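global
    # use systemd for collecting logs: raw lines on stdout, syslog facility "daemon"
    log stdout len 2048 format raw daemon
    # {{cores}} is a template placeholder, presumably filled in at deploy time
    nbthread {{cores}}
    chroot /var/lib/haproxy
    # socket ... expose-fd listeners - not sure this is still required
    # https://www.haproxy.com/documentation/haproxy-configuration-manual/3-1r1/#5.1-expose-fd%20listeners
    # "level admin" gives full control of the running proxy (server state,
    # maps, ACLs); the 660 mode plus the haproxy user/group below is what
    # keeps it to that account - do not widen the mode.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # https://www.haproxy.com/blog/encoding-haproxy-logs-in-machine-readable-json-or-cbor
    # https://www.haproxy.com/documentation/haproxy-configuration-manual/3-1r1/#8.2.6
    # captured headers + shared + dev-only
    # The four capture.req.hdr() fields are copied from the request exactly as
    # the client sent them, so host / x_request_id / x-real-ip / user-agent are
    # untrusted values in the log; %(client_ip)ci is the peer address HAProxy
    # itself observed and is the field to rely on for attribution.
    # %(app_name) reads the {{env}} template placeholder.
    setenv HTTP_LOG_JSON "%{+json}o %(host)[capture.req.hdr(0)] %(x_request_id)[capture.req.hdr(1)] %(x-real-ip)[capture.req.hdr(2)] %(user-agent)[capture.req.hdr(3)] %(client_ip)ci %(client_port)cp %(request_date)tr %(status_code)ST %(http_request)r %(frontend)ft %(backend)b %(server)s %(time_request)TR %(time_wait)Tw %(time_connect)Tc %(time_response)Tr/%(time_active)Ta %(bytes_read)B %(ssl_sni)[ssl_fc_sni] %(ssl_ciphers)sslc %(ssl_version)sslv %(time_handshake)Th %(app_name)[str({{env}})]"

    #tune.bufsize 65536
    #tune.maxrewrite 4096
    #tune.http.maxhdr 8192
    #tune.listener.multi-queue off

    # PFS key-exchange only
    # kGOST is presumably a no-op unless the OpenSSL build has a GOST engine
    # loaded - check "haproxy -vv" / the negotiated %(ssl_ciphers) in the logs.
    ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
    # TLS 1.3 suites (AEAD only)
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # no-tls-tickets: session resumption only via the server-side cache, so no
    # long-lived ticket key can undermine forward secrecy
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # custom DH group for the DHE suites listed above
    ssl-dh-param-file /etc/haproxy/dhparms.pem
    #tune.ssl.default-dh-param 2048
    #tune.ssl.cachesize 384000

defaults
    log global
    mode http
    #option httplog
    option dontlognull
    # unit-less timeouts are milliseconds
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # NOTE(review): no "timeout http-request" is set, so a client may hold a
    # connection open while sending headers slowly for the full client
    # timeout; consider a short header-reception timeout for the public listeners.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    maxconn 128000
    #option dontlog-normal
    # forwardfor APPENDS the peer address to X-Forwarded-For; it does not
    # remove a value the client supplied. The TLS frontends therefore delete
    # the header before routing so backends only ever see the address HAProxy
    # itself observed.
    option forwardfor
    #option http-server-close
    #option logasap
    option tcp-smart-accept
    option tcp-smart-connect
    # NOTE(review): response compression of dynamic pages that echo request
    # data next to secrets is the BREACH precondition; confirm the backends
    # mark such responses non-compressible or restrict "compression type".
    compression algo-req gzip raw-deflate
    compression algo-res gzip raw-deflate

# shared by the three HTTP frontends; sizes are in MB (total) and bytes (object)
cache default_cache
    total-max-size 4
    max-object-size 10000
    max-age 240
    process-vary on
    max-secondary-entries 12

frontend http
    # alpn is a TLS extension; on this clear-text bind it is presumably
    # ignored (verify whether this HAProxy version warns about it)
    bind *:80 alpn h2,http/1.1
    # browsers only honour HSTS received over TLS (RFC 6797); this copy on the
    # clear-text listener is harmless but has no effect
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    capture request header host len 64
    capture request header x-request-id len 64
    # len 15 fits a dotted IPv4 only; an IPv6 value is truncated in the log
    capture request header x-real-ip len 15
    capture request header user-agent len 64
    log-format "${HTTP_LOG_JSON}"
    http-request cache-use default_cache
    http-response cache-store default_cache
    acl host_kc hdr(host) -i keycloak.nethence.com
    acl host_netbird hdr(host) -i netbird.nethence.com
    # no default_backend: only the two known hosts are redirected, any other
    # Host value gets the 503 errorfile
    redirect scheme https code 301 if host_kc
    redirect scheme https code 301 if host_netbird

frontend https
    # "proto h2" forces the HTTP/2 mux for every connection on this bind.
    # NOTE(review): confirm with this HAProxy version that HTTP/1.1-only
    # clients still work here (alpn h2,http/1.1 would negotiate instead of forcing).
    bind *:443 ssl crt /etc/haproxy/certs/ proto h2
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    capture request header host len 64
    capture request header x-request-id len 64
    # len 15 fits a dotted IPv4 only; an IPv6 value is truncated in the log
    capture request header x-real-ip len 15
    capture request header user-agent len 64
    log-format "${HTTP_LOG_JSON}"
    http-request cache-use default_cache
    http-response cache-store default_cache
    # drop any client-supplied X-Forwarded-For so "option forwardfor" (defaults)
    # produces a single trustworthy value for the backends
    http-request del-header X-Forwarded-For
    acl host_kc hdr(host) -i keycloak.nethence.com
    acl host_netbird hdr(host) -i netbird.nethence.com
    acl netbird_mgmt_api path_beg -i /api
    acl netbird_mgmt_grpc path_beg -i /management
    acl netbird_signal_grpc path_beg -i /signalexchange
    # most specific path first; the dashboard is the catch-all for the netbird host
    use_backend netbird_signal_grpc if netbird_signal_grpc host_netbird
    use_backend netbird_mgmt_grpc if netbird_mgmt_grpc host_netbird
    use_backend netbird_mgmt_api if netbird_mgmt_api host_netbird
    use_backend netbird_dashboard if host_netbird
    use_backend kc-server if host_kc

# dedicated HTTP/2-only listener for the signal gRPC service
frontend https10k
    bind *:10000 ssl crt /etc/haproxy/certs/ proto h2
    #http-response set-header Strict-Transport-Security "max-age=16000000;"
    capture request header host len 64
    capture request header x-request-id len 64
    # len 15 fits a dotted IPv4 only; an IPv6 value is truncated in the log
    capture request header x-real-ip len 15
    capture request header user-agent len 64
    log-format "${HTTP_LOG_JSON}"
    # cache rules were previously declared twice in this frontend; the second
    # copy of each could never match, so a single declaration is kept
    http-request cache-use default_cache
    http-response cache-store default_cache
    # drop any client-supplied X-Forwarded-For so "option forwardfor" (defaults)
    # produces a single trustworthy value for the backend
    http-request del-header X-Forwarded-For
    #acl host_netbird hdr(host) -i netbird.nethence.com
    #acl netbird_signal_grpc path_beg -i /signalexchange
    #use_backend netbird_signal_grpc if netbird_signal_grpc host_netbird
    # no Host / path filtering on this port: every request reaches the signal backend
    default_backend netbird_signal_grpc

# every backend is only reached through a TLS frontend, hence the fixed
# X-Forwarded-Proto value

# nmap -p 8081 -sV localhost -T5
backend kc-server
    #balance static-rr
    http-request set-header X-Forwarded-Proto https
    server keycloak 127.0.0.1:8081 check

# nmap -p 8091 -sV localhost -T5
backend netbird_dashboard
    http-request set-header X-Forwarded-Proto https
    server netbird_dashboard 127.0.0.1:8091 check

# nmap -p 8092 -sV localhost -T5
backend netbird_mgmt_api
    http-request set-header X-Forwarded-Proto https
    server netbird_mgmt_api 127.0.0.1:8092 check

# same upstream as netbird_mgmt_api, but with the HTTP/2 mux forced for gRPC
backend netbird_mgmt_grpc
    http-request set-header X-Forwarded-Proto https
    server netbird_mgmt_grpc 127.0.0.1:8092 check proto h2

# nmap -p 8093 -sV localhost -T5
backend netbird_signal_grpc
    http-request set-header X-Forwarded-Proto https
    server netbird_signal_grpc 127.0.0.1:8093 check proto h2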