mirror of
https://codeberg.org/Codeberg/pages-server.git
synced 2025-04-25 06:16:58 +00:00
Add proof of concept for SNI-based routing through HAProxy
This commit is contained in:
Moritz Marquardt
parent
2e0608c270
commit
b54f9df4c5
12 changed files with 234 additions and 0 deletions
98
haproxy-sni/haproxy.cfg
Normal file
98
haproxy-sni/haproxy.cfg
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
#####################################
|
||||
## Global Configuration & Defaults ##
|
||||
#####################################
|
||||
|
||||
global
|
||||
log stderr format iso local7
|
||||
|
||||
# generated 2021-06-05, Mozilla Guideline v5.6, HAProxy 2.1, OpenSSL 1.1.1d, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1d&guideline=5.6
|
||||
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
|
||||
ssl-dh-param-file /etc/ssl/dhparam.pem
|
||||
|
||||
defaults
|
||||
log global
|
||||
timeout connect 30000
|
||||
timeout check 300000
|
||||
timeout client 300000
|
||||
timeout server 300000
|
||||
|
||||
############################################################################
|
||||
## Frontends: HTTP; HTTPS → HTTPS SNI-based; HTTPS → HTTP(S) header-based ##
|
||||
############################################################################
|
||||
|
||||
frontend http_redirect_frontend
|
||||
# HTTP backend to redirect everything to HTTPS
|
||||
bind :::80 v4v6
|
||||
mode http
|
||||
http-request redirect scheme https
|
||||
|
||||
frontend https_sni_frontend
|
||||
# TCP backend to forward to HTTPS backends based on SNI
|
||||
bind :::443 v4v6
|
||||
mode tcp
|
||||
|
||||
# Wait up to 5s for a SNI header & only accept TLS connections
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content capture req.ssl_sni len 255
|
||||
log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
|
||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||
|
||||
###################################################
|
||||
## Rules: forward to HTTPS(S) header-based rules ##
|
||||
###################################################
|
||||
acl use_http_backend req.ssl_sni -i "codeberg.org"
|
||||
acl use_http_backend req.ssl_sni -i "join.codeberg.org"
|
||||
use_backend https_termination_backend if use_http_backend
|
||||
|
||||
############################
|
||||
## Rules: HTTPS SNI-based ##
|
||||
############################
|
||||
# use_backend xyz_backend if { req.ssl_sni -i "xyz" }
|
||||
default_backend pages_backend
|
||||
|
||||
frontend https_termination_frontend
|
||||
# Terminate TLS for HTTP backends
|
||||
bind /tmp/haproxy-tls-termination.sock accept-proxy ssl strict-sni alpn h2,http/1.1 crt /etc/ssl/private/haproxy/
|
||||
mode http
|
||||
|
||||
# HSTS (63072000 seconds)
|
||||
http-response set-header Strict-Transport-Security max-age=63072000
|
||||
|
||||
http-request capture req.hdr(Host) len 255
|
||||
log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
|
||||
|
||||
##################################
|
||||
## Rules: HTTPS(S) header-based ##
|
||||
##################################
|
||||
use_backend gitea_backend if { hdr(host) -i codeberg.org }
|
||||
|
||||
backend https_termination_backend
|
||||
# Redirect to the terminating HTTPS frontend for all HTTP backends
|
||||
server https_termination_server /tmp/haproxy-tls-termination.sock send-proxy-v2-ssl-cn
|
||||
mode tcp
|
||||
|
||||
###############################
|
||||
## Backends: HTTPS SNI-based ##
|
||||
###############################
|
||||
|
||||
backend pages_backend
|
||||
# Pages server is a HTTP backend that uses its own certificates for custom domains
|
||||
server pages_server pages:443
|
||||
mode tcp
|
||||
|
||||
####################################
|
||||
## Backends: HTTP(S) header-based ##
|
||||
####################################
|
||||
|
||||
backend gitea_backend
|
||||
server gitea_server gitea:80
|
||||
mode http
|
||||
Loading…
Add table
Add a link
Reference in a new issue