|
|
|
@ -0,0 +1,120 @@
|
|
|
|
|
global
|
|
|
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
|
maxconn 2048
|
|
|
|
|
maxconnrate 40
|
|
|
|
|
stats socket /haproxy/haproxy.sock mode 660 level admin
|
|
|
|
|
|
|
|
|
|
defaults
|
|
|
|
|
mode http
|
|
|
|
|
retries 3
|
|
|
|
|
option forwardfor
|
|
|
|
|
option http-keep-alive
|
|
|
|
|
option tcp-smart-connect
|
|
|
|
|
option tcpka
|
|
|
|
|
option http-buffer-request
|
|
|
|
|
timeout http-request 10s
|
|
|
|
|
timeout connect 5s
|
|
|
|
|
timeout client 20s
|
|
|
|
|
timeout server 240s
|
|
|
|
|
timeout http-keep-alive 300s
|
|
|
|
|
rate-limit sessions 100
|
|
|
|
|
default-server resolvers dockerdns
|
|
|
|
|
|
|
|
|
|
resolvers dockerdns
|
|
|
|
|
nameserver docker 127.0.0.11:53
|
|
|
|
|
nameserver cf 1.1.1.1:53
|
|
|
|
|
resolve_retries 2
|
|
|
|
|
timeout retry 300ms
|
|
|
|
|
hold other 30s
|
|
|
|
|
hold refused 30s
|
|
|
|
|
hold nx 30s
|
|
|
|
|
hold timeout 30s
|
|
|
|
|
hold valid 10s
|
|
|
|
|
|
|
|
|
|
frontend https
|
|
|
|
|
mode http
|
|
|
|
|
bind *:443 ssl crt /run/secrets/ssl_master ciphers EECDH+AESGCM:EDH+AESGCM ca-file /run/secrets/cf_op verify required
|
|
|
|
|
|
|
|
|
|
acl secure dst_port eq 443
|
|
|
|
|
acl is_cf req.hdr_ip(x-forwarded-for) -m found
|
|
|
|
|
acl dav url_beg /.well-known/carddav /.well-known/caldav
|
|
|
|
|
acl root url /
|
|
|
|
|
acl discord-redirect url /discord
|
|
|
|
|
|
|
|
|
|
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
|
|
|
|
|
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
|
|
|
|
|
|
|
|
|
|
acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
|
|
|
|
|
acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
|
|
|
|
|
acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
|
|
|
|
|
acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
|
|
|
|
|
acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
|
|
|
|
|
acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
|
|
|
|
|
acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443
|
|
|
|
|
acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443
|
|
|
|
|
|
|
|
|
|
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
|
|
|
|
|
|
|
|
|
|
http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf
|
|
|
|
|
redirect location /remote.php/dav code 301 if dav nextcloud
|
|
|
|
|
redirect location /index.html code 301 if homepage root
|
|
|
|
|
redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
|
|
|
|
|
|
|
|
|
|
http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
|
|
|
|
|
http-response add-header X-Forwarded-Proto https if secure
|
|
|
|
|
|
|
|
|
|
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
|
|
|
|
|
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
|
|
|
|
|
|
|
|
|
|
http-response set-header X-XSS-Protection 1;\ mode=block
|
|
|
|
|
http-response set-header X-Content-Type-Options nosniff
|
|
|
|
|
http-response set-header Referrer-Policy no-referrer-when-downgrade
|
|
|
|
|
http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
|
|
|
|
|
|
|
|
|
|
use_backend yagpdb if yagpdb
|
|
|
|
|
use_backend nextcloud if nextcloud
|
|
|
|
|
use_backend grafana if grafana
|
|
|
|
|
use_backend webgit if webgit
|
|
|
|
|
use_backend transmission if transmission
|
|
|
|
|
use_backend onlyoffice if onlyoffice
|
|
|
|
|
use_backend homepage if homepage
|
|
|
|
|
use_backend znc if znc
|
|
|
|
|
|
|
|
|
|
backend homepage
|
|
|
|
|
server redxen-space rxhome.s3-website.eu-central-1.amazonaws.com:80
|
|
|
|
|
http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com
|
|
|
|
|
http-request set-header Connection \"\"
|
|
|
|
|
|
|
|
|
|
backend yagpdb
|
|
|
|
|
server yagpdb-docker yag_yagpdb:80
|
|
|
|
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ yagpdb.redxen.eu
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ https://cdnjs.cloudflare.com\ https://code.jquery.com\ \'self\';style-src\ https://stackpath.bootstrapcdn.com\ https://fonts.googleapis.com\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
|
|
|
|
|
backend nextcloud
|
|
|
|
|
server nextcloud-docker cloud_nextcloud:80 check
|
|
|
|
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ cloud.redxen.eu
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ https://office.redxen.eu\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ https://office.redxen.eu\ https://youtube.com\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
http-response set-header X-Robots-Tag none
|
|
|
|
|
http-response set-header X-Download-Options noopen
|
|
|
|
|
http-response set-header X-Permitted-Cross-Domain-Policies none
|
|
|
|
|
|
|
|
|
|
backend grafana
|
|
|
|
|
server grafana-docker tig_grafana:3000 check
|
|
|
|
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
|
|
|
|
|
backend webgit
|
|
|
|
|
server webgit-docker git_gitea:3000 check
|
|
|
|
|
option httpchk HEAD / HTTP/1.1\r\nHost:\ webgit.redxen.eu
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ secure.gravatar.com\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
|
|
|
|
|
backend transmission
|
|
|
|
|
server transmission-docker seedbox_transmission:9091 check
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
|
|
|
|
|
backend onlyoffice
|
|
|
|
|
server onlyoffice-docker cloud_documentserver:80 check
|
|
|
|
|
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-eval\'\ \'unsafe-inline\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
|
|
|
|
|
|
|
|
|
|
backend znc
|
|
|
|
|
server znc-bouncer irc_znc:7000 check
|