
Configuration de haproxy


haproxy sert de passerelle TLS : il termine les connexions HTTPS (ce qu'il fait plus rapidement que nginx) et transmet le trafic en clair au serveur web local sur 127.0.0.1:8080. Il pourra ensuite être utilisé pour faire du Load Balancing, mais pour l'instant on n'en est pas là.

/etc/haproxy/haproxy.cfg

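global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # Admin-level socket: whoever can write to it can disable servers and
        # change weights. mode 660 limits that to the haproxy user and group.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.4.3&hsts=yes&profile=intermediate
        # set default parameters to the intermediate configuration
        tune.ssl.default-dh-param 2048
        # no-sslv3 alone still allows TLS 1.0 and 1.1. On haproxy >= 1.8 prefer
        # "ssl-min-ver TLSv1.2" here; on older builds add "no-tlsv10 no-tlsv11"
        # once no client needs them.
        ssl-default-bind-options no-sslv3 no-tls-tickets
        # bind-ciphers governs the client-facing listener (frontend :443);
        # server-ciphers governs connections haproxy opens towards backends.
        # Only the server-side list was set before, so the :443 listener was
        # running on OpenSSL's default cipher list. Both now use the intermediate
        # profile, which still contains 3DES (DES-CBC3-SHA) for legacy clients;
        # drop those entries when old clients are no longer a concern.
        ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        ssl-default-server-options no-sslv3 no-tls-tickets

        # Session tickets are disabled above, so resumption relies on this
        # server-side cache; a larger cache and a 10 minute lifetime keep the
        # number of full handshakes (and key computations) down.
        tune.ssl.cachesize 100000
        tune.ssl.lifetime 600
        # Size TLS records to fit one TCP segment so the browser can start
        # decrypting the first bytes sooner.
        tune.ssl.maxrecord 1460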

defaults
        # Applies to every frontend/backend/listen section that follows.
        mode    http
        log     global
        option  httplog
        option  dontlognull              # do not log probes that send nothing
        # Appends the client address to X-Forwarded-For. Earlier values in that
        # header are client-supplied and spoofable: the backend must only trust
        # the last (rightmost) entry, the one added here.
        option  forwardfor
        # Keep idle server-side connections and reuse them for requests from
        # other clients, which removes a TCP handshake per request towards the
        # backend. Do not use "always" with a backend that ties authentication
        # to the TCP connection (e.g. NTLM).
        http-reuse always

        # Concurrent connection cap per proxy: crude protection against floods.
        maxconn 2000

        # Timeouts
        timeout http-request 5s          # a client must send a full request quickly (slowloris)
        timeout connect 5s
        timeout client 30s
        timeout server 10s

        # Custom error pages
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

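listen statistics
        # The stats page is served over plain HTTP with Basic auth: the
        # credential below crosses the network in clear text on every request,
        # and it is stored in this file. Before exposing this beyond the host,
        # bind it to 127.0.0.1 (reach it through an SSH tunnel) or to an admin
        # network, or add "ssl crt ..." to the bind line. Rotate the password
        # if this file has ever been committed to a repository.
        bind *:8778
        mode http
        stats enable
        stats show-desc Statistiques sur Seenthis
        # Do not reveal the haproxy version to whoever reaches the page.
        stats hide-version
        stats uri /
        stats realm Statistiques\ Haproxy
        # Read-only view: "stats admin" is deliberately not enabled, so the
        # page cannot be used to disable servers even with the password.
        stats auth haproxy:motdepassetressecret
        stats refresh 10s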

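frontend ssl-relay
        # Loads every certificate bundle found in the directory (SNI picks
        # among them). Check the haproxy docs for which one serves as the
        # default when SNI matches nothing.
        bind :443 ssl crt /etc/haproxy/cert/
        http-request set-header X-Forwarded-Port %[dst_port]
        # set-header rather than add-header: add-header would pass a
        # client-supplied X-Forwarded-Proto on to the backend next to ours, and
        # a backend that reads the first value could be tricked into treating
        # an https request as http (or into skipping an https-only check).
        http-request set-header X-Forwarded-Proto https
        default_backend webservername
        # HSTS (15768000 seconds = 6 months). Only clients that already reached
        # us over https ever see it: if port 80 is served elsewhere, that
        # listener should redirect to https. rspadd is the 1.5-era syntax; on
        # 1.6+ "http-response set-header Strict-Transport-Security ..." is the
        # supported form and rspadd is gone in 2.1.
        rspadd  Strict-Transport-Security:\ max-age=15768000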

backend webservername
        # Plain HTTP to the local web server: TLS is terminated in the
        # frontend above and this hop stays on the loopback interface. There
        # is no "check" keyword, so haproxy does not health-check this server.
        server webservername 127.0.0.1:8080