Alex Denes
8df9fdc4ab
- More templating and inheritance - New commands + rx_replace + rx_install + rx_cpkgdir - More transparency with secrets being sourced as variables and replaced - Modularization of configs + telegraf + nginx (partial) + fastd + wireguard + unbound - Split of unbound configurations and bind zones - Bumping of key versions (rolling keys) + ZSK/KSK + OpenDKIM - Relaxed permission defaults and other smaller tweaks...
# Process-wide settings shared by every proxy in this file.
global
    # Hard cap on concurrent connections and on new connections per second.
    # Both limits are global (not per source), so once the rate cap is hit
    # every client is throttled, not just the noisy one.
    maxconn 2048
    maxconnrate 40
    # Runtime API socket for the telegraf metrics agent; mode 600 + user keep it
    # readable by telegraf only. NOTE(review): no `level` is given, so the socket
    # gets HAProxy's default level (operator per the docs), which allows state
    # changes such as disabling servers; if telegraf only scrapes stats,
    # `level user` is the least-privilege setting — confirm what telegraf needs.
    stats socket /run/haproxy.sock mode 600 user telegraf
    # Idle timeout for sessions on the stats socket.
    stats timeout 2m

# Inherited by every frontend/backend/listen below unless overridden there.
defaults
    mode http
    retries 3
    # Adds the client address in X-Forwarded-For. Backends must only trust this
    # header for requests that really arrived via HAProxy (e.g. firewall them
    # to the proxy), otherwise a direct client can spoof its source address.
    option forwardfor
    option http-keep-alive
    option tcp-smart-connect
    option tcpka
    # Drop the pending server request when the client aborts.
    option abortonclose
    balance roundrobin
    # NOTE(review): response compression is enabled for every HTTP backend here,
    # including content served over TLS. Compressing responses that mix secrets
    # with user-controlled input is the precondition for BREACH-style attacks;
    # consider scoping compression to static-content backends.
    compression algo gzip
    # Bounds how long a client may take to send its request headers, which
    # mitigates slow-header connection exhaustion.
    timeout http-request 10s
    timeout connect 10s
    timeout client 60s
    timeout server 240s
    timeout http-keep-alive 240s
    # Every server uses the "resolvers local" section for DNS; init-addr tries libc
    # first and otherwise starts with no address; prevent-dup-ip avoids two server
    # slots landing on the same IP; "check" turns on health checks by default.
    default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check

    # Custom error pages. HAProxy serves these files verbatim, so each must be
    # a complete HTTP response (status line, headers, body), not just HTML.
    errorfile 400 /etc/redxen/haproxy/errorpages/400.http
    errorfile 403 /etc/redxen/haproxy/errorpages/403.http
    errorfile 408 /etc/redxen/haproxy/errorpages/408.http
    errorfile 500 /etc/redxen/haproxy/errorpages/500.http
    errorfile 502 /etc/redxen/haproxy/errorpages/502.http
    errorfile 503 /etc/redxen/haproxy/errorpages/503.http
    errorfile 504 /etc/redxen/haproxy/errorpages/504.http

# DNS used by server-template discovery; queries go to the local unbound instance.
# Backend membership is driven entirely by the SRV answers returned here, so the
# integrity of this resolver path (loopback only) decides where traffic is sent.
resolvers local
    nameserver unbound 127.0.0.1:53
    resolve_retries 2
    timeout retry 300ms
    # How long a server keeps its last state per DNS response type before the
    # record is considered stale; "valid" is the TTL-like lifetime of good answers.
    hold other 100ms
    hold refused 100ms
    hold nx 100ms
    hold timeout 3s
    hold valid 60s

# Raw TCP pass-through for Gitea's SSH endpoint on port 2442 (IPv4 and IPv6).
listen git-gitea
    mode tcp
    bind ipv4@*:2442,ipv6@*:2442
    # Layer-4 health check (TCP connect) since this is not HTTP.
    option tcp-check
    # Single server slot filled from the SRV record. NOTE(review): in tcp mode the
    # upstream sees HAProxy's address as the client unless `send-proxy` is used and
    # the sshd side understands PROXY protocol — confirm how client IPs appear in
    # Gitea's SSH logs if they matter for audit or fail2ban-style blocking.
    server-template gitssh 1 _gitssh._tcp.routinginfo.internal

# Public HTTP/HTTPS entry point; routes to backends by Host header prefix.
frontend http
    mode http
    # TLS on 443 with HTTP/2 negotiated via ALPN; full.crt is the combined cert bundle.
    bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1
    # Cleartext HTTP on 80. NOTE(review): no scheme redirect is visible in this
    # frontend, so port-80 requests are routed to the same backends in cleartext.
    # If that is not intended, add
    # `http-request redirect scheme https code 301 if !{ ssl_fc }`
    # ahead of the use_backend rules.
    bind ipv4@:80,ipv6@:80

    acl root path /
    # Prefix match: "seed.redxen" also matches hosts such as seed.redxen.<anything>.
    acl seedbox hdr_beg(host) -i seed.redxen

