代码
注册 登录
简体中文
简体中文 English
openoker
/
MeshCentral
1
0
收藏 0
文件 工单管理 0 Wiki
目录树: f33768fe32
分支列表 标签列表

haproxy-with-sni-sample.cfg 2.1 KB
文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. # Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
    2. 

  2. # Update the config.json to work with HAProxy
    3. 

  3. # Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
    4. 

  4. # "tlsOffload": "10.1.1.10",
    5. 

  5. # 
    6. 

  6. # Specify the HAPRoxy URL with the hostname to get the certificate
    7. 

  7. # "certUrl": "https://mc.publicdomain.com:443/"
    8. 

  8. 

  9. frontend sni-front
    10. 

  10.         bind 10.1.1.10:443
    11. 

  11.         mode tcp
    12. 

  12.         tcp-request inspect-delay 5s
    13. 

  13.         tcp-request content accept if { req_ssl_hello_type 1 }
    14. 

  14.         default_backend sni-back
    15. 

  15. 

  16. backend sni-back
    17. 

  17.         mode tcp
    18. 

  18.         acl gitlab-sni req_ssl_sni -i gitlab.publicdomain.com
    19. 

  19.         acl mc-sni req_ssl_sni -i mc.publicdomain.com
    20. 

  20.         use-server gitlabSNI if gitlab-sni
    21. 

  21.         use-server mc-SNI if mc-sni
    22. 

  22.         server mc-SNI 10.1.1.10:1443 send-proxy-v2-ssl-cn
    23. 

  23.         
    24. 

  24. frontend cira-tcp-front
    25. 

  25.         bind 10.1.1.10:4433
    26. 

  26.         mode tcp
    27. 

  27.         option tcplog
    28. 

  28.         tcp-request inspect-delay 5s
    29. 

  29.         default_backend mc-cira-back
    30. 

  30. 

  31. backend cira-tcp-back
    32. 

  32.         mode tcp
    33. 

  33.         server mc-cira 10.1.1.30:4433
    34. 

  34. 

  35. frontend mc-front-HTTPS
    36. 

  36.         mode http
    37. 

  37.         option forwardfor
    38. 

  38.         bind 10.1.1.10:1443 ssl crt /etc/haproxy/vm.publicdomain.net.pem accept-proxy
    39. 

  39.         http-request set-header X-Forwarded-Proto https
    40. 

  40.         option tcpka
    41. 

  41.         default_backend mc-back-HTTP
    42. 

  42. 

  43. backend mc-back-HTTPS
    44. 

  44.         mode http
    45. 

  45.         option forwardfor
    46. 

  46.         http-request add-header X-Forwarded-Host %[req.hdr(Host)]
    47. 

  47.         option http-server-close
    48. 

  48.         server mc-01 10.1.1.30:443 check port 443 verify none
    49. 

  49. 

  50. # In the event that it is required to have TLS between HAProxy and Meshcentral, 
    51. 

  51. # Remove the tls_Offload line and replace with trustedProxy
    52. 

  52. # Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
    53. 

  53. # "trustedProxy": "10.1.1.10",
    54. 

  54. # and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword
    55. 

  55. # server mc-01 10.1.1.30:443 check ssl port 443 verify none
    56.