CyberMind-FR
04908fc414
CrowdSec: - Change LAPI default port from 8080 to 8180 (avoid Docker conflict) - Update bouncer config, init script, and RPCD dashboard - Fix port detection hex value (1FF4 for 8180) Streamlit: - Complete rewrite with folder-based app structure - Multi-instance support (multiple apps on different ports) - Gitea integration (clone, pull, setup commands) - Auto-install requirements.txt with hash-based caching HexoJS: - Multi-instance support with folder structure - Multiple blog instances on different ports HAProxy: - Auto-generate fallback backends (luci, apps, default_luci) - Add --server letsencrypt to ACME commands Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
77 lines
2.1 KiB
INI
77 lines
2.1 KiB
INI
# HAProxy Default Configuration Template
|
|
# This file is used as a base when generating haproxy.cfg
|
|
|
|
global
|
|
log stdout format raw local0
|
|
maxconn 4096
|
|
stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
|
|
stats timeout 30s
|
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
defaults
|
|
mode http
|
|
log global
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout http-request 10s
|
|
timeout http-keep-alive 10s
|
|
retries 3
|
|
|
|
# Stats frontend - enable monitoring
|
|
frontend stats
|
|
bind *:8404
|
|
mode http
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats auth admin:secubox
|
|
stats admin if TRUE
|
|
|
|
# HTTP frontend - catch all port 80 traffic
|
|
frontend http-in
|
|
bind *:80
|
|
mode http
|
|
|
|
# ACME challenge handling
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
use_backend acme if is_acme
|
|
|
|
# Default: redirect to HTTPS
|
|
http-request redirect scheme https code 301 unless is_acme
|
|
default_backend default_luci
|
|
|
|
# HTTPS frontend - SSL termination
|
|
frontend https-in
|
|
bind *:443 ssl crt /opt/haproxy/certs/ alpn h2,http/1.1
|
|
mode http
|
|
|
|
# Security headers
|
|
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
http-response set-header X-Content-Type-Options nosniff
|
|
http-response set-header X-Frame-Options SAMEORIGIN
|
|
|
|
# Forward real IP
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Real-IP %[src]
|
|
http-request set-header X-Forwarded-For %[src]
|
|
|
|
default_backend default_luci
|
|
|
|
# ACME challenge backend
|
|
backend acme
|
|
mode http
|
|
server acme 127.0.0.1:8080 check
|
|
|
|
# Default LuCI backend - routes to uhttpd
|
|
backend default_luci
|
|
mode http
|
|
balance roundrobin
|
|
server luci 192.168.255.1:8081 check
|