commit 9d950878094cc0056e466cd746ec9059ba6b3220 Author: sn0wb0i Date: Thu Jul 18 13:48:30 2019 -0400 Initial commit diff --git a/haproxy.cfg b/haproxy.cfg new file mode 100644 index 0000000..42eca0a --- /dev/null +++ b/haproxy.cfg @@ -0,0 +1,92 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern + # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options) + # set default parameters to the intermediate configuration + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +defaults +# enables tcplog so disabled +# log global + mode http +# option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +# HTTP (port 80) +frontend http-in + bind 209.141.34.95:80 + bind [2605:6400:20:e6d::1]:80 + mode http + reqadd X-Forwarded-Proto:\ http + + use_backend letsencrypt if { path_beg -i /.well-known/acme-challenge } + + default_backend redirect-to-https + +backend redirect-to-https + mode http + redirect scheme https if !{ ssl_fc } + +backend letsencrypt + mode http + server letsencrypt-http 127.0.0.1:12345 verify none + +# TCP LB (443) +frontend 443-in + bind 209.141.34.95:443 tfo ssl crt /etc/haproxy/certs + bind [2605:6400:20:e6d::1]:443 tfo ssl crt /etc/haproxy/certs + bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs + mode http + + use_backend nginx + +backend nginx + server nginx 127.0.0.1:80 verify none + +# TCP LB (853) +frontend 853-in + bind 209.141.34.95:853 tfo ssl crt /etc/haproxy/certs + bind [2605:6400:20:e6d::1]:853 tfo ssl crt /etc/haproxy/certs + mode tcp + + # DoT + use_backend dns-uncensored if { ssl_fc_sni uncensored.lv1.dns.nixnet.xyz } + use_backend dns-adblock if { ssl_fc_sni adblock.lv1.dns.nixnet.xyz } + +frontend 853ac-in + bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs + mode tcp + + # DoT + use_backend dns-uncensored if { ssl_fc_sni uncensored.any.dns.nixnet.xyz } + use_backend dns-adblock if { ssl_fc_sni adblock.any.dns.nixnet.xyz } + +# DoT backends +backend dns-uncensored + mode tcp + server unbound 127.0.0.1:53 check + +backend dns-adblock + mode tcp + server adguard 176.103.130.130:53 check