library/haproxy/1.8-alpine/config/60.frontend.cfg

52 lines
2.0 KiB
INI
Raw Permalink Normal View History

2018-10-27 03:58:37 +00:00
frontend www-http
bind *:80
# Required variables from the request
http-request set-var(req.path) path
# # http-sites-map ACLs
# acl http-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/http-sites.map) -m found
# https-sites-map ACLs
acl https-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/https-sites.map) -m found
# # Required ACLs
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
# Normal requests should get secured
redirect scheme https code 301 if !letsencrypt-acl https-sites-acl
#redirect scheme https code 301 if https-sites-acl
# # Redirect ACME requests to certbot
use_backend site-http:default if letsencrypt-acl
# Redirect HTTP requests to http site
use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/http-sites.map,site-http:default)]
default_backend site-http:default
frontend www-https
# BEFORE BIND HOOK
bind :443 ssl strict-sni crt-list /etc/haproxy/ssl/crt-list.txt
# AFTER BIND HOOK
# Standard headers to inform app about inverse proxy status
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Real-IP %[src]
# AFTER WWW HOOK
use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/https-sites.map,site-http:default)]