    # Bounce bare "/" on the seedbox host to its web UI.
    redirect prefix /web code 302 if seedbox root

    # NOTE(review): these are *response* headers sent to the client.
    # X-Forwarded-Proto is normally a request header consumed by backends; set
    # here the backend never sees it, and because port 80 is bound above an
    # unconditional "https" is wrong for cleartext requests. If backends need it,
    # use `http-request set-header X-Forwarded-Proto https if { ssl_fc }`.
    http-response set-header X-Forwarded-Proto https
    # X-XSS-Protection is deprecated and ignored by current browsers; inert but harmless.
    http-response set-header X-XSS-Protection 1;\ mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # HSTS with includeSubDomains + preload commits every subdomain to HTTPS for a
    # year; browsers ignore HSTS on cleartext responses, so it only takes effect on 443.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload

    # Routing rules are evaluated in order; first match wins.
    use_backend backend-transmission if seedbox

    # All matches below are host *prefix* matches (hdr_beg), not exact names, so
    # e.g. "stats.redxen" also selects backend-grafana for stats.redxen.<other>.
    # If a backend relies on the Host value, an exact `hdr(host) -i <fqdn>` is safer.
    # "redxen" here matches the apex (redxen.eu) but not the dotted subdomains below.
    use_backend backend-root if { hdr_beg(host) -i redxen }
    use_backend backend-grafana if { hdr_beg(host) -i stats.redxen }
    # use_backend backend-pleroma if { hdr_beg(host) -i social.redxen }
    use_backend backend-gitea if { hdr_beg(host) -i git.redxen }
    use_backend backend-seedown if { hdr_beg(host) -i sd.redxen }
    use_backend backend-packages if { hdr_beg(host) -i packages.redxen }
    use_backend backend-monerod if { hdr_beg(host) -i monerod.redxen }

# Main site (apex host); one server slot discovered via SRV record.
backend backend-root
    server-template root 1 _root._tcp.routinginfo.internal
    # Health check: HEAD / with the public Host name so virtual hosting upstream works.
    option httpchk HEAD / HTTP/1.1
    http-check send hdr Host redxen.eu

# Transmission web UI behind seed.redxen. No httpchk here, so only the default
# TCP-level check from default-server "check" applies.
backend backend-transmission
    server-template transmission 1 _transmission._tcp.routinginfo.internal

# Grafana behind stats.redxen.
backend backend-grafana
    server-template grafana 1 _grafana._tcp.routinginfo.internal
    # Health check: HEAD / with the public Host name.
    option httpchk HEAD / HTTP/1.1
    http-check send hdr Host stats.redxen.eu

# Seedbox download service behind sd.redxen.
backend backend-seedown
    server-template seedown 1 _seedown._tcp.routinginfo.internal
    # Health check: HEAD / with the public Host name.
    option httpchk HEAD / HTTP/1.1
    http-check send hdr Host sd.redxen.eu

# Package repository behind packages.redxen.
backend backend-packages
    server-template packages 1 _packages._tcp.routinginfo.internal
    # Health check: HEAD / with the public Host name.
    option httpchk HEAD / HTTP/1.1
    http-check send hdr Host packages.redxen.eu

# Disabled: Pleroma backend kept for reference. Its routing rule in the
# frontend is commented out as well, so re-enabling needs both changes.
# backend backend-pleroma
# server-template pleroma 1 _pleroma._tcp.routinginfo.internal
# option httpchk HEAD / HTTP/1.1
# http-check send hdr Host social.redxen.eu

# Gitea web UI behind git.redxen.
backend backend-gitea
    server-template gitea 1 _gitea._tcp.routinginfo.internal
    # Health check: HEAD /. NOTE(review): the check's Host (gitea.redxen.eu) differs
    # from the routed prefix (git.redxen); may be intentional, but confirm the
    # upstream answers HEAD / under that name or the check will flap.
    option httpchk HEAD / HTTP/1.1
    http-check send hdr Host gitea.redxen.eu

# Monero daemon JSON-RPC exposed publicly behind monerod.redxen.
# NOTE(review): the RPC endpoint is reachable by anyone hitting this host; confirm
# the upstream daemon serves only its restricted RPC set if this is a public node.
backend backend-monerod
    server-template monerod 1 _monerod._tcp.routinginfo.internal
    # Health check: a get_version JSON-RPC call; braces, quotes and colon are
    # backslash-escaped because they are special to HAProxy's config parser.
    option httpchk POST /json_rpc HTTP/1.1
    http-check send body \{\"method\"\:\"get_version\"\} hdr Content-Type application/json