lumin/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
homelab/roles/haproxy/files/haproxy.cfg

250 lines
8 KiB
INI
Raw Blame History

global
log /dev/stderr local0 warning
user haproxy
group haproxy
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option forwardfor
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
default-server init-addr last,libc,none
frontend http
mode http
bind :80
acl has_domain hdr_sub(host) -i comfycamp.space
http-request redirect scheme https if !{ ssl_fc } has_domain
http-request set-header X-Forwarded-Proto http
acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
acl path_streaming_api path_beg /api/v1/streaming
use_backend mastodon_streaming if host_mastodon_tor path_streaming_api
use_backend mastodon if host_mastodon_tor
acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion
use_backend peertube if host_peertube_tor
acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion
use_backend comfycamp if host_comfycamp_tor
frontend https
mode http
bind :443 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
acl host_mastodon hdr(host) -i m.comfycamp.space
acl path_streaming_api path_beg /api/v1/streaming
use_backend mastodon_streaming if host_mastodon path_streaming_api
use_backend mastodon if host_mastodon
acl host_xmpp hdr(host) -i xmpp.comfycamp.space
acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space
use_backend prosody if host_xmpp || host_xmpp_uploads
acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443
acl path_matrix path_beg /_matrix
acl path_matrix path_beg /_synapse/client
use_backend matrix if host_matrix path_matrix
acl host_s3 hdr(host) -i s3.comfycamp.space
use_backend minio if host_s3
acl host_peertube hdr(host) -i v.comfycamp.space
use_backend peertube if host_peertube
acl host_authentik hdr(host) -i auth.comfycamp.space
use_backend authentik if host_authentik
acl host_nextcloud hdr(host) -i nc.comfycamp.space
acl url_discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if host_nextcloud url_discovery
acl path_well_known path_beg /.well-known
http-request redirect location /index.php%[capture.req.uri] if host_nextcloud path_well_known
use_backend nextcloud if host_nextcloud
acl host_immich hdr(host) -i i.comfycamp.space
use_backend immich if host_immich
acl host_comfycamp hdr(host) -i comfycamp.space
use_backend comfycamp if host_comfycamp
acl host_vaultwarden hdr(host) -i vault.comfycamp.space
use_backend vaultwarden if host_vaultwarden
acl host_minio hdr(host) -i minio.comfycamp.space
use_backend minio_console if host_minio
acl host_git hdr(host) -i git.comfycamp.space
use_backend forgejo if host_git
acl host_uptime hdr(host) -i uptime.comfycamp.space
use_backend uptime_kuma if host_uptime
acl host_jellyfin hdr(host) -i jf.comfycamp.space
use_backend jellyfin if host_jellyfin
acl host_freshrss hdr(host) -i rss.comfycamp.space
use_backend freshrss if host_freshrss
acl host_ai hdr(host) -i ai.comfycamp.space
use_backend openwebui if host_ai
acl host_grafana hdr(host) -i grafana.comfycamp.space
use_backend grafana if host_grafana
acl host_phoenix hdr(host) -i ph.comfycamp.space
use_backend phoenix if host_phoenix
acl host_archivebox hdr(host) -i archive.comfycamp.space
use_backend archivebox if host_archivebox
acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space
use_backend mta_sts if host_mta_sts
frontend matrix-federation
bind :8448 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
default_backend matrix
frontend authentik_ldap
mode tcp
bind *:389
default_backend authentik_ldap
backend comfycamp
mode http
option httpchk GET /health
http-check expect status 200
http-response set-header Onion-Location http://comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion%[capture.req.uri]
server s1 comfycamp:4000 check inter 15s
backend mastodon
mode http
option httpchk GET /health
http-check expect status 200
http-response set-header Referrer-Policy same-origin
http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri]
server s1 mastodon-web-1:3000 check inter 10s
server s2 mastodon-web-2:3000 check inter 10s
backend mastodon_streaming
mode http
option httpchk GET /api/v1/streaming/health
http-check expect status 200
option http-server-close
timeout tunnel 1h
server green mastodon-streaming:4000 check inter 10s
backend vaultwarden
mode http
server green vaultwarden:80 check
backend minio_console
mode http
server green minio:9001 check
backend minio
mode http
http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
server green minio:9000 check
backend forgejo
mode http
server green forgejo:3000 check
backend matrix
mode http
server matrix synapse:8008 check
backend grafana
mode http
server grafana grafana:3000 check
backend peertube
mode http
option httpchk GET /.well-known/nodeinfo
http-response set-header Onion-Location http://vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion%[capture.req.uri]
server s1 peertube:9000 check inter 15s
backend authentik
mode http
option httpchk GET /-/health/live/
http-check expect status 200
server s1 authentik-1:9000 check inter 10s
server s2 authentik-2:9000 check inter 10s
backend authentik_ldap
mode tcp
option httpchk
http-check connect port 9300
http-check send meth GET uri /outpost.goauthentik.io/ping
http-check expect status 204
server s1 authentik-ldap-1:3389 check inter 10s
server s2 authentik-ldap-2:3389 check inter 10s
backend nextcloud
mode http
option httpchk
http-check send meth GET uri /status.php hdr Host nc.comfycamp.space
http-check expect status 200
cookie SERVER insert indirect nocache
server s1 nextcloud-1:80 check inter 15s cookie s1
server s2 nextcloud-2:80 check inter 15s cookie s2
backend mta_sts
mode http
server s1 mta-sts-1:8080 check
backend jellyfin
mode http
server s1 jellyfin:8096 check
backend prosody
mode http
option http-server-close
timeout tunnel 1h
server s1 prosody:5280 check
backend immich
mode http
option http-server-close
timeout tunnel 1h
server s1 immich-1:2283 check
backend archivebox
server s1 archivebox-1:8000 check
backend freshrss
server s1 freshrss-1:80 check
backend phoenix
server s1 phoenix-1:8080 check
backend uptime_kuma
server s1 uptime-kuma-1:3001 check
backend openwebui
server s1 open-webui-1:8080
Reference in a new issue View git blame Copy permalink