sample.haproxy.cfg

global
	log 127.0.0.1 len 65535 format rfc5424 local0
	log 127.0.0.1 len 65535 format rfc5424 local1 notice
	maxconn 4096
	daemon
	#debug
	#quiet
	spread-checks	2
	tune.bufsize	65536
	tune.http.logurilen	49152
	ssl-server-verify	none
	tune.ssl.default-dh-param	4096
	tune.ssl.cachesize	100000
	tune.ssl.lifetime	900
	ssl-default-bind-ciphers	ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-ciphersuites	TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
	ssl-default-bind-options	no-sslv3 no-tlsv10 no-tlsv11
#	ssl-default-server-ciphers	RC4-MD5
	ssl-default-server-ciphers	RC4-MD5:ECDHE-RSA-AES256-SHA384:AES256-SHA:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256
	stats socket /etc/haproxy/stats.socket

defaults
	log	global
	mode	http
	option	forwardfor except 127.0.0.1
	option	socket-stats
	balance	leastconn
	option	httplog
	option	dontlognull
	option	redispatch
# commented because http3/quic doesn't like it
#	option	abortonclose
	retries	1
	compression algo gzip
	compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json application/css
	timeout connect	5s
	timeout client	15s
	timeout server	120s
	timeout http-keep-alive	5s
	timeout check	9990
	retry-on all-retryable-errors
	http-errors myerrors
	errorfile 404 /etc/haproxy/errors/404.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend web80
	description Redirect to https
	bind 0.0.0.0:80 name web80
	redirect scheme https
	default_backend be-deny

