Hi,
as far as I understand the SSL support, I just need to copy my
HTTP setup to HTTPS and it should work.
I have a redirection loop on HTTPS; I hope you can help me find my
error, thanks.
I have downloaded the following snapshot
###
# Download a source snapshot of the commit named in the URL as a tarball:
# -v verbose, -L follow redirects, -o write to the given file name.
# The command is one line; it is only wrapped here by the mail client.
# Fetched over plain http:// — the commit hash in the URL pins the revision,
# but nothing here verifies the tarball's integrity (no checksum/signature).
curl -vLo
haproxy-v1.5-dev12-3e394c903f156ab2bcf731df39c4e6e74df3b6b4.tar.gz
'http://haproxy.1wt.eu/git?p=haproxy.git;a=snapshot;h=3e394c903f156ab2bcf731df39c4e6e74df3b6b4;sf=tgz'
###
### /opt/haproxy/installed/sbin/haproxy -vv
HA-Proxy version 1.5-dev12 2012/09/10
Copyright 2000-2012 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents
= 200
Encrypted password support via crypt(3): yes
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Available polling systems :
sepoll : pref=400, test result OK
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 4 (4 usable), will use sepoll.
###
### cat /opt/haproxy/conf/haproxy.cfg
# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.
global
# process-wide settings; listeners, routing and filtering are in the
# frontend/backend sections below
# send log lines to the local syslog daemon, facility local1
log 127.0.0.1 local1
maxconn 4096
# drop privileges to this group/user after the sockets are bound
group haproxy
user haproxy
pidfile /var/run/haproxy.pid
# run in the background
daemon
# quiet
defaults
# inherited by every frontend/backend below unless overridden there
# long timeout to support connection queueing
# NOTE(review): contimeout/srvtimeout/clitimeout are the old spellings of
# "timeout connect/server/client" (stats_backend below already uses the
# newer form); values are milliseconds
contimeout 20000
srvtimeout 20000
clitimeout 30000
maxconn 4096
# health check used by every backend unless overridden: HEAD /
option httpchk HEAD /
option redispatch
option httplog
option dontlognull
option http-server-close
# adds an X-Forwarded-For header carrying the client address on every
# request sent to the servers
option forwardfor
option http-no-delay
# a per-request identifier is generated from the client address/port,
# timestamp and request counter and sent to the server as X-Unique-ID
unique-id-format %{+X}o\ %Ci:%Cp_%Ts_%rt
unique-id-header X-Unique-ID
# custom log line including the unique id (%ID) and the captured headers
# (%hr/%hs); it is one line in the real file, wrapped here by the mail
# client
log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\
%B\
%cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %ID\ %sq/%bq\ %hr\ %hs\ %{+Q}r
frontend http-in
# plain-HTTP listener on every address, port 80
bind :80
mode http
log global
# captured values are written into the log line (%hr/%hs in the log-format
# above); the PHPSESSID value is a session credential, so the log file
# needs to be treated as sensitive
capture cookie PHPSESSID len 128
capture request header User-Agent len 128
capture request header Host len 20
# NOTE(review): User-Agent is captured a second time with a shorter length;
# one of the two lines is probably a leftover
capture request header User-Agent len 16
capture request header Content-Length len 10
capture request header Referer len 20
capture response header Content-Length len 10
# strip the application's X-Powered-By header from responses
rspdel ^X-Powered-By:.*
# reject POST requests that carry no Content-Length header
block if METH_POST { hdr_cnt(Content-length) eq 0 }
# block any unwanted source IP addresses or networks
acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
# ... and clients using a privileged source port
acl forbidden_src src_port 0:1023
block if forbidden_src
# block requests beginning with http:// on wrong domains
# NOTE(review): the "http://" prefix check is commented out below, so this
# group now only blocks the /w00tw00t scanner path; a URL starting with
# "/w00tw00t" can never match valid_pfx, so the "!valid_pfx" term is
# redundant
# acl dangerous_pfx url_beg -i http://
acl valid_pfx url_reg -i ^http://[^/]*myDomain\.com/
acl dangerous_pfx url_beg -i /w00tw00t.at.ISC.SANS.DFind
# acl dangerous_pfx url_reg -i .*w00tw00t.at.ISC.SANS.DFind
block if dangerous_pfx !valid_pfx
# block apache chunk exploit, ...
acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
# (the next acl is one line in the real file, wrapped by the mail client)
acl forbidden_hdrs hdr_beg(host) -i apache-
localhost
# ... some HTTP content smuggling and other various things: duplicate
# Host/Content-Length headers, negative Content-Length, Proxy-Authorization
acl forbidden_hdrs hdr_cnt(host) gt 1
acl forbidden_hdrs hdr_cnt(content-length) gt 1
acl forbidden_hdrs hdr_val(content-length) lt 0
acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
block if forbidden_hdrs
# block annoying worms that fill the logs...
# (directory-traversal sequences, encoded or not; one line in the real file)
acl forbidden_uris url_reg -i
.*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida
/awstats.pl .asp .dll
# block other common attacks (awstats, manual discovery...)
acl forbidden_uris path_dir -i chat read_dump.php viewtopic.php
phpbb sumthin horde _vti_bin MSOffice
acl forbidden_uris url_reg -i
(\.php\?temppath=|\.php\?setmodules=|[=:]http://)
