_jenkins if host-is-cid-shahed-biz path-is-jenkins | ||
| Line 110: | Line 139: | ||
backend bck_shahed_biz_cid_artifactory | backend bck_shahed_biz_cid_artifactory | ||
server shahed_ah_artifactory 10.20.40.8:8084 | server shahed_ah_artifactory 10.20.40.8:8084 | ||
mode http | mode http | ||
backend bck_shahed_biz_cid_jenkins | backend bck_shahed_biz_cid_jenkins | ||
server shahed_ah_jenkins 10.20.40.8:8080 | server shahed_ah_jenkins 10.20.40.8:8080 | ||
mode http | mode http | ||
backend bck_shahed_biz_cid_gitlab | backend bck_shahed_biz_cid_gitlab | ||
server shahed_af_gitlab 10.20.40.6:80 | server shahed_af_gitlab 10.20.40.6:80 | ||
mode http | mode http | ||
backend bck_shahed_biz_cid_nexus | backend bck_shahed_biz_cid_nexus | ||
server shahed_ah_nexus 10.20.40.8:8081 | server shahed_ah_nexus 10.20.40.8:8081 | ||
mode http | mode http | ||
backend bck_shahed_biz_cid | backend bck_shahed_biz_cid | ||
server shahed_am_apache2 10.20.40.13:80 | server shahed_am_apache2 10.20.40.13:80 | ||
mode http | mode http | ||
CFG | CFG | ||
| Line 181: | Line 210: | ||
==HAProxy » Frontend » TCP » Mail== | ==HAProxy » Frontend » TCP » Mail== | ||
{|class='wikitable mw-collapsible' | |||
!scope='col' style='width:800px'| | |||
'''HAProxy » Frontend » TCP » Mail''' | |||
|- | |||
|valign='top'| | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null | cat <<'CFG'| sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null | ||
| Line 287: | Line 321: | ||
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/ | sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/ | ||
</syntaxhighlight> | </syntaxhighlight> | ||
|} | |||
==HAProxy » Frontend » Reconfigure== | ==HAProxy » Frontend » Reconfigure== | ||
| Line 317: | Line 352: | ||
| valign="top" | | | valign="top" | | ||
* [https://serversforhackers.com/c/letsencrypt-with-haproxy HAProxy » Frontend » <code>--http-01-port=19830</code>] | |||
* [https://www.linkedin.com/pulse/how-https-lets-encrypt-haproxy-jack-mtembete HAProxy » HTTPS with Let's Encrypt] | * [https://www.linkedin.com/pulse/how-https-lets-encrypt-haproxy-jack-mtembete HAProxy » HTTPS with Let's Encrypt] | ||
* [https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/ HAProxy » Configuration Basics] | * [https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/ HAProxy » Configuration Basics] | ||
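Review bot: The two `bind *:443 ssl crt …` lines in the HTTPS frontend hunk each carry a single certificate; if HAProxy opens them as two separate listening sockets on the same port, incoming connections are spread between them by the kernel and SNI can only pick among the certificates of the socket that happened to accept, so a client asking for dev.chorke.org may be served the cid.chorke.org certificate. Loading both on one bind avoids that: `bind *:443 ssl crt /etc/letsencrypt/live/cid.chorke.org/fullchain.pem crt /etc/letsencrypt/live/dev.chorke.org/fullchain.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3` (or a `crt-list`). Separately, the added `certbot renew --http-01-port=19830` has no `--deploy-hook`, so a renewed certificate stays unused until haproxy is reloaded by hand; `--deploy-hook 'systemctl reload haproxy'` on the `certonly` line is recorded in the renewal config for all future renewals. The frontend definition continues past this hunk into the following one.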
Latest revision as of 02:04, 20 June 2025
HAProxy » Reconfig
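# Install the HAProxy layout (proxy-default/, proxy-configs/, proxy-enabled/,
# proxy-scripts/) from the chorke installer and keep a copy of that installer
# as the `reconfig` helper used later on this page.
#
# The installer is fetched ONCE into a temp file, and that same file is both
# executed and installed, so what ran is exactly what lands on disk (the
# previous version fetched the URL twice, which could yield two different
# scripts). `curl -f` turns an HTTP error into a failure instead of feeding an
# error page to bash. This still executes remote code as root with no checksum
# or signature to pin it against: on a fresh host, drop the `bash "$tmp"` line
# and read "$tmp" first.
sudo bash <<'EXE'
set -euo pipefail
if ! command -v curl >/dev/null 2>&1; then
  printf 'curl \033[0;31mnot found! \033[0m:(\n' >&2
  exit 1
fi
export HAPROXY_ETC_BASE=/etc/haproxy
installer_url='https://cdn.chorke.org/exec/cli/bash/install/haproxy/1.0.0-ubuntu-24.04.sh.txt'
tmp="$(mktemp)"
trap 'rm -f -- "$tmp"' EXIT
curl -fsSL -o "$tmp" "$installer_url"
bash "$tmp"
# proxy-scripts/ is expected to have been created by the installer just run
install -m 0755 -- "$tmp" "${HAPROXY_ETC_BASE}/proxy-scripts/reconfig"
EXE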
HAProxy » Defaults
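# Fetch Mozilla's published RFC 7919 ffdhe2048 group for `ssl-dh-param-file`
# (a standardised, well-known group is what the Mozilla generator recommends
# over a locally generated one). The download is checked to actually be a
# DH PARAMETERS PEM before it is moved into place, so a CDN/error page can
# never end up where haproxy will try to parse it at startup.
sudo bash <<'EXE'
set -euo pipefail
dest=/etc/letsencrypt/live/ffdhe2048.pem
mkdir -p -- "$(dirname -- "$dest")"
tmp="$(mktemp)"
trap 'rm -f -- "$tmp"' EXIT
curl -fsSL -o "$tmp" https://ssl-config.mozilla.org/ffdhe2048.txt
grep -q -- '-----BEGIN DH PARAMETERS-----' "$tmp"
install -m 0644 -- "$tmp" "$dest"
EXE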
# HAProxy `global` section, written as a fragment under proxy-default/
# (presumably assembled into haproxy.cfg by the reconfig helper).
# `stats socket ... level admin` gives full runtime control to whoever can
# open the socket; mode 660 restricts that to the haproxy user and group.
sudo tee /etc/haproxy/proxy-default/global.cfg >/dev/null <<'CFG'
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
CFG
# TLS defaults, taken verbatim from the Mozilla SSL configuration generator
# (intermediate profile, see the URL inside). These are global-section
# keywords, so this fragment must end up in the same `global` section as
# global.cfg above. `no-tls-tickets` disables stateless session tickets
# (forward secrecy across restarts); `ssl-dh-param-file` points at the
# ffdhe2048 group installed earlier on this page.
sudo tee /etc/haproxy/proxy-default/default-ssl.cfg >/dev/null <<'CFG'
# default ssl material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# generated 2025-06-18, Mozilla Guideline v5.7, HAProxy 2.8.5, OpenSSL 3.0.13, intermediate config
# see: https://ssl-config.mozilla.org/#server=haproxy&version=2.8.5&config=intermediate&openssl=3.0.13&guideline=5.7
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
# curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt|sudo tee /etc/letsencrypt/live/ffdhe2048.pem >/dev/null
ssl-dh-param-file /etc/letsencrypt/live/ffdhe2048.pem
CFG
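# HTTP `defaults` section. Bare timeout values are milliseconds.
#
# `timeout client` only bounds inactivity; a client that trickles header bytes
# can hold a connection (and a slot) open indefinitely. `timeout http-request`
# bounds the total time allowed to receive a complete request header, which is
# the HAProxy-documented mitigation for slowloris-style exhaustion, so it is
# added here. 10s is generous for real clients; lower it if needed.
sudo tee /etc/haproxy/proxy-default/default-http.cfg >/dev/null <<'CFG'
defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 10s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
CFG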
HAProxy » Frontend » HTTP
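# Port-80 frontend: everything is 301-redirected to https except the ACME
# HTTP-01 path, which is handed to certbot's standalone responder on
# 127.0.0.1:19830 (only listening while certbot runs; any other time those
# requests get a 503). The redirect rule is evaluated before backend
# selection, so `default_backend` is only ever reached for ACME paths.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg >/dev/null <<'CFG'
# ##############################################################################
# http frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend fnt_shahed_biz
bind *:80
mode http
acl path-is-acme-challenge path_beg /.well-known/acme-challenge/
http-request redirect scheme https code 301 unless path-is-acme-challenge
use_backend bck_letsencrypt_org_acme_challenge if path-is-acme-challenge
default_backend bck_letsencrypt_org_acme_challenge
backend bck_letsencrypt_org_acme_challenge
server letsencrypt 127.0.0.1:19830
mode http
CFG
# enable it; the explicit link name plus -f makes re-running this page
# idempotent instead of failing with "File exists"
sudo ln -sf /etc/haproxy/proxy-configs/shahed.biz-http-all.cfg /etc/haproxy/proxy-enabled/shahed.biz-http-all.cfg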
HAProxy » Frontend » HTTPS
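# Issue certificates with certbot's standalone HTTP-01 responder on 19830;
# the port-80 frontend above forwards /.well-known/acme-challenge/ there, so
# haproxy keeps owning port 80. Run as root (certbot writes /etc/letsencrypt;
# haproxy reads the root-only private key before it drops privileges).
#
# --deploy-hook is saved into the renewal config, so every later
# `certbot renew` (including the packaged systemd timer) reloads haproxy.
# Without it a renewed certificate sits on disk while haproxy keeps serving
# the old one until it expires. Adjust the hook if haproxy is not managed by
# systemd on this host.
certbot certonly --standalone --non-interactive --http-01-port=19830 -d cid.chorke.org --email tool.tech@shahed.biz --agree-tos --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d cid.chorke.org --email tool.tech@shahed.biz --agree-tos --deploy-hook 'systemctl reload haproxy'
# haproxy looks for the private key as <crt>.key next to the certificate.
# A relative link stays valid across renewals (live/*.pem are themselves
# symlinks into archive/); `&&` stops ln from running in the wrong directory
# if the cd fails, and -f makes the step repeatable.
(cd /etc/letsencrypt/live/cid.chorke.org/ && ln -sf privkey.pem fullchain.pem.key)
certbot renew --http-01-port=19830
# second name; account e-mail/ToS are already registered, so no --email needed
certbot certonly --standalone --non-interactive --http-01-port=19830 -d dev.chorke.org --dry-run
certbot certonly --standalone --non-interactive --http-01-port=19830 -d dev.chorke.org --deploy-hook 'systemctl reload haproxy'
(cd /etc/letsencrypt/live/dev.chorke.org/ && ln -sf privkey.pem fullchain.pem.key)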
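# Port-443 frontend. Both certificates are loaded on ONE bind line (crt may be
# repeated) so SNI can choose between them for every connection. With two
# separate `bind *:443` lines carrying one certificate each, HAProxy may open
# two listening sockets on the same port; the kernel then spreads connections
# between them and a client asking for dev.chorke.org can be handed the
# cid.chorke.org certificate. The first crt is the default for clients that
# send no SNI (add `strict-sni` to refuse those instead).
#
# X-Forwarded-For is SET (not appended), so a client-supplied value is
# overwritten with the real source address before reaching the backends.
# Backends are plain HTTP on the internal network.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null <<'CFG'
# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
frontend fnt_shahed_biz_ssl
bind *:443 ssl crt /etc/letsencrypt/live/cid.chorke.org/fullchain.pem crt /etc/letsencrypt/live/dev.chorke.org/fullchain.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
mode http
acl host-is-cid-shahed-biz hdr(host) -i cid.chorke.org
acl host-is-dev-shahed-biz hdr(host) -i dev.chorke.org
acl path-is-artifactory path_beg /artifactory
acl path-is-jenkins path_beg /jenkins
acl path-is-gitlab path_beg /gitlab
acl path-is-nexus path_beg /nexus
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Proto https
use_backend bck_shahed_biz_cid_artifactory if host-is-cid-shahed-biz path-is-artifactory
use_backend bck_shahed_biz_cid_jenkins if host-is-cid-shahed-biz path-is-jenkins
use_backend bck_shahed_biz_cid_gitlab if host-is-cid-shahed-biz path-is-gitlab
use_backend bck_shahed_biz_cid_nexus if host-is-cid-shahed-biz path-is-nexus
default_backend bck_shahed_biz_cid
backend bck_shahed_biz_cid_artifactory
server shahed_ah_artifactory 10.20.40.8:8084
mode http
backend bck_shahed_biz_cid_jenkins
server shahed_ah_jenkins 10.20.40.8:8080
mode http
backend bck_shahed_biz_cid_gitlab
server shahed_af_gitlab 10.20.40.6:80
mode http
backend bck_shahed_biz_cid_nexus
server shahed_ah_nexus 10.20.40.8:8081
mode http
backend bck_shahed_biz_cid
server shahed_am_apache2 10.20.40.13:80
mode http
CFG
# explicit link name plus -f: re-running this page no longer fails with "File exists"
sudo ln -sf /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg /etc/haproxy/proxy-enabled/shahed.biz-https-all.cfg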
HAProxy » Frontend » TCP » VPN
# Placeholder for the VPN entry. HAProxy cannot proxy UDP, so the fragment is
# comments only and documents the iptables DNAT used instead; the rules below
# are NOT applied by this page (they are inside the written file, commented
# out). Whether return traffic from 10.20.40.9 is routed back through this
# host, and whether ip_forward is enabled, is not covered here — check both.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg >/dev/null <<'CFG'
# ##############################################################################
# tcp frontend config for vpn.shahed.biz:1194
# this config added by chorke academia, inc
# udp mode not supported, please go with iptables forward
# cat <<'EXE'| sudo bash
# echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
# echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
# apt-get -y install iptables-persistent && apt-get clean cache
# EXE
# cat <<'EXE'| sudo bash
# iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 10.20.40.9:1194
# iptables -A FORWARD -p udp -d 10.20.40.9 --dport 1194 -j ACCEPT
# EXE
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-vpn.cfg /etc/haproxy/proxy-enabled/
HAProxy » Frontend » TCP » Git
# GitLab SSH passthrough on 4321, plain TCP mode (SSH is end-to-end encrypted,
# haproxy only forwards bytes). This is the one backend on the page with a
# `check`, so haproxy will stop sending to it when the port is down.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg >/dev/null <<'CFG'
# ##############################################################################
# tcp frontend config for git.shahed.biz:4321
# this config added by chorke academia, inc
frontend fnt_shahed_biz_git_gitlab_ssh
bind *:4321
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_git_gitlab_ssh
backend bck_shahed_biz_git_gitlab_ssh
server shahed_af_gitlab 10.20.40.6:4321 check
mode tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-git.cfg /etc/haproxy/proxy-enabled/
HAProxy » Frontend » TCP » Mail
# Mail ports forwarded to 10.20.40.200 in plain TCP mode (one frontend/backend
# pair per port; TLS is terminated by the mail server, not here).
#
# Caveat: in tcp mode the mail server sees every connection arriving from this
# proxy's own address, so its rate limits, greylisting, blocklists and logs
# lose the client's real source IP. If the backend supports the PROXY protocol
# (Postfix postscreen_upstream_proxy_protocol, Dovecot haproxy_trusted_networks)
# `send-proxy` on the server lines restores it; that is not enabled here and
# must be switched on at both ends together or the backend rejects the stream.
sudo tee /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg >/dev/null <<'CFG'
# ##############################################################################
# tcp frontend config for mail.shahed.biz:25,587,110,995,143,993,465,4190
# this config added by chorke academia, inc
# haproxy: mail.shahed.biz:25
frontend fnt_shahed_biz_mail_smtp_25
bind *:25
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_smtp_25
backend bck_shahed_biz_mail_smtp_25
server shahed_va 10.20.40.200:25
mode tcp
# haproxy: mail.shahed.biz:587
frontend fnt_shahed_biz_mail_smtp_587
bind *:587
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_smtp_587
backend bck_shahed_biz_mail_smtp_587
server shahed_va 10.20.40.200:587
mode tcp
# haproxy: mail.shahed.biz:110
frontend fnt_shahed_biz_mail_pop3_110
bind *:110
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_pop3_110
backend bck_shahed_biz_mail_pop3_110
server shahed_va 10.20.40.200:110
mode tcp
# haproxy: mail.shahed.biz:995
frontend fnt_shahed_biz_mail_pop3_995
bind *:995
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_pop3_995
backend bck_shahed_biz_mail_pop3_995
server shahed_va 10.20.40.200:995
mode tcp
# haproxy: mail.shahed.biz:143
frontend fnt_shahed_biz_mail_imap_143
bind *:143
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_imap_143
backend bck_shahed_biz_mail_imap_143
server shahed_va 10.20.40.200:143
mode tcp
# haproxy: mail.shahed.biz:993
frontend fnt_shahed_biz_mail_imap_993
bind *:993
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_imap_993
backend bck_shahed_biz_mail_imap_993
server shahed_va 10.20.40.200:993
mode tcp
# haproxy: mail.shahed.biz:465
frontend fnt_shahed_biz_mail_smtps_465
bind *:465
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_smtps_465
backend bck_shahed_biz_mail_smtps_465
server shahed_va 10.20.40.200:465
mode tcp
# haproxy: mail.shahed.biz:4190
frontend fnt_shahed_biz_mail_sieve_4190
bind *:4190
mode tcp
option tcplog
option dontlognull
default_backend bck_shahed_biz_mail_sieve_4190
backend bck_shahed_biz_mail_sieve_4190
server shahed_va 10.20.40.200:4190
mode tcp
CFG
sudo ln -s /etc/haproxy/proxy-configs/shahed.biz-tcp-mail.cfg /etc/haproxy/proxy-enabled/
HAProxy » Frontend » Reconfigure
# Assemble and apply the configuration with the reconfig helper installed at
# the top of this page (its exact behaviour — validate, backup, reload — is
# defined by that script, not here), then show the resulting layout.
sudo bash <<'EXE'
/etc/haproxy/proxy-scripts/reconfig
ls -alh /etc/haproxy/{haproxy.cfg,proxy-{backups,configs,default,enabled,scripts}}
EXE
# External checks: confirm only the intended ports answer on each name.
# -sT full TCP connect (no raw sockets), -Pn skip host discovery,
# --reason show why each port is reported open/closed/filtered.
nmap -sT -Pn --reason -p 25,587,110,995,143,993,465,4190 mail.shahed.biz
nmap -sT -Pn --reason --top-ports 20 mail.shahed.biz
nmap -sT -Pn --reason -p 4321 git.shahed.biz
nmap -sT -Pn --reason -p 1194 vpn.shahed.biz
# UDP scanning needs raw sockets, hence sudo
sudo nmap -sU -Pn --reason -p 1194 vpn.shahed.biz