HTTP/2 multiplexing caused HAProxy's http_auth() to inconsistently evaluate auth rules, so protected vhosts randomly returned 200 (auth bypass) or 401 (auth required). Workaround: disabled HTTP/2 ALPN negotiation (alpn h2,http/1.1 → alpn http/1.1) so that HTTP Basic Auth behaves consistently for protected sites. This is a workaround rather than a root-cause fix; re-test the protected vhosts before re-enabling h2. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# HAProxy Default Configuration Template
#
# This file is used as a base when generating haproxy.cfg.  Anything
# hard-coded here (listen addresses, backend addresses, credentials) is
# inherited by every generated config unless the generator overrides it.

global
    # Log to stdout in raw format (no syslog header), facility local0.
    log stdout format raw local0
    maxconn 4096
    # Runtime API socket. "level admin" permits state changes (disable/enable
    # servers, weights, ...); "expose-fd listeners" is required for seamless
    # reloads.  No user/group directive is present in this section, so the
    # process (and hence the socket owner for mode 660) runs as whatever
    # identity the init system starts HAProxy with -- root unless the
    # service drops privileges elsewhere; worth confirming.
    stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # TLS 1.2 suites: ECDHE key exchange with AES-128-GCM only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # TLS 1.3 suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
    # Minimum protocol version TLS 1.2; session-ticket resumption disabled.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # Only relevant if a DHE suite is ever added; the lists above are ECDHE-only.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    # Do not log connections that carried no request data (probes, scans).
    option dontlognull
    # Adds an X-Forwarded-For header when the request is passed to the server.
    # The https-in frontend also sets X-Forwarded-For explicitly; with both
    # active the server may receive the header twice (same source value).
    # Harmless, but check which one the application reads.
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Upper bound for receiving the complete request headers; limits the
    # damage of slow-header (slowloris-style) clients.
    timeout http-request 10s
    timeout http-keep-alive 10s
    retries 3

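# Stats frontend - enable monitoring
#
# SECURITY NOTE: this listener is plaintext HTTP on every interface, and the
# "stats auth" credential below is a template default.  The generator must
# replace "admin:secubox" (and ideally restrict "bind" to a management
# address) before the generated config is deployed anywhere reachable from
# untrusted networks.  Admin actions are additionally limited to loopback.
frontend stats
    bind *:8404
    mode http
    # Only requests originating on the local host may use the admin actions
    # (disable/enable/drain servers, change weights); everyone else gets the
    # read-only stats page after authenticating.
    acl stats_local src 127.0.0.1 ::1
    stats enable
    stats uri /stats
    stats refresh 10s
    # Do not advertise the HAProxy version on the stats page.
    stats hide-version
    stats auth admin:secubox
    stats admin if stats_local
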
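# HTTP frontend - catch all port 80 traffic
frontend http-in
    bind *:80
    mode http

    # ACME challenge handling (HTTP-01 validation must stay on plaintext 80)
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme

    # Everything else is redirected to HTTPS.  http-request rules run before
    # backend selection, so no backend is ever reached for a non-ACME request.
    # Deliberately no default_backend here: the LuCI admin UI must never be
    # served over plaintext, and if this redirect were ever removed the
    # frontend would fail closed (HAProxy answers 503 when no backend applies)
    # rather than silently exposing LuCI on port 80.
    http-request redirect scheme https code 301 unless is_acme
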
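# HTTPS frontend - SSL termination with multi-certificate SNI support
frontend https-in
    # ALPN deliberately advertises only http/1.1: with h2 enabled, HTTP/2
    # multiplexing made the per-vhost http_auth() evaluation inconsistent
    # (protected sites randomly answered 200 instead of 401).  This is a
    # workaround, not a root-cause fix; re-test the protected vhosts before
    # re-enabling h2.
    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn http/1.1
    mode http

    # Security headers (applied to every backend's responses, LuCI included)
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options SAMEORIGIN

    # Forward real IP.  set-header overwrites (rather than appends to) any
    # client-supplied value, so a spoofed X-Forwarded-For / X-Real-IP /
    # X-Forwarded-Proto never reaches the backends.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-For %[src]

    # CyberMood.eu routing.  The Host value is lower-cased and stripped of an
    # explicit ":port" before the exact match, so "cybermood.eu:443" routes
    # like "cybermood.eu" instead of falling through to the LuCI default.
    acl is_cybermood req.hdr(host),lower,field(1,:) -m str cybermood.eu www.cybermood.eu
    acl is_cybermood_presse req.hdr(host),lower,field(1,:) -m str presse.cybermood.eu
    use_backend cybermood_web if is_cybermood
    use_backend cybermood_presse if is_cybermood_presse

    # Any other Host (bare IP, unknown name, unknown SNI) lands on the router
    # admin UI; keep that in mind when this frontend is exposed publicly.
    default_backend default_luci
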
# ACME challenge backend
# Only reached from http-in for /.well-known/acme-challenge/ requests.
backend acme
    mode http
    server acme 127.0.0.1:8080 check

# Default LuCI backend - routes to uhttpd
# Catch-all target for requests no other rule claims.  The upstream is plain
# HTTP (no "ssl" on the server line), so the X-Forwarded-* headers set in
# https-in are the only indication to uhttpd that the client used TLS.
backend default_luci
    mode http
    # Single server; roundrobin has no effect until more are added.
    balance roundrobin
    server luci 192.168.255.1:8081 check

# CyberMood.eu backend
# Selected by https-in for cybermood.eu / www.cybermood.eu; plain HTTP upstream.
backend cybermood_web
    mode http
    # Single server; roundrobin has no effect until more are added.
    balance roundrobin
    server cybermood 192.168.255.1:4000 check

# CyberMood Presse backend
# Selected by https-in for presse.cybermood.eu; plain HTTP upstream.
backend cybermood_presse
    mode http
    # Single server; roundrobin has no effect until more are added.
    balance roundrobin
    server cybermood-presse 192.168.255.1:4001 check