block if forbidden_uris
# NOTE(review): everything above is frontend-scoped; frontend https-in
# further down declares none of these captures, blocks or header removals,
# so they do not apply to HTTPS traffic. The backends that should be
# protected on both ports need these rules duplicated there or moved into
# the backends.
# routing by Host prefix / URL prefix; first match wins
acl phpmyadmin hdr_beg(host) phpmadm
use_backend phpadm_backend if phpmyadmin
acl monitoring hdr_beg(host) monitoring
use_backend monitoring_backend if monitoring
acl stat_request url_beg /haproxy_stats
use_backend stats_backend if stat_request
acl wptest hdr_beg(host) wptest
use_backend wptest_backend if wptest
acl pmcom hdr_beg(host) www
use_backend pmcom_backend if pmcom
# NOTE(review): /pmcom-fpm-status is routed to pmcom_backend for any Host
# with no source restriction — confirm that status page is meant to be
# publicly reachable
acl stat_pmcom url_beg /pmcom-fpm-status
use_backend pmcom_backend if stat_pmcom
# anything not matched above (including unknown Host values) goes here
default_backend default
frontend https-in
# TLS is terminated here; the servers in the backends always receive plain
# HTTP on 127.0.0.1. The -vv output above shows the OpenSSL 1.0.1 build
# with SNI and prefer-server-ciphers support.
# (the bind line is one line in the real file, wrapped by the mail client)
bind 0.0.0.0:443 ssl crt
/opt/haproxy/conf/www.myDomain.com.pem prefer-server-ciphers
# NOTE(review): no "ciphers" list is given on the bind line
mode http
log global
# NOTE(review): likely cause of the redirection loop — because TLS ends
# here, the backend sees every request as plain HTTP; if it redirects
# http:// to https://, it does so again on each request. The usual fix is
# to pass the original scheme along, e.g. `reqadd X-Forwarded-Proto:\ https`
# in this frontend, and to have the backend base its redirect on that
# header rather than on its own scheme — confirm against the backend's
# redirect rule.
# NOTE(review): none of the request filters from frontend http-in
# (forbidden_src, forbidden_hdrs, forbidden_uris, the POST/Content-Length
# check, the X-Powered-By removal, the header captures) are repeated here,
# so HTTPS traffic bypasses them. Only the method/URL checks inside
# backend default still apply, because those live in the backend.
acl pmcom hdr_beg(host) www
use_backend pmcom_backend if pmcom
acl stat_request url_beg /haproxy_stats
use_backend stats_backend if stat_request
# phpmyadmin, monitoring and wptest have no ACL here, so those hosts fall
# through to backend default over HTTPS
default_backend default
backend default
# catch-all backend: receives every request that neither frontend routes
# elsewhere
mode http
balance roundrobin
# persistence cookie name
# NOTE(review): the server line below carries no "cookie <value>", so there
# is nothing to set or match — confirm whether persistence is intended at
# all with a single server
cookie SERVERID
# (server line is one line in the real file, wrapped by the mail client)
server nginx 127.0.0.1:8000 check inter 30000 rise 2 fall 3
maxconn 1024
option httpchk HEAD /
# reject server responses that set a cookie on a cacheable reply
option checkcache
# allow other syntactically valid requests, and block any other method
# (these checks run in the backend, so they apply to traffic from both
# frontends, but only to requests routed to this backend)
acl valid_method method GET HEAD POST OPTIONS
block if !valid_method
block if HTTP_URL_STAR !METH_OPTIONS
block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
# remove unnecessary precisions on the server version. Let's say
# it's an apache under Unix on the Formilux Distro.
rspidel ^Server:\
rspadd Server:\ Apache
backend phpadm_backend
# selected by frontend http-in for Host values beginning with "phpmadm"
# NOTE(review): only http-in routes here — frontend https-in has no
# matching ACL — so logins to this application travel over plain HTTP
mode http
# long server timeout for slow administrative requests
timeout server 1h
# (server line is one line in the real file, wrapped by the mail client)
server nginx 127.0.0.1:8001 check inter 30000 rise 2 fall 3
maxconn 10
backend wptest_backend
# selected by frontend http-in for Host values beginning with "wptest";
# not routable from frontend https-in
mode http
# (server line is one line in the real file, wrapped by the mail client)
server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
maxconn 10
backend pmcom_backend
# the main site: selected by both frontends for Host values beginning with
# "www", and by http-in for URLs beginning with /pmcom-fpm-status
mode http
# (server line is one line in the real file, wrapped by the mail client)
server nginx 127.0.0.1:8003 check inter 30000 rise 2 fall 3
maxconn 1024
backend monitoring_backend
# selected by frontend http-in for Host values beginning with "monitoring";
# not routable from frontend https-in
# NOTE(review): points at 127.0.0.1:8002, the same server as wptest_backend
# — confirm this is intended
mode http
# (server line is one line in the real file, wrapped by the mail client)
server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
maxconn 10
backend stats_backend
# serves HAProxy's own statistics page; no servers are defined here
mode http
# NOTE(review): no algorithm is given after "balance"; with no servers in
# this backend it has no effect anyway
balance
# timeout client 5000
timeout connect 4000
timeout server 30000
# both frontends route /haproxy_stats here, so the page is reachable over
# plain HTTP on port 80 as well as over HTTPS; the HTTP basic-auth
# credentials below travel in clear on the port-80 path
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
# credentials redacted by the author for the mailing list
stats auth common_you_DONT:THING_I_writeit_;-)
###
Thanks for your help
Aleks