192 lines
6.3 KiB
INI
192 lines
6.3 KiB
INI
global
|
|
log /dev/stderr local0
|
|
log /dev/stderr local1 notice
|
|
user haproxy
|
|
group haproxy
|
|
|
|
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
timeout connect 5000
|
|
timeout client 50000
|
|
timeout server 50000
|
|
errorfile 400 /usr/local/etc/haproxy/errors/400.http
|
|
errorfile 403 /usr/local/etc/haproxy/errors/403.http
|
|
errorfile 408 /usr/local/etc/haproxy/errors/408.http
|
|
errorfile 500 /usr/local/etc/haproxy/errors/500.http
|
|
errorfile 502 /usr/local/etc/haproxy/errors/502.http
|
|
errorfile 503 /usr/local/etc/haproxy/errors/503.http
|
|
errorfile 504 /usr/local/etc/haproxy/errors/504.http
|
|
|
|
frontend www
|
|
mode http
|
|
bind :80
|
|
bind :443 ssl crt /usr/local/etc/haproxy/certs
|
|
|
|
acl has_domain hdr_sub(host) -i comfycamp.space
|
|
|
|
http-request redirect scheme https if !{ ssl_fc } has_domain
|
|
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
|
|
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
|
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if { ssl_fc } has_domain
|
|
|
|
acl host_mastodon hdr(host) -i m.comfycamp.space
|
|
acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
|
|
acl path_streaming_api path_beg /api/v1/streaming
|
|
use_backend mastodon_streaming if host_mastodon path_streaming_api
|
|
use_backend mastodon_streaming if host_mastodon_tor path_streaming_api
|
|
use_backend mastodon if host_mastodon || host_mastodon_tor
|
|
|
|
acl host_xmpp hdr(host) -i xmpp.comfycamp.space
|
|
acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space
|
|
use_backend prosody if host_xmpp || host_xmpp_uploads
|
|
|
|
acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443
|
|
acl path_matrix path_beg /_matrix
|
|
acl path_matrix path_beg /_synapse/client
|
|
use_backend matrix if host_matrix path_matrix
|
|
|
|
acl host_s3 hdr(host) -i s3.comfycamp.space
|
|
use_backend minio if host_s3
|
|
|
|
acl host_peertube hdr(host) -i v.comfycamp.space
|
|
acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion
|
|
use_backend peertube if host_peertube || host_peertube_tor
|
|
|
|
acl host_authentik hdr(host) -i auth.comfycamp.space
|
|
use_backend authentik if host_authentik
|
|
|
|
acl host_nextcloud hdr(host) -i nc.comfycamp.space
|
|
acl url_discovery path /.well-known/caldav /.well-known/carddav
|
|
http-request redirect location /remote.php/dav/ code 301 if host_nextcloud url_discovery
|
|
acl path_well_known path_beg /.well-known
|
|
http-request redirect location /index.php%[capture.req.uri] if host_nextcloud path_well_known
|
|
use_backend nextcloud if host_nextcloud
|
|
|
|
acl host_comfycamp hdr(host) -i comfycamp.space
|
|
acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion
|
|
use_backend comfycamp if host_comfycamp || host_comfycamp_tor
|
|
|
|
acl host_vaultwarden hdr(host) -i vault.comfycamp.space
|
|
use_backend vaultwarden if host_vaultwarden
|
|
|
|
acl host_minio hdr(host) -i minio.comfycamp.space
|
|
use_backend minio_console if host_minio
|
|
|
|
acl host_git hdr(host) -i git.comfycamp.space
|
|
use_backend forgejo if host_git
|
|
|
|
acl host_jellyfin hdr(host) -i jf.comfycamp.space
|
|
use_backend jellyfin if host_jellyfin
|
|
|
|
acl host_grafana hdr(host) -i grafana.comfycamp.space
|
|
use_backend grafana if host_grafana
|
|
|
|
acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space
|
|
use_backend mta_sts if host_mta_sts
|
|
|
|
frontend matrix-federation
|
|
bind *:8448 ssl crt /usr/local/etc/haproxy/certs
|
|
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
|
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
|
|
|
|
default_backend matrix
|
|
|
|
frontend authentik_ldap
|
|
mode tcp
|
|
bind *:389
|
|
default_backend authentik_ldap
|
|
|
|
backend comfycamp
|
|
mode http
|
|
http-response set-header Onion-Location http://comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion%[capture.req.uri]
|
|
server green comfycamp:4000 check
|
|
|
|
backend mastodon
|
|
mode http
|
|
option forwardfor
|
|
http-response set-header Referrer-Policy same-origin
|
|
http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri]
|
|
server s1 mastodon-web-1:3000 check
|
|
server s2 mastodon-web-2:3000 check
|
|
|
|
backend mastodon_streaming
|
|
mode http
|
|
option forwardfor
|
|
option http-server-close
|
|
timeout tunnel 1h
|
|
server green mastodon-streaming:4000 check
|
|
|
|
backend vaultwarden
|
|
mode http
|
|
option forwardfor
|
|
server green vaultwarden:80 check
|
|
|
|
backend minio_console
|
|
mode http
|
|
option forwardfor
|
|
server green minio:9001 check
|
|
|
|
backend minio
|
|
mode http
|
|
http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
|
|
option forwardfor
|
|
server green minio:9000 check
|
|
|
|
backend forgejo
|
|
mode http
|
|
option forwardfor
|
|
server green forgejo:3000 check
|
|
|
|
backend matrix
|
|
mode http
|
|
option forwardfor
|
|
server matrix synapse:8008
|
|
|
|
backend grafana
|
|
mode http
|
|
server grafana grafana:3000
|
|
|
|
backend peertube
|
|
mode http
|
|
option forwardfor
|
|
http-response set-header Onion-Location http://vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion%[capture.req.uri]
|
|
server s1 peertube:9000
|
|
|
|
backend authentik
|
|
mode http
|
|
option forwardfor
|
|
server s1 authentik-1:9000 check
|
|
server s2 authentik-2:9000 check
|
|
|
|
backend authentik_ldap
|
|
mode tcp
|
|
server s1 authentik-ldap-1:3389 check
|
|
server s2 authentik-ldap-2:3389 check
|
|
|
|
backend nextcloud
|
|
mode http
|
|
option forwardfor
|
|
server s1 nextcloud-1:80 check
|
|
|
|
backend mta_sts
|
|
mode http
|
|
server s1 mta-sts-1:8080 check
|
|
|
|
backend jellyfin
|
|
mode http
|
|
server s1 jellyfin:8096 check
|
|
|
|
backend prosody
|
|
mode http
|
|
option forwardfor
|
|
option http-server-close
|
|
timeout tunnel 1h
|
|
server s1 prosody:5280 check
|