Configuration Check


#1

Hi all,
I am still learning how to use haproxy well and was hoping I could receive some feedback for my configuration.

I am using Cloudflare with my setup and SNI to direct traffic. It all appears to be working how I want including PROXY protocol passthrough. Although I could only get that working by adding "option forwardfor header X-Forwarded-For to the SNI pass-through frontend.

My main concern is whether the way I have configured this is secure and/or the most efficient way to configure this set up.

# Global parameters
defaults
    # Slowloris protection
    timeout http-request 5s
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 4s

    # Close the backend connection
    option http-server-close
		
global
	log 10.0.0.10 local0
    maxconn 32000
    ulimit-n 65535
    uid 0
    gid 0
    daemon
    nosplice
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:EC
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen local_health_check
    bind :60000
    mode health

# Frontend for SNI Passthrough
frontend frontend_snipt
    bind *:443
    mode tcp
	log global
	option forwardfor header X-Forwarded-For
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend backend_snipt_1 if { req_ssl_sni -i 1.domain.com }
    use_backend backend_snipt_2 if { req_ssl_sni -i 2.domain.com }
    use_backend backend_snipt_3 if { req_ssl_sni -i 3.domain.com }
	use_backend backend_snipt_4 if { req_ssl_sni -i 4.domain.com }
	use_backend backend_snipt_5 if { req_ssl_sni -i 5.domain.com }
    default_backend backend_1

# Backend for SNI Passthrough
backend backend_snipt_1
    mode tcp
    server localhost 127.0.0.1:7000 check

backend backend_snipt_2
    mode tcp
    server localhost 127.0.0.1:7001 check

backend backend_snipt_3
    mode tcp
    server localhost 127.0.0.1:7002 check

backend backend_snipt_4
	mode tcp
	server localhost 127.0.0.1:7003 check

backend backend_snipt_5
	mode tcp
	server localhost 127.0.0.1:7004 check
		
# Normal frontend
frontend frontend_1
	bind *:7000 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
	mode http
	use_backend backend_1

frontend frontend_2
	bind *:7001 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
	mode http
	use_backend backend_2
		
frontend frontend_3
	bind *:7002 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
	mode http
	use_backend backend_3

frontend frontend_4
	bind *:7003 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
	mode http
	use_backend backend_4

frontend frontend_5
	bind *:7004 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
	mode tcp
	option clitcpka
	timeout client 3h
	timeout server 3h
	use_backend backend_5

# Normal backend		
backend backend_1
    mode http
    server server01 10.0.0.10:80 check

backend backend_2
    mode http
    server server01 10.0.0.10:8080 check

backend backend_3
    mode http
    server server02 10.0.0.254:80 check

backend backend_4
	mode http
	server server01 10.0.0.10:8081 check

backend backend_5
	mode http
	server server01 10.0.0.10:8082 check