Okay...
here is the config:
There is another frontend for port 8080, but it follows the same scheme, so I left
it out here.
# Process-wide settings: logging, privilege drop, runtime API socket and TLS defaults
# for every listening socket that does not override them.
global
log /dev/log local0
log /dev/log local1 notice
# Confine the process to a chroot after startup, then drop to the unprivileged user/group.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" allows state-changing commands (e.g. disabling
# servers, changing weights); access is limited to the socket's owner and group by mode 660.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Hard cap on concurrent connections for the whole process.
maxconn 4000
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
# Order of preference: (EC)DHE AES-GCM, then (EC)DHE AES-CBC, then RSA key exchange
# (no forward secrecy) as a fallback; anonymous, MD5 and DSS suites are excluded.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# SSLv3 and TLS 1.0 are refused on listening sockets; TLS 1.1 is still accepted
# (no-tlsv11 would close that too).
ssl-default-bind-options no-sslv3 no-tlsv10
# 4096-bit ephemeral DH parameters for the DHE suites listed above.
tune.ssl.default-dh-param 4096
# Defaults inherited by every listen/frontend/backend section below unless overridden there.
defaults
log global
mode http
# Log the full HTTP request line and captured headers rather than the plain TCP log line.
option httplog
# Do not log connections that never sent any data (health probes, port scans).
option dontlognull
# Appends the client address to X-Forwarded-For. A client-supplied X-Forwarded-For is
# kept in front of it, so backends must only trust the last (rightmost) value.
option forwardfor
# Close the server-side connection after each response; the client side may stay alive.
option http-server-close
# If the chosen server is unreachable, retry on another one.
option redispatch
# Drop a request still waiting in the queue when the client disconnects.
option abortonclose
# A client has 60s to send complete request headers; the frontend below tightens this to 5s.
timeout http-request 60s
timeout connect 60s
timeout client 60s
timeout server 300s
# Static error pages served by HAProxy for the errors it generates itself.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Built-in statistics/admin page.