frontend web
	description One frontend to rule them all
	stats enable
	stats uri /hapeek
	stats auth test:test
	stats refresh 15
	bind 0.0.0.0:443 name web443 ssl crt /etc/ssl/certs/local/elyograg_org.wildcards.combined.pem crt /etc/ssl/certs/local/erinat.com.wildcards.combined.pem alpn h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
	bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/ssl/certs/local/elyograg_org.wildcards.combined.pem crt /etc/ssl/certs/local/erinat.com.wildcards.combined.pem proto quic alpn h3 npn h3 allow-0rtt curves secp521r1:secp384r1
	http-request set-var(txn.path) path,lower
	http-request set-var(txn.host) req.fhdr(host,1),lower
	http-request reject if { method -m reg [^A-Z0-9] }
	http-request del-header [Ff]orwarded.+ -m reg
	http-request del-header [Xx]-[Ff]orwarded.+ -m reg
	http-request add-header Forwarded "for=\"%[src]\"; proto=https"
	capture request header host len 128
	errorfiles myerrors
	http-response return status 404 default-errorfiles if { status 404 }
	http-response return status 403 default-errorfiles if { status 403 }
	http-response return status 500 default-errorfiles if { status 500 }
	http-response return status 502 default-errorfiles if { status 502 }
	http-response return status 503 default-errorfiles if { status 503 }
	http-response return status 504 default-errorfiles if { status 504 }
#	acl badsrc src 76.23.33.0/24
#	http-request deny deny_status 400 if badsrc
	acl bot	hdr_cnt(User-Agent) 0
	acl bot hdr_sub(User-Agent) -i baiduspider ia_archiver jeeves googlebot mediapartners-google msnbot slurp zyborg yandexnews fairshare.cc yandex bingbot crawler everyonesocialbot feedfetcher-google feed\ crawler google-http-java-client java\/ owlin\ bot sc\ news wikioimagesbot xenu\ link\ sleuth yahoocachesystem twitterbot facebookexternalhit rogerbot linkedinbot embedly showyoubot outbrain pinterest slackbot vkShare W3C_Validator
	acl bot hdr_sub(User-Agent) -i facebookexternalhit
	acl bot hdr_sub(User-Agent) -i twitterbot
	acl bot hdr_sub(User-Agent) -i feedfetcher-google
	acl blockit	hdr_sub(User-Agent) -i torrent
	acl blockit	path_beg	-i /wpad.dat
	acl blockit	path_beg	-i /announc
	acl blockit	path_beg	-i /v1
	acl blockit	path_beg	-i /v2.0
	acl blockit	path_beg	-i /v2.1
	acl blockit	path_beg	-i /v2.2
	acl blockit	path_beg	-i /fr\ 
	acl blockit	path_beg	-i /fr/
	acl blockit	path_beg	-i /tr\ 
	acl blockit	path_beg	-i /tr/
	acl blockit	path_beg	-i /connect
	acl blockit	path_beg	-i /feeds
	acl blockit	path_beg	-i /desktop
	acl blockit	path_beg	-i /ios
	acl blockit	path_beg	-i /ipad
	acl blockit	path_beg	-i /method
	acl blockit	path_beg	-i /cipgl
	acl blockit	path_beg	-i /stats
	acl blockit	path_beg	-i /mobile
	acl blockit	path_beg	-i /network_ads
	acl blockit	path_beg	-i /new
	acl blockit	path_beg	-i /old
	acl blockit	path_beg	-i /test
	acl blockit	path_beg	-i /main
	acl blockit	path_beg	-i /backup
	acl blockit	path_beg	-i /demo
	acl blockit	path_beg	-i /home
	acl blockit	path_beg	-i /tmp
	acl blockit	path_beg	-i /cvs
	acl blockit	path_beg	-i /dev\ 
	acl blockit	path_beg	-i /dev/
	acl blockit	path_beg	-i /old-wp
	acl blockit	path_beg	-i /wp\ 
	acl blockit	path_beg	-i /wp/
	acl blockit	path_beg	-i /temp
	acl blockit	path_beg	-i /bk
	acl blockit	path_beg	-i /wp1
	acl blockit	path_beg	-i /wp2
	acl blockit	path_beg	-i /bak
	acl blockit	path_beg	-i /new-site
	acl blockit	path_beg	-i //announc
	acl blockit	path_beg	-i //v1
	acl blockit	path_beg	-i //v2.0
	acl blockit	path_beg	-i //v2.1
	acl blockit	path_beg	-i //v2.2
	acl blockit	path_beg	-i //fr\ 
	acl blockit	path_beg	-i //fr/
	acl blockit	path_beg	-i //tr\ 
	acl blockit	path_beg	-i //tr/
	acl blockit	path_beg	-i //connect
	acl blockit	path_beg	-i //feeds
	acl blockit	path_beg	-i //desktop
	acl blockit	path_beg	-i //ios
	acl blockit	path_beg	-i //ipad
	acl blockit	path_beg	-i //magento
	acl blockit	path_beg	-i //method
	acl blockit	path_beg	-i //cipgl
	acl blockit	path_beg	-i //stats
	acl blockit	path_beg	-i //mobile
	acl blockit	path_beg	-i //network_ads
