# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
# SPDX-License-Identifier: AGPL-3.0-or-later
###############################################################################
# haproxy.cfg.template
#
# This template is processed by envsubst in start.sh to replace variables:
# HP_EXAPPS_ADDRESS,
# HP_EXAPPS_HTTPS_ADDRESS,
# HP_SPOA_ADDRESS,
# HP_LOG_LEVEL_HAPROXY,
# HP_TIMEOUT_CONNECT,
# HP_TIMEOUT_CLIENT,
# HP_TIMEOUT_SERVER,
#
# If /certs/cert.pem is not found, lines containing "_HTTPS_FRONTEND_" are
# commented out automatically in start.sh.
###############################################################################
global
# Logs go to stdout (container-friendly); the syslog level is injected by start.sh.
log stdout local0 ${HP_LOG_LEVEL_HAPROXY}
maxconn 8192
ca-base /etc/ssl/certs
# NOTE(review): no ssl-default-bind-options / ssl-min-ver is pinned here, so the TLS
# floor of the ex_apps_https bind is whatever this HAProxy/OpenSSL build defaults to.
# Consider "ssl-default-bind-options ssl-min-ver TLSv1.2" if the build has SSL support.
defaults
log global
option httplog
# Skip log lines for connections that carried no data (probes, scans).
option dontlognull
# All three timeouts are supplied from the environment by start.sh.
timeout connect ${HP_TIMEOUT_CONNECT}
timeout client ${HP_TIMEOUT_CLIENT}
timeout server ${HP_TIMEOUT_SERVER}
###############################################################################
# FRONTEND: ex_apps (HTTP)
###############################################################################
frontend ex_apps
mode http
# Plain-HTTP listener; the address comes from start.sh (envsubst). It stays enabled
# even when the TLS frontend below is active, so a TLS-only deployment must not
# expose HP_EXAPPS_ADDRESS beyond the local/internal network.
bind ${HP_EXAPPS_ADDRESS}
# Every request is first handed to the SPOE agent (backend "agents"); the agent
# populates the txn.exapps.* variables consulted by the rules below.
filter spoe engine exapps-spoe config /etc/haproxy/spoe-agent.conf
# Rule order matters: a request the agent flagged as bad_request is closed without
# any response at all, before the explicit 401/403/404 answers are considered.
http-request silent-drop if { var(txn.exapps.bad_request) -m int eq 1 }
# Plain-text status bodies; note no WWW-Authenticate header accompanies the 401.
http-request return status 401 content-type text/plain string "401 Unauthorized" if { var(txn.exapps.unauthorized) -m int eq 1 }
http-request return status 403 content-type text/plain string "403 Forbidden" if { var(txn.exapps.forbidden) -m int eq 1 }
http-request return status 404 content-type text/plain string "404 Not Found" if { var(txn.exapps.not_found) -m int eq 1 }
# The backend name itself is chosen by the agent. NOTE(review): no default_backend is
# declared, so if the variable is unset or names no backend the request gets HAProxy's
# fallback (expected to be a 503) — confirm that fail-closed outcome is intended.
use_backend %[var(txn.exapps.backend)]
###############################################################################
# FRONTEND: ex_apps_https (only enabled if /certs/cert.pem exists)
###############################################################################
# TLS twin of "ex_apps": identical rule set, only the bind differs. Every line carries
# the _HTTPS_FRONTEND_ marker so start.sh can comment the whole frontend out when
# /certs/cert.pem is absent.
_HTTPS_FRONTEND_ frontend ex_apps_https
_HTTPS_FRONTEND_ mode http
# /certs/cert.pem must contain the certificate, its chain and the private key in one
# PEM file (HAProxy "crt" semantics). NOTE(review): no ssl-min-ver, ciphers or alpn
# are set on this bind, so protocol/cipher policy is the build default — TODO confirm.
_HTTPS_FRONTEND_ bind ${HP_EXAPPS_HTTPS_ADDRESS} ssl crt /certs/cert.pem
# Same SPOE agent and same txn.exapps.* variables as the plain-HTTP frontend.
_HTTPS_FRONTEND_ filter spoe engine exapps-spoe config /etc/haproxy/spoe-agent.conf
# Order matters: silent-drop first, then the explicit status answers, then routing.
_HTTPS_FRONTEND_ http-request silent-drop if { var(txn.exapps.bad_request) -m int eq 1 }
_HTTPS_FRONTEND_ http-request return status 401 content-type text/plain string "401 Unauthorized" if { var(txn.exapps.unauthorized) -m int eq 1 }
_HTTPS_FRONTEND_ http-request return status 403 content-type text/plain string "403 Forbidden" if { var(txn.exapps.forbidden) -m int eq 1 }
_HTTPS_FRONTEND_ http-request return status 404 content-type text/plain string "404 Not Found" if { var(txn.exapps.not_found) -m int eq 1 }
# Backend chosen by the agent; no default_backend is declared (see ex_apps).
_HTTPS_FRONTEND_ use_backend %[var(txn.exapps.backend)]
###############################################################################
# BACKENDS: ex_apps_backend & ex_apps_backend_w_bruteforce
###############################################################################
backend ex_apps_backend
mode http
# Placeholder server entry: the real destination is supplied per request by the
# SPOE agent through set-dst/set-dst-port, so no static address is configured.
server frp_server 0.0.0.0
# Route to the ExApp the agent resolved for this transaction.
http-request set-dst var(txn.exapps.target_ip)
http-request set-dst-port var(txn.exapps.target_port)
http-request set-path %[var(txn.exapps.target_path)]
# These are set-header, not add-header: any client-supplied header of the same name
# is replaced, so the ExApp only ever sees the agent-issued identity and token.
http-request set-header AUTHORIZATION-APP-API %[var(txn.exapps.exapp_token)]
http-request set-header EX-APP-ID %[var(txn.exapps.exapp_id)]
http-request set-header EX-APP-VERSION %[var(txn.exapps.exapp_version)]
# TO-DO: temporary, remove it after we update all ExApps.
http-request set-header AA-VERSION "32"
# NOTE(review): nothing here refuses the request when the agent left target_ip or
# target_port unset; confirm the agent always sets both before selecting this backend.
backend ex_apps_backend_w_bruteforce
mode http
# Placeholder server entry; the destination is filled in per request by the agent.
server frp_server 0.0.0.0
# Route to the ExApp the agent resolved for this transaction.
http-request set-dst var(txn.exapps.target_ip)
http-request set-dst-port var(txn.exapps.target_port)
http-request set-path %[var(txn.exapps.target_path)]
# set-header replaces any client-supplied value, so the identity/token headers seen
# by the ExApp always originate from the agent, never from the caller.
http-request set-header AUTHORIZATION-APP-API %[var(txn.exapps.exapp_token)]
http-request set-header EX-APP-ID %[var(txn.exapps.exapp_id)]
http-request set-header EX-APP-VERSION %[var(txn.exapps.exapp_version)]
# TO-DO: temporary, remove it after we update all ExApps.
http-request set-header AA-VERSION "32"
# Difference from ex_apps_backend: a second SPOE engine is attached. Its behaviour
# (presumably reporting/limiting failed authentication attempts) lives in
# spoe-agent.conf, not in this file — verify there.
filter spoe engine exapps-bruteforce-protection-spoe config /etc/haproxy/spoe-agent.conf
###############################################################################
# BACKEND: nextcloud_control_backend (HTTP)
###############################################################################
backend nextcloud_control_backend
mode http
# Fixed loopback target; unlike the ex_apps backends, nothing about the destination
# is taken from the agent — only the request path is rewritten below.
server nextcloud_control 127.0.0.1:8200
http-request set-path %[var(txn.exapps.target_path)]
###############################################################################
# BACKEND: docker_engine_backend (HTTP, allowlisted Docker Engine API calls only)
###############################################################################
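backend docker_engine_backend
mode http
# The Docker Engine API is only ever reached on loopback; the port and the request
# path are both supplied per request by the SPOE agent.
server frp_server 127.0.0.1
http-request set-dst-port var(txn.exapps.target_port)
http-request set-path %[var(txn.exapps.target_path)]
# Allowlist. Every pattern is matched against the url-decoded, rewritten path and is
# anchored at BOTH ends, so a permitted endpoint cannot be extended into another one
# (the previous patterns were prefix-only, e.g. ".../json/../../<x>/kill" matched).
# Dot-segments are refused up front: HAProxy does not normalise them here and the
# engine's handling of them is nothing this file should rely on.
http-request deny if { path,url_dec -m reg (^|/)\.\.(/|$) }
# docker system _ping
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
# image inspect: GET /images/<name>/json  (<name> may itself contain "/" and ":")
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/.*/json$ } METH_GET
# container inspect: GET /containers/nc_app_<id>/json — nc_app_* containers only
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json$ } METH_GET
# container logs: GET /containers/nc_app_<id>/logs (the query string is not part of "path")
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs$ } METH_GET
# image pull: POST /images/create?fromImage=<image>
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create$ } METH_POST
# Anything else (container create/start/exec, volumes, networks, ...) is refused.
http-request deny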
backend agents
mode tcp
# SPOP (SPOE protocol) connection to the agent: plain TCP, no TLS, so HP_SPOA_ADDRESS
# should stay on loopback or an internal network. These timeouts override "defaults".
timeout connect 5s
timeout server 3m
# Health-check with a SPOP handshake rather than a bare TCP connect.
option spop-check
server agent1 ${HP_SPOA_ADDRESS} check
# NOTE(review): how the frontends behave while the agent is unreachable (fail open vs
# fail closed) is decided in spoe-agent.conf, not in this file — verify it there.