- # Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
- # Update the config.json to work with HAProxy
- # Specify the IP address/hostname that HAProxy traffic will come from (this might not be the address that is bound to the listener)
- # "tlsOffload": "10.1.1.10",
- #
- # Specify the HAProxy URL (with the hostname) used to get the certificate
- # "certUrl": "https://mc.publicdomain.com:443/"
- # SNI router: accepts TLS on 10.1.1.10:443 without terminating it, so the
- # ClientHello can be inspected and dispatched by server name in sni-back.
- frontend sni-front
- mode tcp
- bind 10.1.1.10:443
- # Hold the connection (at most 5s) until the first bytes arrive so the
- # ClientHello can be inspected; only a TLS ClientHello (hello type 1) is
- # explicitly accepted by the content rule.
- acl is-client-hello req_ssl_hello_type 1
- tcp-request inspect-delay 5s
- tcp-request content accept if is-client-hello
- default_backend sni-back
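- # Dispatches on the SNI name carried in the ClientHello. Traffic is still
- # opaque TCP at this point; TLS is terminated by whichever server is chosen.
- backend sni-back
- mode tcp
- acl gitlab-sni req_ssl_sni -i gitlab.publicdomain.com
- acl mc-sni req_ssl_sni -i mc.publicdomain.com
- use-server gitlabSNI if gitlab-sni
- use-server mc-SNI if mc-sni
- # Every server named in a use-server rule must be declared in this backend,
- # otherwise HAProxy refuses to load the configuration. No gitlabSNI server
- # appeared in this listing, so a clearly marked placeholder is given here:
- # replace the address with the real GitLab listener, and only add a
- # send-proxy option if that listener is configured to expect PROXY protocol.
- server gitlabSNI <GITLAB_HOST_OR_IP>:443
- # Hand the MeshCentral flow back to this host's TLS-terminating listener on
- # port 1443, prefixed with a PROXY v2 header carrying the client address
- # (and the client certificate CN, when one was presented).
- server mc-SNI 10.1.1.10:1443 send-proxy-v2-ssl-cn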
-
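- # CIRA listener on 4433 (presumably the MeshCentral Intel AMT/MPS port):
- # plain TCP passthrough, nothing is terminated or inspected here.
- frontend cira-tcp-front
- mode tcp
- bind 10.1.1.10:4433
- option tcplog
- tcp-request inspect-delay 5s
- # default_backend must name a backend that exists. The original pointed at
- # "mc-cira-back", which is not declared in this listing, and HAProxy treats
- # an unknown default_backend as a fatal configuration error; the matching
- # backend declared below is cira-tcp-back.
- default_backend cira-tcp-back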
- # Passthrough target for the CIRA listener. No "ssl" on the server line and
- # mode tcp, so whatever TLS the client speaks ends at 10.1.1.30, not here.
- backend cira-tcp-back
- mode tcp
- server mc-cira 10.1.1.30:4433
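- # HTTPS terminator for the MeshCentral web traffic. It is meant to be reached
- # only through the SNI router (server mc-SNI in sni-back), which prefixes each
- # connection with a PROXY v2 header carrying the real client address.
- frontend mc-front-HTTPS
- mode http
- option forwardfor
- # accept-proxy: this listener requires a PROXY protocol header and takes the
- # client address from it, which then feeds X-Forwarded-For. Anything able to
- # connect to 10.1.1.10:1443 directly could present a forged source address,
- # so keep this port reachable only from this HAProxy instance (host firewall,
- # or bind it to a non-routable address).
- bind 10.1.1.10:1443 ssl crt /etc/haproxy/vm.publicdomain.net.pem accept-proxy
- http-request set-header X-Forwarded-Proto https
- option tcpka
- # default_backend must reference a declared backend. The original named
- # "mc-back-HTTP", which does not exist in this listing (HAProxy treats an
- # unknown default_backend as a fatal configuration error); the MeshCentral
- # backend declared below is mc-back-HTTPS.
- default_backend mc-back-HTTPS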
- # Plain-HTTP hop to MeshCentral; TLS was already terminated in
- # mc-front-HTTPS. The client identity travels in X-Forwarded-For /
- # X-Forwarded-Host, which (per the header notes) MeshCentral is told to
- # trust from this proxy's address via "tlsOffload".
- backend mc-back-HTTPS
- mode http
- option http-server-close
- option forwardfor
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- # "verify none" only takes effect once "ssl" is added to this line (see the
- # notes at the end of the file); it then disables certificate validation of
- # the MeshCentral endpoint. When the backend certificate can be validated,
- # prefer "verify required" together with a ca-file.
- server mc-01 10.1.1.30:443 check port 443 verify none
- # If TLS is required between HAProxy and MeshCentral,
- # remove the tlsOffload line and replace it with trustedProxy
- # Specify the IP address/hostname that HAProxy traffic will come from (this might not be the address that is bound to the listener)
- # "trustedProxy": "10.1.1.10",
- # and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword
- # server mc-01 10.1.1.30:443 check ssl port 443 verify none