The following is an example configuration file that terminates SSL/TLS securely (this can be verified with tools such as Qualys's SSL Server Tester):
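global
    daemon
    maxconn 4000
    # Runtime API socket: mode 600 restricts it to the owning user, and "level admin"
    # permits state changes (disable servers, etc.), so the socket path must stay protected
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m
    log 127.0.0.1 local2 notice
    user haproxy
    group haproxy
    # Disable SSLv3, TLS 1.0 and TLS 1.1, and stateless session resumption (TLS session tickets)
    # (the duplicate "daemon" line from the original was dropped; it had no effect)
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Explicitly define the ciphers available for use with the server (forward-secret AEAD suites first)
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # Ensure the DH key size is 2048 bits (the built-in default is weaker)
    tune.ssl.default-dh-param 2048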
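defaults
    log global
    mode http
    # Useful for long-lived sessions (e.g. mixed HTTP and WebSocket connections)
    timeout tunnel 1h
    # Maximum time to wait for a connection attempt to a backend server to succeed
    timeout connect 5000ms
    # Amount of time before the connection is dropped while waiting for a half-closed client connection to finish
    timeout client-fin 50000ms
    # Amount of time before the connection is dropped when waiting for client data
    timeout client 50000ms
    # Amount of time before the connection is dropped when waiting for the server to reply
    timeout server 50000ms
    # Maximum time a client has to send the complete request; bounds how long a slow client
    # can hold a connection open while sending headers
    timeout http-request 15s
    # Close the server-side connection when a request has completed, but keep the client connection open
    # (must be written as an "option"; a bare "http-server-close" is not a valid keyword)
    option http-server-close
    # Enable HTTP logging
    option httplog
    # Do not log null / empty requests
    option dontlognull
    # Insert the X-Forwarded-For header into the request to preserve the origin IP
    option forwardfor
    # Custom error pages (e.g. symlink the shipped set: ln -s /usr/share/haproxy/ /etc/haproxy/errors)
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http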
frontend https-in
    log global
    # Plain HTTP listener, kept only so clients can be bounced to HTTPS (see the redirect below)
    bind *:80
    # TLS listener; crt points at a PEM bundle (certificate chain plus key)
    bind *:443 ssl crt /etc/haproxy/ssl/bundle.crt
    # Send anything that did not arrive over TLS to the HTTPS scheme
    redirect scheme https if !{ ssl_fc }
    default_backend webserver_pool
    # Security headers added to responses proxied from the backend.
    # NOTE(review): HAProxy-generated redirect responses presumably do not pass through these
    # http-response rules - confirm on the deployed version
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
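backend webserver_pool
    mode http
    log global
    balance source
    # Sticky-session cookie. "httponly" keeps it away from client-side scripts and "secure"
    # keeps it off plain HTTP; both are safe here because TLS terminates in the frontend
    # and all HTTP is redirected to HTTPS
    cookie SERVERID insert indirect nocache httponly secure
    # Health check: perform a GET request against the status page
    option httpchk GET /WebApp/GetStatus.php
    # Check whether the response is 200 / OK
    http-check expect status 200
    # Server names (and their cookie values) must be unique within a backend; the original
    # listed "serverB" twice, so the third entry is renamed to serverC.
    # Backend traffic is plain HTTP on port 80 - TLS terminates at the frontend, so this
    # segment should be on a trusted network.
    server serverA 10.0.0.1:80 check cookie serverA inter 5000 downinter 500
    server serverB 10.0.1.1:80 check cookie serverB inter 5000 downinter 500
    server serverC 10.1.1.1:80 check cookie serverC inter 5000 downinter 500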