# This is a test configuration. It listens on port 8443, waits for an incoming
# connection, and applies the following rules :
# - if the address is in the white list, then accept it and forward the
# connection to the server (local port 443)
# - if the address is in the black list, then immediately drop it
# - otherwise, wait up to 3 seconds for valid SSL data to come in. If those
# data are identified as SSL, the connection is immediately accepted, and
# if they are definitely identified as non-SSL, the connection is rejected,
# which will happen upon timeout if they still don't match SSL.

# A single "listen" section carries both the frontend (bind) and the backend
# (server) for this test.
listen block-non-ssl
# Logs go to a syslog daemon on 127.0.0.1:514, facility local0.
log 127.0.0.1:514 local0
# TCP-level log format (this proxy does not parse HTTP).
option tcplog

mode tcp
# No address given: listens on every local address, port 8443.
bind :8443
timeout client 6s
timeout server 6s
timeout connect 6s

# How long content inspection may hold a connection while the tcp-request
# rules below cannot yet be decided.
# NOTE(review): the header comment says 3 seconds but this uses 4s -- confirm
# which value is intended.
tcp-request inspect-delay 4s

# Source-address based allow / deny lists for the test (loopback aliases).
acl white_list src 127.0.0.2
acl black_list src 127.0.0.3

# note: SSLv2 is not used anymore, SSLv3.1 is TLSv1.
# obsolete_ssl and invalid_ssl are defined here but not referenced by any
# rule below; only correct_ssl is used.
acl obsolete_ssl req_ssl_ver lt 3
# Accepts only SSLv3.0 and TLSv1.0 handshakes.
# NOTE(review): TLS 1.1/1.2/1.3 announce versions 3.2/3.3/3.4, which fall
# outside this range and are therefore rejected by the "!correct_ssl" rule
# below -- acceptable for this test, not a production allow-list.
acl correct_ssl req_ssl_ver 3.0-3.1
acl invalid_ssl req_ssl_ver gt 3.1

# Rules are evaluated in order: white-listed sources are accepted before any
# SSL check, black-listed sources are dropped, and everything else is rejected
# unless (and until) a correct_ssl handshake is seen within the inspect-delay.
tcp-request content accept if white_list
tcp-request content reject if black_list
tcp-request content reject if !correct_ssl

balance roundrobin
# Accepted connections are forwarded unchanged to the local server on 443.
server srv1 127.0.0.1:443