	acl blockit	path_beg	-i //new
	acl blockit	path_beg	-i //old
	acl blockit	path_beg	-i //test
	acl blockit	path_beg	-i //main
	acl blockit	path_beg	-i //backup
	acl blockit	path_beg	-i //demo
	acl blockit	path_beg	-i //home
	acl blockit	path_beg	-i //tmp
	acl blockit	path_beg	-i //cvs
	acl blockit	path_beg	-i //dev
	acl blockit	path_beg	-i //old-wp
	acl blockit	path_beg	-i //wp\ 
	acl blockit	path_beg	-i //wp/
	acl blockit	path_beg	-i //temp
	acl blockit	path_beg	-i //bk
	acl blockit	path_beg	-i //wp1
	acl blockit	path_beg	-i //wp2
	acl blockit	path_beg	-i //bak
	acl blockit	path_beg	-i //new-site
	acl solr_host hdr_end(Host) -i solr.elyograg.org
	acl real_errors var(txn.host) -m end solr.elyograg.org
	acl solr_allowed src 172.31.0.0/16
	acl solr_allowed src 54.67.1.252
	acl solr_allowed src 98.202.63.100
#  Andy Lester
#	acl solr_allowed src 23.112.164.105
	acl rb2_path var(txn.path) -m beg /elsa2
	acl rb2_path var(txn.path) -m beg /gil2
	acl rb_path var(txn.path) -m beg /elsa/
	acl rb_path var(txn.path) -m beg /giltaran/
	acl skipredirect hdr_end(Host) -i shawnheisey.com
	acl handleit hdr_end(Host) -i shawnheisey.com
	acl handleit hdr_end(Host) -i elyograg.org
	acl handleit hdr_end(Host) -i elyograg.com
	acl handleit hdr_end(Host) -i elyograg.net
	acl handleit hdr_end(Host) -i atory.org
	acl handleit hdr_end(Host) -i itory.org
	acl handleit hdr_end(Host) -i ition.org
	acl handleit hdr_end(Host) -i carsonfamilyhistory.org
	acl handleit hdr_end(Host) -i carsonfamilyhistory.com
	acl handleit hdr_end(Host) -i mousebatfolliclegoosecreatureampersandspongwapcapletlooseliver.com
	#acl http3 var(txn.host) -m end solr.elyograg.org
	acl homesrc src 24.10.169.40
	acl homesrc src 192.168.0.0/16
	acl patch_method method PATCH
	acl trace_method method TRACE
	http-request deny deny_status 405 if patch_method
	http-request deny deny_status 405 if trace_method
	http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
#	http-response add-header alt-svc 'h3=":443"; ma=7200'
	http-request set-header X-H3 true if { so_name -i -m beg quic443 }
	http-request set-header X-Scheme https
	http-request set-header X-Forwarded-Scheme https
	http-request set-header X-Forwarded-Port %fp
	http-request set-header X-Forwarded-Proto https
	http-request set-header X-Forwarded-HTTPS true
	http-request set-header X-Forwarded-Host %[req.hdr(Host)]
	http-request set-header X-Forwarded-SSL true
	http-request set-header X-Haproxy-Current-Date %T
	http-request set-header X-HTTPS on
	http-request set-header X-SSL %[ssl_fc]
	http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
	http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
	http-response set-header Cache-Control no-store,\ no-cache,\ must-revalidate if rb_path
	http-response set-header Cache-Control no-store,\ no-cache,\ must-revalidate if rb2_path
	http-request redirect code 302 location https://unknown.elyograg.org if !skipredirect rb_path homesrc
	use_backend be-deny if blockit
	use_backend be-deny if solr_host !solr_allowed
	use_backend be-solr if solr_host
	use_backend be-apache-81 if handleit !blockit
	default_backend be-deny

backend be-deny
	description Back end with no servers that denies all requests.
	no log
	log 127.0.0.1 len 65535 format rfc5424 local0 notice err
	http-request deny

backend be-apache-81
	description Back end for apache
	cookie ELYHA insert indirect nocache
	no log
	log 127.0.0.1 len 65535 format rfc5424 local0 notice err
	option httpchk
	http-check connect
	http-check send meth HEAD uri / ver HTTP/2 hdr Host webmail.elyograg.org
	server bilbo 172.31.8.104:81 cookie bilbo check inter 10s fastinter 3s rise 3 fall 2 weight 100 proto h2 check-proto h2

backend be-solr
	description Back end for solr
	cookie ELYHA insert indirect nocache
	no log
	log 127.0.0.1 len 65535 format rfc5424 local0 notice err
	option httpchk
	http-check connect
	http-check send meth GET uri /solr/
	server b8983 127.0.0.1:8983 cookie b8983 check inter 10s fastinter 3s rise 3 fall 2 weight 100 proto h2 check-proto h2