My HAProxy configuration

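global
    # Both facilities go to the local syslog socket; local1 only at notice and above.
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    # Runtime API. "level admin" permits state changes (disabling servers,
    # changing weights, ...), so the socket's file permissions (mode 660) are the
    # only access control — confirm which owner/group it is created with on this host.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # Drop privileges once the listening ports are bound.
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # NOTE(review): these defaults only take effect on "bind ... ssl crt ..." listeners.
    # No bind line in this config uses ssl (the :443 frontend is TCP/SNI passthrough),
    # so they are currently inert; harmless to keep for when TLS is terminated here.
    # (Indentation normalised to 4 spaces like the rest of the section.)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets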

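defaults
    log global
    # mode/httplog are inherited by every section below unless overridden;
    # the :443 frontend overrides them with "mode tcp" / "option tcplog".
    mode    http
    option  httplog
    option  dontlognull

    # Timeouts. All values now carry an explicit unit — a bare number means
    # milliseconds, which was easy to misread next to the suffixed values.
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    # Bound how long a client may take to send complete request headers;
    # this is the main guard against slow-header (slowloris-style) connections.
    timeout http-request 10s
    timeout http-keep-alive 2s
    timeout queue 5s
    timeout tunnel 2m
    timeout client-fin 1s
    timeout server-fin 1s

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http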

# Caching
cache hosting
    # NOTE(review): no "http-request cache-use hosting" / "http-response cache-store hosting"
    # rule appears anywhere in this config, so this cache is defined but never
    # populated or consulted.
    # NOTE(review): as far as I know HAProxy reserves total-max-size at startup
    # (4095 MB is the documented maximum); with two caches of this size that is
    # roughly 8 GB of RAM set aside — confirm the host has it.
    total-max-size 4095   # MB
    max-object-size 10000 # bytes
    max-age 3600            # seconds

cache general
    # Identical settings to "cache hosting" above.
    # NOTE(review): like "hosting", this cache is not referenced by any
    # cache-use / cache-store rule in this config, so it is currently unused
    # while (to my understanding) still reserving its total-max-size in RAM.
    total-max-size 4095   # MB
    max-object-size 10000 # bytes
    max-age 3600            # seconds

# HAProxy Stats
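listen  stats
    # Listens on every interface; the stats page and the Prometheus exporter
    # reveal backend names, server addresses and traffic details.
    bind *:1936
    log global

    maxconn 10

    # Require credentials from the "basic_auth_logins" userlist before serving
    # anything on this listener. This rule must come before the use-service
    # rule so that /metrics is protected as well as /stats; the Prometheus
    # scraper therefore needs basic-auth credentials configured (alternatively
    # replace this with a "src" ACL limited to the monitoring host).
    http-request auth realm HAProxy unless { http_auth(basic_auth_logins) }
    http-request use-service prometheus-exporter if { path /metrics }

    stats enable
    stats show-node
    # Do not advertise the exact HAProxy version on the stats page.
    stats hide-version
    stats uri  /stats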

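# Credentials used for HTTP basic auth on the stats/metrics listener.
# "password" takes a crypt(3) hash, so the secret is not stored in clear text
# in this file the way "insecure-password" would store it; generate the hash
# with e.g. `mkpasswd -m sha-512` and paste the full result. Hashed passwords
# are re-verified on every authenticated request, so a deliberately slow hash
# costs CPU per request — acceptable on this low-traffic listener.
userlist basic_auth_logins
    user <your_username_here> password <your_hashed_password_here>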

# Frontend HTTP
frontend http
    # Plain HTTP on :80 — nothing here terminates TLS or redirects to https, so
    # whatever is exchanged with Sentry/Grafana over this path (logins included)
    # crosses the network in clear text.
    bind :80
    mode http
    compression algo gzip

    # Host-based routing: exact, case-insensitive match on the Host header
    # (I believe a Host value carrying an explicit ":port" would not match).
    acl acl_sentry hdr(host) -i sentry.jooservices.com
    acl acl_grafana hdr(host) -i grafana.jooservices.com
    
    # No "option forwardfor" is set here or in defaults, so both backends see
    # HAProxy's own address as the client in their logs and audit trails.
    use_backend be_sentry if acl_sentry
    use_backend be_grafana if acl_grafana
    # With default_backend commented out, a request for any other Host gets a
    # 503 from HAProxy instead of being forwarded anywhere (fail-closed).
    #default_backend be_http

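backend be_sentry
    # Plain-HTTP hop to Sentry on the LAN (no "ssl" on the server line).
    mode http
    # Single server: the balancing algorithm has nothing to choose between yet.
    balance roundrobin
    # Server id renamed from "gitlab" to match what it actually fronts. The id
    # appears in logs, stats and runtime-API commands (be_sentry/<name>), so any
    # script that referenced the old name needs the same rename.
    server sentry 192.168.1.12:9000 check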

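backend be_grafana
    # Plain-HTTP hop to Grafana on the LAN (no "ssl" on the server line).
    mode http
    # Single server: the balancing algorithm has nothing to choose between yet.
    balance roundrobin
    # Server id renamed from "gitlab" to match what it actually fronts. The id
    # appears in logs, stats and runtime-API commands (be_grafana/<name>), so any
    # script that referenced the old name needs the same rename.
    server grafana 192.168.1.12:3000 check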


## Frontend SSL
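# TLS is NOT terminated here: the ClientHello is inspected for its SNI and the
# whole TCP stream is relayed to a backend that does its own TLS.
frontend ssl
    bind :443
    mode tcp
    option tcplog

    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Anything that has not presented a TLS ClientHello within the delay (plain
    # HTTP, scanners, garbage) is dropped here instead of being handed to the
    # default backend after the delay expires.
    tcp-request content reject

    # The routing below is keyed on the client-supplied SNI. That is a routing
    # hint, not access control: any client able to reach :443 can name any of
    # these hosts, so the admin interfaces exposed this way (the :10000 Webmin
    # backends in particular) rely entirely on their own authentication.

    ## 192.168.1.2
    use_backend be_ssl_cnmatrix if { req_ssl_sni -i cnmatrix.jooservices.com }

    ## 192.168.1.3
    # use_backend be_ssl_unifi if { req_ssl_sni -i unifi.jooservices.com }

    ## 192.168.1.8
    use_backend be_ssl_nas if { req_ssl_sni -i nas.jooservices.com }

    ## 192.168.1.10
    use_backend be_ssl_esxi if { req_ssl_sni -i esxi.jooservices.com }

    ## 192.168.1.24
    use_backend be_ssl_gitlab if { req_ssl_sni -i gitlab.jooservices.com }

    ## Virtualmin / Webmin
    use_backend be_ssl_hosting_virtualmin if { req_ssl_sni -i virtualmin.jooservices.com }
    use_backend be_ssl_gatekeeper_webmin if { req_ssl_sni -i gatekeeper.jooservices.com }
    use_backend be_ssl_smb_webmin if { req_ssl_sni -i smb.jooservices.com }

    ## Hosting
    ## 192.168.1.20
    use_backend be_ssl_hosting if { req_ssl_sni -i jooservices.com }
    # Suffix matches: "-m end baristaschool.vn" already covers ".baristaschool.vn"
    # (and any other name ending in those characters). Both hosting rules are
    # effectively redundant with default_backend below, which is the same backend.
    use_backend be_ssl_hosting if { req_ssl_sni -m end tpbeauty.art baristaschool.vn .baristaschool.vn phongcachxanh.vn }
    #use_backend be_ssl_develop if { req_ssl_sni -m end coffeeschool.vn .coffeeschool.vn }

    ## XCrawler
    ## 192.168.1.30
    # NOTE(review): the comment above says .30 but backend be_ssl_xcrawler points
    # at 192.168.1.13 — one of the two is stale.
    use_backend be_ssl_xcrawler if { req_ssl_sni -i xcrawler.net }
    use_backend be_ssl_xcrawler if { req_ssl_sni -m end .xcrawler.net }

    # Unmatched or absent SNI ends up on the hosting box.
    default_backend be_ssl_hosting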


### CnMatrix
backend be_ssl_cnmatrix
    # Pass-through target for SNI cnmatrix.jooservices.com; TLS ends on the
    # cnmatrix host itself, HAProxy only relays the encrypted stream.
    mode tcp
    server cnmatrix 192.168.1.2:443 check
    # Single server, so the balancing algorithm has nothing to choose between.
    balance roundrobin

### Unifi
#backend be_ssl_unifi
#        mode tcp
#        balance roundrobin
#        server gatekeeper 192.168.1.3:443 check

# BEGIN Monitor
# END Monitor

# NAS
backend be_ssl_nas
    # Pass-through target for SNI nas.jooservices.com; the encrypted stream is
    # relayed untouched to the NAS, which terminates TLS.
    mode tcp
    # Note the server id "smb" here names the NAS (192.168.1.8), not the
    # 192.168.1.14 host behind be_ssl_smb_webmin.
    server smb 192.168.1.8:443 check
    # Single server, so the balancing algorithm has nothing to choose between.
    balance roundrobin

### BEGIN ESXi
        #### Gatekeeper
        # NOTE(review): HAProxy ignores leading whitespace, so the indentation of
        # this and the following backends is purely visual — they are top-level
        # sections like every other backend in the file, not nested under ESXi.
        # Webmin-style admin UI (port 10000) reached via SNI gatekeeper.jooservices.com.
        # The SNI is chosen by the client, so any client that can reach :443 can
        # get here; the application's own login is the access control.
        backend be_ssl_gatekeeper_webmin
                mode tcp
                balance roundrobin
                server gatekeeper 192.168.1.9:10000 check

        #### ESXi
        # ESXi host UI, reached via SNI esxi.jooservices.com. Pass-through: TLS is
        # terminated by ESXi itself. Anyone able to reach :443 can name this SNI,
        # so the hypervisor's own authentication is what protects it.
        backend be_ssl_esxi
                mode tcp
                balance roundrobin
                server esxi 192.168.1.10:443 check

        #### BEGIN Hosting
        # Virtualmin admin UI (port 10000) on the hosting box, reached via SNI
        # virtualmin.jooservices.com. Same host as be_ssl_hosting, different port.
        # The SNI is client-chosen, so this admin UI is reachable by any client
        # that can reach :443; its own login is the access control.
        backend be_ssl_hosting_virtualmin
                mode tcp
                balance roundrobin
                server hosting 192.168.1.20:10000 check

        # Main hosting box (TLS terminated there). Besides the explicit SNI rules
        # in "frontend ssl", this is also that frontend's default_backend, so every
        # connection whose SNI matched nothing else — or carried no SNI — lands here.
        backend be_ssl_hosting
                mode tcp
                balance roundrobin
                server hosting 192.168.1.20:443 check

        #backend be_ssl_develop
        #        mode tcp
        #        balance roundrobin
        #        server develop 192.168.1.12:443 check

        # Webmin-style admin UI (port 10000) on 192.168.1.14, reached via SNI
        # smb.jooservices.com. Not the same host as be_ssl_nas (192.168.1.8)
        # despite the shared "smb" naming. Client-chosen SNI means any client that
        # can reach :443 can get here; the application's own login is the control.
        backend be_ssl_smb_webmin
                mode tcp
                balance roundrobin
                server smb 192.168.1.14:10000 check

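        # GitLab, reached via SNI gitlab.jooservices.com; TLS terminates on the
        # GitLab host (192.168.1.24), HAProxy only relays the stream.
        backend be_ssl_gitlab
                mode tcp
                balance roundrobin
                # Server id renamed from "hosting" to "gitlab": the id appears in
                # logs, stats and runtime-API commands (be_ssl_gitlab/<name>), and
                # the old name collided with the unrelated 192.168.1.20 hosting box.
                server gitlab 192.168.1.24:443 check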
          
# END Hosting


# BEGIN XCrawler
backend be_ssl_xcrawler
    # Pass-through target for xcrawler.net and *.xcrawler.net; TLS ends on the
    # xcrawler host. NOTE(review): the "frontend ssl" comment for this backend
    # says 192.168.1.30 while the server below is 192.168.1.13 — one is stale.
    mode tcp
    server xcrawler 192.168.1.13:443 check
    # Single server, so the balancing algorithm has nothing to choose between.
    balance roundrobin
# END XCrawler
