Hi guys, I’ve been running the same configuration for almost 2 years now. I am now moving to HAP 2.2 and was wondering if any of my old settings would not be compatible anymore…
This is the default config file that comes with 2.2 plus the stuff (commented out) that I had on the old server…
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# level admin exposes the runtime API (server state changes, map/ACL edits);
# mode 660 restricts it to the socket owner and group.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-min-ver TLSv1.2 already excludes SSLv3/TLS1.0/TLS1.1, so the old
# no-sslv3 no-tlsv10 no-tlsv11 line below is redundant with this one.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# OLD global
# ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# The two ssl-default-server-* lines only affect TLS from HAProxy to backend
# servers; both backends in this file connect over plain :80, so they would
# currently have no effect.
# ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# NOTE(review): the bind cipher list above still offers DHE-RSA suites; HAProxy
# historically warns about a weak default DH size when DHE is enabled without
# this tunable - confirm against the 2.2 docs before dropping it.
# tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# OLD Defaults
# While forwardfor is commented out HAProxy does not add X-Forwarded-For;
# the capture in the frontend only logs whatever an upstream already sent.
# option forwardfor
# option http-server-close
# maxconn 10000
# timeout client 600000
# timeout server 600000
# timeout connect 8000
# timeout client 30000
# timeout server 20000
frontend http
# accept-proxy on both binds requires every connection to begin with a PROXY
# protocol header; connections made directly by a browser are rejected.
bind *:80 accept-proxy
bind *:443 ssl crt /etc/ssl/hapcerts/ accept-proxy
mode http
# len 15 fits a dotted-quad IPv4 address; IPv6 values are truncated in the log.
capture request header X-Forwarded-For len 15
# Set unconditionally, so requests arriving on the plain :80 bind are also
# labelled https (the redirect below is disabled). Consider `if { ssl_fc }`.
http-request set-header X-Forwarded-Proto https
## redirect scheme https code 301 if !{ ssl_fc }
## http-response set-header Strict-Transport-Security max-age=63072000
default_backend on-proxy-error
# ACL tractorbeam.com
acl tractorbeam.com hdr(host) -i tractorbeam.com
use_backend tractorbeam.com if tractorbeam.com
# Other ACLs removed as they are exactly the same as this one...
# Backend
backend tractorbeam.com
# http-request set-header X-Client-IP %[src]
# redirect scheme https if !{ ssl_fc }
# NOTE(review): `cookie A` is a server-level cookie value but neither backend
# declares a `cookie <name>` directive - verify whether 2.2 warns or ignores it.
server tractorbeam.com tractorbeam-com.lxd:80 cookie A check
backend on-proxy-error
server on-proxy-error on-proxy-error.lxd:80 cookie A check
Thank you for checking it!