CyberMind-FR
f3fd676ad1
- Add secubox-app-haproxy: LXC-containerized HAProxy service
- Alpine Linux container with HAProxy
- Multi-certificate SSL/TLS termination with SNI routing
- ACME/Let's Encrypt auto-renewal
- Virtual hosts management
- Backend health checks and load balancing
- Add luci-app-haproxy: Full LuCI web interface
- Overview dashboard with service status
- Virtual hosts management with SSL options
- Backends and servers configuration
- SSL certificate management (ACME + import)
- ACLs and URL-based routing rules
- Statistics dashboard and logs
- Settings for ports, timeouts, ACME
- Update luci-app-secubox-portal:
- Add Services category with HAProxy, HexoJS, PicoBrew,
Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud
- Make portal dynamic - only shows installed apps
- Add empty state UI for sections with no apps
- Remove 404 errors for uninstalled apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
76 lines
2.0 KiB
INI
76 lines
2.0 KiB
INI
# HAProxy Default Configuration Template
|
|
# This file is used as a base when generating haproxy.cfg
|
|
|
|
global
|
|
log stdout format raw local0
|
|
maxconn 4096
|
|
stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
|
|
stats timeout 30s
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
defaults
|
|
mode http
|
|
log global
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout http-request 10s
|
|
timeout http-keep-alive 10s
|
|
retries 3
|
|
|
|
# Stats frontend - enable monitoring
|
|
frontend stats
|
|
bind *:8404
|
|
mode http
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats auth admin:secubox
|
|
stats admin if TRUE
|
|
|
|
# HTTP frontend - catch all port 80 traffic
|
|
frontend http-in
|
|
bind *:80
|
|
mode http
|
|
|
|
# ACME challenge handling
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
use_backend acme if is_acme
|
|
|
|
# Default: redirect to HTTPS
|
|
http-request redirect scheme https code 301 unless is_acme
|
|
default_backend fallback
|
|
|
|
# HTTPS frontend - SSL termination
|
|
frontend https-in
|
|
bind *:443 ssl crt /opt/haproxy/certs/ alpn h2,http/1.1
|
|
mode http
|
|
|
|
# Security headers
|
|
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
http-response set-header X-Content-Type-Options nosniff
|
|
http-response set-header X-Frame-Options SAMEORIGIN
|
|
|
|
# Forward real IP
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Real-IP %[src]
|
|
http-request set-header X-Forwarded-For %[src]
|
|
|
|
default_backend fallback
|
|
|
|
# ACME challenge backend
|
|
backend acme
|
|
mode http
|
|
server acme 127.0.0.1:8080 check
|
|
|
|
# Fallback backend
|
|
backend fallback
|
|
mode http
|
|
http-request deny deny_status 503
|