Initial commit

2019-07-18 13:48:30 -04:00 · 2019-07-18 13:48:30 -04:00 · 9d95087809
commit 9d95087809
1 changed files with 92 additions and 0 deletions
--- a/haproxy.cfg
+++ b/haproxy.cfg
@ -0,0 +1,92 @@
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
+        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
+        # set default parameters to the intermediate configuration
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+        ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+defaults
+#       enables tcplog so disabled
+#       log     global
+        mode    http
+#       option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+# HTTP (port 80)
+frontend http-in
+        bind 209.141.34.95:80
+	bind [2605:6400:20:e6d::1]:80
+	mode http
+        reqadd X-Forwarded-Proto:\ http
+
+        use_backend letsencrypt if { path_beg -i /.well-known/acme-challenge }
+
+        default_backend redirect-to-https
+
+backend redirect-to-https
+	mode http
+        redirect scheme https if !{ ssl_fc }
+
+backend letsencrypt
+	mode http
+        server letsencrypt-http 127.0.0.1:12345 verify none
+
+# TCP LB (443)
+frontend 443-in
+	bind 209.141.34.95:443 tfo ssl crt /etc/haproxy/certs
+	bind [2605:6400:20:e6d::1]:443 tfo ssl crt /etc/haproxy/certs
+	bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs
+	mode http
+
+	use_backend nginx
+
+backend nginx
+	server nginx 127.0.0.1:80 verify none
+
+# TCP LB (853)
+frontend 853-in
+	bind 209.141.34.95:853 tfo ssl crt /etc/haproxy/certs
+	bind [2605:6400:20:e6d::1]:853 tfo ssl crt /etc/haproxy/certs
+	mode tcp
+
+	# DoT
+	use_backend dns-uncensored if { ssl_fc_sni uncensored.lv1.dns.nixnet.xyz }
+	use_backend dns-adblock if { ssl_fc_sni adblock.lv1.dns.nixnet.xyz }
+
+frontend 853ac-in
+	bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs
+	mode tcp
+
+	# DoT
+	use_backend dns-uncensored if { ssl_fc_sni uncensored.any.dns.nixnet.xyz }
+	use_backend dns-adblock if { ssl_fc_sni adblock.any.dns.nixnet.xyz }
+
+# DoT backends
+backend dns-uncensored
+	mode tcp
+	server unbound 127.0.0.1:53 check
+
+backend dns-adblock
+	mode tcp
+	server adguard 176.103.130.130:53 check