2019-07-18 17:48:30 +00:00
|
|
|
global
|
|
|
|
log /dev/log local0
|
|
|
|
log /dev/log local1 notice
|
|
|
|
chroot /var/lib/haproxy
|
|
|
|
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
|
|
|
stats timeout 30s
|
|
|
|
user haproxy
|
|
|
|
group haproxy
|
|
|
|
daemon
|
|
|
|
|
|
|
|
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
|
|
|
|
# If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
|
|
|
|
# set default parameters to the intermediate configuration
|
|
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
|
|
|
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
|
|
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
|
|
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
|
|
|
|
|
|
defaults
|
|
|
|
# enables tcplog so disabled
|
|
|
|
# log global
|
|
|
|
mode http
|
|
|
|
# option httplog
|
|
|
|
option dontlognull
|
|
|
|
timeout connect 5000
|
|
|
|
timeout client 50000
|
|
|
|
timeout server 50000
|
|
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
|
|
|
|
|
|
# HTTP (port 80)
|
|
|
|
frontend http-in
|
|
|
|
bind 209.141.34.95:80
|
|
|
|
bind [2605:6400:20:e6d::1]:80
|
|
|
|
mode http
|
|
|
|
reqadd X-Forwarded-Proto:\ http
|
|
|
|
|
2019-07-20 02:15:45 +00:00
|
|
|
http-response set-header X-Frontend lv1
|
|
|
|
|
2019-07-18 17:48:30 +00:00
|
|
|
use_backend letsencrypt if { path_beg -i /.well-known/acme-challenge }
|
|
|
|
|
|
|
|
default_backend redirect-to-https
|
|
|
|
|
|
|
|
backend redirect-to-https
|
|
|
|
mode http
|
|
|
|
redirect scheme https if !{ ssl_fc }
|
|
|
|
|
|
|
|
backend letsencrypt
|
|
|
|
mode http
|
|
|
|
server letsencrypt-http 127.0.0.1:12345 verify none
|
|
|
|
|
2019-07-20 02:11:52 +00:00
|
|
|
# HTTP (port 80, anycast)
|
|
|
|
frontend http-ac-in
|
|
|
|
bind 198.251.90.114:80
|
2019-08-27 18:23:55 +00:00
|
|
|
bind 198.251.90.89:80
|
2019-07-20 02:11:52 +00:00
|
|
|
mode http
|
|
|
|
reqadd X-Forwarded-Proto:\ http
|
|
|
|
|
2019-07-20 02:15:45 +00:00
|
|
|
http-response set-header X-Frontend lv1
|
|
|
|
|
2019-07-20 02:11:52 +00:00
|
|
|
use_backend letsencrypt-lv1 if { path_beg -i /.well-known/acme-challenge }
|
|
|
|
|
2019-07-20 02:42:05 +00:00
|
|
|
default_backend redirect-to-https
|
|
|
|
|
2019-07-20 02:11:52 +00:00
|
|
|
backend letsencrypt-lv1
|
|
|
|
mode http
|
|
|
|
server letsencrypt-http 10.250.66.2:12345 verify none
|
|
|
|
|
2019-07-18 17:48:30 +00:00
|
|
|
# TCP LB (443)
|
|
|
|
frontend 443-in
|
|
|
|
bind 209.141.34.95:443 tfo ssl crt /etc/haproxy/certs
|
|
|
|
bind [2605:6400:20:e6d::1]:443 tfo ssl crt /etc/haproxy/certs
|
2019-07-20 02:42:05 +00:00
|
|
|
bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem
|
2019-08-27 18:23:55 +00:00
|
|
|
bind 198.251.90.89:443 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem
|
2019-07-18 17:48:30 +00:00
|
|
|
mode http
|
|
|
|
|
2019-07-20 02:42:05 +00:00
|
|
|
http-response set-header X-Frontend lv1
|
|
|
|
|
|
|
|
use_backend check if { path /check }
|
|
|
|
|
2019-09-11 13:04:28 +00:00
|
|
|
use_backend doh-uncensored if { hdr(host) -i uncensored.any.dns.nixnet.xyz }
|
|
|
|
use_backend doh-adblock if { hdr(host) -i adblock.any.dns.nixnet.xyz }
|
|
|
|
|
|
|
|
use_backend doh-uncensored if { hdr(host) -i uncensored.lux1.dns.nixnet.xyz }
|
|
|
|
use_backend doh-adblock if { hdr(host) -i adblock.lux1.dns.nixnet.xyz }
|
|
|
|
|
2019-07-20 02:42:05 +00:00
|
|
|
# default_backend nginx
|
|
|
|
|
|
|
|
backend check
|
|
|
|
mode http
|
|
|
|
errorfile 503 /home/amolith/nixnet-dns/anycast.http
|
2019-07-18 17:48:30 +00:00
|
|
|
|
|
|
|
backend nginx
|
|
|
|
server nginx 127.0.0.1:80 verify none
|
|
|
|
|
|
|
|
# TCP LB (853)
|
|
|
|
frontend 853-in
|
|
|
|
bind 209.141.34.95:853 tfo ssl crt /etc/haproxy/certs
|
|
|
|
bind [2605:6400:20:e6d::1]:853 tfo ssl crt /etc/haproxy/certs
|
|
|
|
mode tcp
|
|
|
|
|
|
|
|
# DoT
|
|
|
|
use_backend dns-uncensored if { ssl_fc_sni uncensored.lv1.dns.nixnet.xyz }
|
|
|
|
use_backend dns-adblock if { ssl_fc_sni adblock.lv1.dns.nixnet.xyz }
|
|
|
|
|
|
|
|
frontend 853ac-in
|
2019-07-20 05:02:32 +00:00
|
|
|
bind 198.251.90.114:853 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem
|
2019-08-27 18:23:55 +00:00
|
|
|
bind 198.251.90.89:853 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem
|
2019-07-18 17:48:30 +00:00
|
|
|
mode tcp
|
|
|
|
|
|
|
|
# DoT
|
|
|
|
use_backend dns-uncensored if { ssl_fc_sni uncensored.any.dns.nixnet.xyz }
|
|
|
|
use_backend dns-adblock if { ssl_fc_sni adblock.any.dns.nixnet.xyz }
|
|
|
|
|
|
|
|
# DoT backends
|
|
|
|
backend dns-uncensored
|
|
|
|
mode tcp
|
|
|
|
server unbound 127.0.0.1:53 check
|
|
|
|
|
|
|
|
backend dns-adblock
|
|
|
|
mode tcp
|
2019-08-27 18:12:54 +00:00
|
|
|
server pihole 198.251.90.89:53 check
|
2019-09-11 13:04:28 +00:00
|
|
|
|
|
|
|
# DoH backends
|
|
|
|
backend doh-uncensored
|
|
|
|
mode http
|
|
|
|
server doh-uncensored 127.0.0.1:8053 check
|
|
|
|
|
|
|
|
backend doh-adblock
|
|
|
|
mode http
|
|
|
|
server doh-adblock 127.0.0.1:8054 check
|
|
|
|
|
|
|
|
|