
Commit 540caec

committed
Updates to default config
1 parent 4a5f7bd commit 540caec

1 file changed

Lines changed: 52 additions & 50 deletions


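--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -9,14 +9,14 @@ global
 
 tune.ssl.default-dh-param 4096
 
-# TLS 1.2-
-ssl-default-bind-ciphers ECDHE+CHACHA20:ECDHE+AES128:ECDHE+AES256:!MD5
-# TLS 1.3+
-ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-# Require TLS 1.2 or higher
-ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
-# Works around breaking change in docker 23+ - just uses the old docker default value
-fd-hard-limit 1048576
+# TLS 1.2-
+ssl-default-bind-ciphers ECDHE+CHACHA20:ECDHE+AES128:ECDHE+AES256:!MD5
+# TLS 1.3+
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+# Require TLS 1.2 or higher
+ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
+# Works around breaking change in docker 23+ - just uses the old docker default value
+fd-hard-limit 1048576
 
 defaults
 log global
@@ -32,7 +32,6 @@ defaults
 resolvers docker_resolver
 nameserver dns 127.0.0.11:53
 
-
 frontend stats
 bind *:8404
 http-request use-service prometheus-exporter if { path /metrics }
@@ -61,53 +60,56 @@ frontend https
 # Optional: redirects for root requests with certain host names to service paths
 acl is_root path -i /
 
-.if defined(PROXY_HOST_REDIRECT_1_TARGET)
-acl is_redirect_1 hdr(host) -i ${PROXY_HOST_REDIRECT_1_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_1_TARGET) if is_root is_redirect_1
-.endif
-.if defined(PROXY_HOST_REDIRECT_2_TARGET)
-acl is_redirect_2 hdr(host) -i ${PROXY_HOST_REDIRECT_2_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_2_TARGET) if is_root is_redirect_2
-.endif
-.if defined(PROXY_HOST_REDIRECT_3_TARGET)
-acl is_redirect_3 hdr(host) -i ${PROXY_HOST_REDIRECT_3_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_3_TARGET) if is_root is_redirect_3
-.endif
-.if defined(PROXY_HOST_REDIRECT_4_TARGET)
-acl is_redirect_4 hdr(host) -i ${PROXY_HOST_REDIRECT_4_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_4_TARGET) if is_root is_redirect_4
-.endif
-.if defined(PROXY_HOST_REDIRECT_5_TARGET)
-acl is_redirect_5 hdr(host) -i ${PROXY_HOST_REDIRECT_5_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_5_TARGET) if is_root is_redirect_5
-.endif
-.if defined(PROXY_HOST_REDIRECT_6_TARGET)
-acl is_redirect_6 hdr(host) -i ${PROXY_HOST_REDIRECT_6_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_6_TARGET) if is_root is_redirect_6
-.endif
-.if defined(PROXY_HOST_REDIRECT_7_TARGET)
-acl is_redirect_7 hdr(host) -i ${PROXY_HOST_REDIRECT_7_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_7_TARGET) if is_root is_redirect_7
-.endif
-.if defined(PROXY_HOST_REDIRECT_8_TARGET)
-acl is_redirect_8 hdr(host) -i ${PROXY_HOST_REDIRECT_8_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_8_TARGET) if is_root is_redirect_8
-.endif
-.if defined(PROXY_HOST_REDIRECT_9_TARGET)
-acl is_redirect_9 hdr(host) -i ${PROXY_HOST_REDIRECT_9_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_9_TARGET) if is_root is_redirect_9
-.endif
-.if defined(PROXY_HOST_REDIRECT_10_TARGET)
-acl is_redirect_10 hdr(host) -i ${PROXY_HOST_REDIRECT_10_NAME}
-http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_10_TARGET) if is_root is_redirect_10
-.endif
+.if defined(PROXY_HOST_REDIRECT_1_TARGET)
+acl is_redirect_1 hdr(host) -i ${PROXY_HOST_REDIRECT_1_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_1_TARGET) if is_root is_redirect_1
+.endif
+.if defined(PROXY_HOST_REDIRECT_2_TARGET)
+acl is_redirect_2 hdr(host) -i ${PROXY_HOST_REDIRECT_2_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_2_TARGET) if is_root is_redirect_2
+.endif
+.if defined(PROXY_HOST_REDIRECT_3_TARGET)
+acl is_redirect_3 hdr(host) -i ${PROXY_HOST_REDIRECT_3_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_3_TARGET) if is_root is_redirect_3
+.endif
+.if defined(PROXY_HOST_REDIRECT_4_TARGET)
+acl is_redirect_4 hdr(host) -i ${PROXY_HOST_REDIRECT_4_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_4_TARGET) if is_root is_redirect_4
+.endif
+.if defined(PROXY_HOST_REDIRECT_5_TARGET)
+acl is_redirect_5 hdr(host) -i ${PROXY_HOST_REDIRECT_5_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_5_TARGET) if is_root is_redirect_5
+.endif
+.if defined(PROXY_HOST_REDIRECT_6_TARGET)
+acl is_redirect_6 hdr(host) -i ${PROXY_HOST_REDIRECT_6_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_6_TARGET) if is_root is_redirect_6
+.endif
+.if defined(PROXY_HOST_REDIRECT_7_TARGET)
+acl is_redirect_7 hdr(host) -i ${PROXY_HOST_REDIRECT_7_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_7_TARGET) if is_root is_redirect_7
+.endif
+.if defined(PROXY_HOST_REDIRECT_8_TARGET)
+acl is_redirect_8 hdr(host) -i ${PROXY_HOST_REDIRECT_8_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_8_TARGET) if is_root is_redirect_8
+.endif
+.if defined(PROXY_HOST_REDIRECT_9_TARGET)
+acl is_redirect_9 hdr(host) -i ${PROXY_HOST_REDIRECT_9_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_9_TARGET) if is_root is_redirect_9
+.endif
+.if defined(PROXY_HOST_REDIRECT_10_TARGET)
+acl is_redirect_10 hdr(host) -i ${PROXY_HOST_REDIRECT_10_NAME}
+http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_10_TARGET) if is_root is_redirect_10
+.endif
 
 # Enable X-Forwarded header(s)
 option forwardfor
 http-request add-header X-Forwarded-Proto https
 http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 http-request add-header X-Forwarded-Port %[dst_port]
+# Enforce HSTS
 http-response add-header Strict-Transport-Security max-age=15768000
+# Block bot indexing
+http-response add-header X-Robots-Tag noindex
 
 # Gateway tunnelling config
 .if defined(SISH_HOST) && defined(SISH_PORT)
@@ -142,5 +144,5 @@ backend keycloak_backend
 # Gateway tunnelling config
 .if defined(SISH_HOST) && defined(SISH_PORT)
 backend sish
-server sish "${SISH_HOST}":"${SISH_PORT}" resolvers docker_resolver
+server sish "${SISH_HOST}":"${SISH_PORT}" resolvers docker_resolver
 .endif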
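Review bot: In the `frontend https` hunk, `X-Forwarded-Proto` and `X-Forwarded-Port` are written with `add-header`, which appends to whatever the client already sent, so a client-supplied value reaches the backends alongside the proxy's own; only `X-Forwarded-Host` is overwritten. Backends that trust these headers (the file has a `keycloak_backend`) should see only the proxy's value: `http-request set-header X-Forwarded-Proto https` and `http-request set-header X-Forwarded-Port %[dst_port]`. The newly added `X-Robots-Tag` line and the HSTS line next to it have the same shape on the response side and would duplicate a header the backend already emits; `http-response set-header X-Robots-Tag noindex` avoids that. The `frontend https` section starts and continues outside this hunk, so an earlier `del-header` may already cover the request headers.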
