global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options) # set default parameters to the intermediate configuration ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets defaults # enables tcplog so disabled # log global mode http # option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http # HTTP (port 80) frontend http-in bind 209.141.34.95:80 bind [2605:6400:20:e6d::1]:80 mode http reqadd X-Forwarded-Proto:\ http http-response set-header X-Frontend lv1 use_backend letsencrypt if { path_beg -i /.well-known/acme-challenge } default_backend redirect-to-https backend redirect-to-https mode http redirect scheme https if !{ ssl_fc } backend letsencrypt mode http server letsencrypt-http 127.0.0.1:12345 verify none # HTTP (port 80, anycast) frontend http-ac-in bind 198.251.90.114:80 bind 198.251.90.89:80 mode http reqadd X-Forwarded-Proto:\ http http-response set-header X-Frontend lv1 use_backend letsencrypt-lv1 if { path_beg -i /.well-known/acme-challenge } default_backend redirect-to-https backend letsencrypt-lv1 mode http server letsencrypt-http 10.250.66.2:12345 verify none # TCP LB (443) frontend 443-in bind 209.141.34.95:443 tfo ssl crt /etc/haproxy/certs bind [2605:6400:20:e6d::1]:443 tfo ssl crt /etc/haproxy/certs bind 198.251.90.114:443 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem bind 198.251.90.89:443 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem mode http http-response set-header X-Frontend lv1 use_backend check if { path /check } use_backend doh-uncensored if { hdr(host) -i uncensored.any.dns.nixnet.xyz } use_backend doh-adblock if { hdr(host) -i adblock.any.dns.nixnet.xyz } use_backend doh-uncensored if { hdr(host) -i uncensored.lux1.dns.nixnet.xyz } use_backend doh-adblock if { hdr(host) -i adblock.lux1.dns.nixnet.xyz } # default_backend nginx backend check mode http errorfile 503 /home/amolith/nixnet-dns/anycast.http backend nginx server nginx 127.0.0.1:80 verify none # TCP LB (853) frontend 853-in bind 209.141.34.95:853 tfo ssl crt /etc/haproxy/certs bind [2605:6400:20:e6d::1]:853 tfo ssl crt /etc/haproxy/certs mode tcp # DoT use_backend dns-uncensored if { ssl_fc_sni uncensored.lv1.dns.nixnet.xyz } use_backend dns-adblock if { ssl_fc_sni adblock.lv1.dns.nixnet.xyz } frontend 853ac-in bind 198.251.90.114:853 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem bind 198.251.90.89:853 tfo ssl crt /etc/haproxy/certs/uncensored.any.dns.nixnet.xyz.pem mode tcp # DoT use_backend dns-uncensored if { ssl_fc_sni uncensored.any.dns.nixnet.xyz } use_backend dns-adblock if { ssl_fc_sni adblock.any.dns.nixnet.xyz } # DoT backends backend dns-uncensored mode tcp server unbound 127.0.0.1:53 check backend dns-adblock mode tcp server pihole 198.251.90.89:53 check # DoH backends backend doh-uncensored mode http server doh-uncensored 127.0.0.1:8053 check backend doh-adblock mode http server doh-adblock 127.0.0.1:8054 check