# NOTE(review): the leading/trailing "/" on the lines below look like mail-client italics
# markup, not config syntax; read them as "bind :2000" followed by the stats directives.
listen stats
# Listens on port 2000 on every address, without TLS, so the basic-auth credentials below
# travel in cleartext. Bind to a management address or add a source ACL if this is not
# already on a trusted network.
bind/:2000/
/ mode http/
/ stats enable/
/ stats hide-version/
/ stats realm Haproxy\ Statistics/
/ stats uri //
# Static credentials stored in the config file ("xxx:xxx" is a placeholder in this post).
/ stats auth xxx:xxx/
# "if TRUE" unconditionally enables admin actions (enable/disable servers, set weights)
# for anyone who authenticates to this page.
/ stats admin if TRUE/
# Main HTTP/HTTPS frontend: TLS termination, logging, abuse filtering, then routing.
# NOTE(review): lines wrapped in "/" carry mail-client markup, not config syntax;
# read them without the slashes.
/frontend http_XXX_frontend/
/ bind X.X.X.X:80/
# TLS terminates here with the certificate+key bundle; traffic to the backends is plain HTTP.
/ bind X.X.X.X:443 ssl crt /etc/haproxy/cert/xxx.pem/
/ mode http/
# NOTE(review): "option httpclose" and "option http-server-close" are both set; they are
# alternative connection modes and presumably only one takes effect — confirm which is
# intended and drop the other.
/ option httpclose/
/ option forwardfor/
/ option http-server-close/
/ ### Logging/
# Captured headers are written to the access log. X-Forwarded-For, Referer and User-Agent
# are client-controlled, so anything consuming these logs must treat them as untrusted.
/ capture request header Host len 40/
/ capture request header X-Forwarded-For len 50/
/ capture request header Accept-Language len 50/
/ capture request header Referer len 200/
/ capture request header User-Agent len 200/
/ capture response header Content-Type len 30/
/ capture response header Content-Encoding len 10/
/ capture response header Cache-Control len 200/
/ capture response header Last-Modified len 200/
/ ###/
/ ### SSL/
# Matches connections that arrived on the TLS port.
/ acl secure dst_port eq 443/
# Appends "; Secure" to every Set-Cookie on HTTPS responses so cookies are not sent back
# over plain HTTP. NOTE(review): "(./)" is presumably "(.*)" garbled by the same markup.
# rsprep is deprecated in newer HAProxy releases in favour of http-response replace-header.
/ rsprep ^Set-Cookie:\ (./) Set-Cookie:\ \1;\ Secure if secure
###
### acl filter and protection of ddos attacks
#Slowlorisprotection
# Overrides the 60s default: a client must finish sending its request headers within 5s.
timeout http-request 5s
# whitelist bots | blacklist attackers & accept others with time/concurrence restrictions
# Connection-level rules are evaluated in order; a whitelisted source skips every later check.
tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst }
# Don't allow more than 30 concurrent tcp connections OR 10 connections in 1s
# NOTE(review): the Abuse table stores conn_rate(3s), so the first rule actually means
# 30 new connections within 3s, not 10 within 1s.
tcp-request connection reject if { src_conn_rate(Abuse) ge 30 }
tcp-request connection reject if { src_conn_cur(Abuse) ge 30 }
# Start counting this source in the Abuse table. Because tracking comes after the reject
# rules, a rejected connection is not counted against its source.
tcp-request connection track-sc1 src table Abuse
# Sources flagged via gpc0 (see flag_abuser below) are rejected at the TCP content stage,
# before any http-request rule runs, until their table entry expires.
tcp-request content reject if { src_get_gpc0(Abuse) gt 0 }
# blacklist bad bots and crawler with eg wget,curl… but allow all agents to whitelist
# Give the tcp-request content rules up to 3s of buffered data to decide.
tcp-request inspect-delay 3s
acl whitelistips_agents src -f /etc/haproxy/whitelistips_agents.lst
# User-Agent is client-supplied; this is a best-effort nuisance filter, not access control.
acl badbots hdr_reg(User-Agent) -i -f /etc/haproxy/badbots.lst
http-request deny if badbots !whitelistips_agents
#denysleep arguments in url
# Single-signature block for "sleep(" anywhere in the decoded, lower-cased URL. It covers one
# payload family only and also denies legitimate URLs containing that string.
# NOTE(review): "url_sub" is the legacy ACL keyword form; verify this HAProxy version accepts
# converters on it (the sample-fetch form would be "url,url_dec,lower -m sub sleep(").
acl sleeper url_sub,url_dec,lower -m sub sleep(
http-request deny if sleeper
# Don't allow more than 10 requests in 1 second
# NOTE(review): the table stores http_req_rate(10s), so this threshold is 100 requests
# per 10s, not 10 per second.
acl abuse src_http_req_rate(Abuse) ge 100
# Always true; its side effect increments gpc0 for the source. HAProxy stops evaluating a
# condition at the first false term, so this only fires when the ACL before it matched.
acl flag_abuser src_inc_gpc0(Abuse) ge 0
# 10 or more HTTP error responses within the table's 20s http_err_rate window.
acl scanner src_http_err_rate(Abuse) ge 10
# Returns a 403 to the abuser and flags for tcp-reject next time
# The flag lasts as long as the table entry (expire 30s, refreshed while the source keeps
# connecting), so this is a short cool-down rather than a persistent ban.
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser
###
### lets encrypt
# ACME HTTP-01 challenges are routed to the local responder instead of the application pool.
acl lets_encrypt path_beg /.well-known/acme-challenge/
use_backend lets_encrypt if lets_encrypt
###
default_backend http_xxx_backend
# Application pool; HAProxy speaks plain HTTP to the servers after terminating TLS.
backend http_xxx_backend
mode http
### SSL
# Tell the application which port the client connected to.
http-request set-header X-Forwarded-Port %[dst_port]
# Only adds the header on TLS connections, and add-header does not replace a client-supplied
# X-Forwarded-Proto. On plain-HTTP requests a client-sent "X-Forwarded-Proto: https" therefore
# reaches the servers untouched; set-header, plus an explicit "http" value for the non-TLS
# case, would close that gap.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
###
balance roundrobin
# Session persistence via an HAProxy-inserted SERVERID cookie. "indirect" strips it from
# requests before they reach the server; "nocache" marks responses carrying it as
# non-cacheable for shared caches. No "httponly"/"secure" attributes are set here; the
# cookie directive supports both keywords, which would protect the persistence cookie
# independently of the frontend's rsprep.
cookie SERVERID insert indirect nocache
# Health check: HEAD / on each server's check port; failing servers leave the rotation.
option httpchk HEAD /
# weight: relative share of roundrobin traffic. maxconn: per-server concurrency cap, excess
# requests queue. on-marked-down shutdown-sessions: existing sessions are closed when the
# server is marked down so clients are redispatched instead of hanging.
server x1 X.X.X.X:80 cookie x1 weight 2 check inter 10000 port 80 maxconn 32 on-marked-down shutdown-sessions
server x2 X.X.X.X:80 cookie x2 weight 1 check inter 10000 port 80 maxconn 16 on-marked-down shutdown-sessions
server x3 X.X.X.X:80 cookie x3 weight 3 check inter 10000 port 80 maxconn 64 on-marked-down shutdown-sessions
server x4 X.X.X.X:80 cookie x4 weight 4 check inter 10000 port 80 maxconn 128 on-marked-down shutdown-sessions
# Backup server: receives traffic only when every non-backup server above is down.
server x0 X.X.X.X:80 cookie x0 backup check inter 10000 port 80 maxconn 64 on-marked-down shutdown-sessions
# Placeholder backend whose only purpose is to host the per-source stick table used by the
# frontend's rate limits. Keyed by client IP, up to 1m entries; an entry is dropped 30s after
# its last update, which also bounds how long a gpc0 flag set by flag_abuser stays in effect.
# Stored counters: conn_rate over 3s, current connections, the gpc0 flag, request rate over
# 10s and HTTP error rate over 20s — the windows the frontend thresholds actually refer to.
backend Abuse
stick-table type ip size 1m expire 30s store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)
# ACME challenge responder (e.g. a standalone ACME client) on the local host; only reached
# through the path_beg ACL in the frontend.
backend lets_encrypt
mode http
# NOTE(review): no "check" on this server, so a stopped listener yields 503s for challenges —
# acceptable if the responder is only started at renewal time.
server local localhost:60001