From 7a75032f34db5c07943c58c5cc08943e7a8e4d42 Mon Sep 17 00:00:00 2001
From: caskd
Date: Sat, 3 Aug 2019 22:09:02 +0200
Subject: [PATCH] Initial commit

---
 .gitignore | 2 +
 base.yml | 46 +++++++++++++++++
 build/Dockerfile | 3 ++
 build/haproxy.conf | 120 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 171 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 base.yml
 create mode 100644 build/Dockerfile
 create mode 100644 build/haproxy.conf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..03e655e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.*~
+certificates/
diff --git a/base.yml b/base.yml
new file mode 100644
index 0000000..6ac87cd
--- /dev/null
+++ b/base.yml
@@ -0,0 +1,46 @@
+version: '3.7'
+
+networks:
+  frontend:
+    driver: overlay
+    attachable: true
+
+secrets:
+  cf_op:
+    file: certificates/cloudflare-op.crt
+  ssl_master:
+    file: certificates/master.pem
+
+volumes:
+  haproxysock:
+
+x-logging: &json-log
+  driver: 'json-file'
+  options:
+    max-size: 20m
+    max-file: '5'
+
+x-global-stop-2: >2
+  mode: global
+  restart_policy:
+    condition: any
+  update_config:
+    parallelism: 2
+    delay: 5s
+    order: stop-first
+    failure_action: rollback
+
+services:
+  haproxy:
+    image: localhost:5000/haproxy-rx
+    deploy: *gt2 ## HAProxy really dislikes if it's overlapped
+    logging: *json-log
+    secrets:
+      - ssl_master
+      - cf_op
+    volumes:
+      - 'haproxysock:/haproxy:rw' ## Telegraf monitoring
+    ports:
+      - '443:443'
+    networks:
+      - frontend
diff --git a/build/Dockerfile b/build/Dockerfile
new file mode 100644
index 0000000..2d95727
--- /dev/null
+++ b/build/Dockerfile
@@ -0,0 +1,3 @@
+FROM haproxy:alpine
+
+COPY haproxy.conf /usr/local/etc/haproxy/haproxy.cfg
diff --git a/build/haproxy.conf b/build/haproxy.conf
new file mode 100644
index 0000000..ded990d
--- /dev/null
+++ b/build/haproxy.conf
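Review bot: `deploy: *gt2` in the haproxy service references an alias that is never defined: `x-global-stop-2: >2` is a folded block scalar with an indentation indicator, not an anchor, so the mapping beneath it is parsed as a multi-line string and the alias lookup fails when the stack file is loaded. Change the key to `x-global-stop-2: &gt2` (dropping `>2`) so the `mode`, `restart_policy` and `update_config` settings are actually merged into `deploy`. Until that is fixed none of the stop-first/rollback behaviour the comment relies on is in effect.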
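Review bot: `FROM haproxy:alpine` floats on a mutable tag, so each rebuild may pull a different HAProxy major version and a different Alpine base, which makes the image non-reproducible and lets an upstream change alter TLS or config-parsing behaviour without any commit here. Pin to an explicit version tag and, preferably, a digest, e.g. `FROM haproxy:<version>-alpine@sha256:<digest>` (placeholders), and bump it deliberately with a review of the HAProxy changelog.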
@@ -0,0 +1,120 @@
+global
+    tune.ssl.default-dh-param 2048
+    maxconn 2048
+    maxconnrate 40
+    stats socket /haproxy/haproxy.sock mode 660 level admin
+
+defaults
+    mode http
+    retries 3
+    option forwardfor
+    option http-keep-alive
+    option tcp-smart-connect
+    option tcpka
+    option http-buffer-request
+    timeout http-request 10s
+    timeout connect 5s
+    timeout client 20s
+    timeout server 240s
+    timeout http-keep-alive 300s
+    rate-limit sessions 100
+    default-server resolvers dockerdns
+
+resolvers dockerdns
+    nameserver docker 127.0.0.11:53
+    nameserver cf 1.1.1.1:53
+    resolve_retries 2
+    timeout retry 300ms
+    hold other 30s
+    hold refused 30s
+    hold nx 30s
+    hold timeout 30s
+    hold valid 10s
+
+frontend https
+    mode http
+    bind *:443 ssl crt /run/secrets/ssl_master ciphers EECDH+AESGCM:EDH+AESGCM ca-file /run/secrets/cf_op verify required
+
+    acl secure dst_port eq 443
+    acl is_cf req.hdr_ip(x-forwarded-for) -m found
+    acl dav url_beg /.well-known/carddav /.well-known/caldav
+    acl root url /
+    acl discord-redirect url /discord
+
+    acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
+    acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
+
+    acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
+    acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
+    acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
+    acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
+    acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
+    acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
+    acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443
+    acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443
+
+    acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
+
+    http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
+    redirect location /remote.php/dav code 301 if dav nextcloud
+    redirect location /index.html code 301 if homepage root
+    redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
+
+    http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
+    http-response add-header X-Forwarded-Proto https if secure
+
+    http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
+    http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
+
+    http-response set-header X-XSS-Protection 1;\ mode=block
+    http-response set-header X-Content-Type-Options nosniff
+    http-response set-header Referrer-Policy no-referrer-when-downgrade
+    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+
+    use_backend yagpdb if yagpdb
+    use_backend nextcloud if nextcloud
+    use_backend grafana if grafana
+    use_backend webgit if webgit
+    use_backend transmission if transmission
+    use_backend onlyoffice if onlyoffice
+    use_backend homepage if homepage
+    use_backend znc if znc
+
+backend homepage
+    server redxen-space rxhome.s3-website.eu-central-1.amazonaws.com:80
+    http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com
+    http-request set-header Connection \"\"
+
+backend yagpdb
+    server yagpdb-docker yag_yagpdb:80
+    option httpchk HEAD / HTTP/1.1\r\nHost:\ yagpdb.redxen.eu
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ https://cdnjs.cloudflare.com\ https://code.jquery.com\ \'self\';style-src\ https://stackpath.bootstrapcdn.com\ https://fonts.googleapis.com\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+
+backend nextcloud
+    server nextcloud-docker cloud_nextcloud:80 check
+    option httpchk HEAD / HTTP/1.1\r\nHost:\ cloud.redxen.eu
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ https://office.redxen.eu\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ https://office.redxen.eu\ https://youtube.com\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+    http-response set-header X-Robots-Tag none
+    http-response set-header X-Download-Options noopen
+    http-response set-header X-Permitted-Cross-Domain-Policies none
+
+backend grafana
+    server grafana-docker tig_grafana:3000 check
+    option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+
+backend webgit
+    server webgit-docker git_gitea:3000 check
+    option httpchk HEAD / HTTP/1.1\r\nHost:\ webgit.redxen.eu
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ secure.gravatar.com\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+
+backend transmission
+    server transmission-docker seedbox_transmission:9091 check
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+
+backend onlyoffice
+    server onlyoffice-docker cloud_documentserver:80 check
+    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-eval\'\ \'unsafe-inline\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
+
+backend znc
+    server znc-bouncer irc_znc:7000 check
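Review bot: `stats socket /haproxy/haproxy.sock mode 660 level admin` in the global section gives anything that can open the socket full runtime control of the proxy (enabling or disabling servers, changing weights, shutting down sessions), while base.yml mounts the haproxysock volume into the container for Telegraf, which only reads statistics. Lower it to `stats socket /haproxy/haproxy.sock mode 660 level user` (or `level operator`, whichever is the lowest level that still answers the collector's stats query) so a compromised monitoring container cannot reconfigure the edge. A second issue is in the frontend: `http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res` evaluates as (public_cache AND NOT private_cache) OR homepage-res, and because `private_cache` matches every `text/` and `application/` type, text/css and application/javascript never receive the public policy while any response matched by `homepage-res` — HTML included — is marked cacheable for a year. Put the static-asset types in an ACL that `private_cache` does not also match, and note that `acl homepage-res res.hdr(host)` inspects a response header that origins normally do not send, so that branch may never fire at all.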