차이

문서의 선택한 두 판 사이의 차이를 보여줍니다.

--- haproxy_설정_예제 [2018/10/18 13:54] – 만듦 koov
+++ haproxy_설정_예제 [2024/07/19 09:41] (현재) – koov
@@ 줄 15: / 줄 15: @@
 	# Default SSL material locations
+	tune.ssl.default-dh-param  2048
 	ca-base /etc/ssl/certs
 	crt-base /etc/ssl/private
@@ 줄 23: / 줄 24: @@
 	# An alternative list with additional directives can be obtained from
 	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
-	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-	ssl-default-bind-options no-sslv3
+	#ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+	#ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
+	ssl-dh-param-file /etc/haproxy/ssl/dhparam.pem
 defaults
@@ 줄 31: / 줄 40: @@
 	option	httplog
 	option	dontlognull
+	option	forwardfor
+	#option	transparent
         timeout connect 5000
         timeout client  50000
@@ 줄 42: / 줄 53: @@
 	errorfile 504 /etc/haproxy/errors/504.http
-frontend http
+frontend web
 	bind *:80
-        acl is_home.koov.net		hdr(host) -i home.koov.net
+        #bind *:443 ssl crt /etc/haproxy/ssl/nas.sample.net.pem crt /etc/haproxy/ssl/company.com.pem crt /etc/haproxy/ssl/office.com.pem crt /etc/haproxy/ssl/dev.sample.net.pem crt /etc/haproxy/ssl/jenkins.sample.net.pem
-        acl is_dev.koov.net		hdr(host) -i dev.koov.net
-        acl is_mail.koov.net		hdr(host) -i mail.koov.net
+	# 인증서를 하나의 파일로 묶어서 서비스 하는 방법
-        acl is_talk.koov.net		hdr(host) -i talk.koov.net
+	# crt-list.txt 예제 참조
-        acl is_nas.linuxdata.kr         hdr(host) -i nas.linuxdata.kr
+        bind *:443 ssl crt-list /etc/haproxy/ssl/crt-list.txt ca-file /etc/haproxy/ssl/ca.pem verify optional alpn h2,http/1.1
+        #reqadd X-Forwarded-Proto:\ https
-	# 호스트명이 allthatlinux.com, 이나 linuxdata.kr 으로 끝나는 모든 요청
+        http-request set-header X-SSL %[ssl_fc]
-	acl is_allthatlinux.com		hdr_end(host) -i allthatlinux.com
+	http-request set-header X-Forwarded-Port %[dst_port]
-	acl is_linuxdata.kr		hdr_end(host) -i linuxdata.kr
+	http-request add-header X-Forwarded-Proto https if { ssl_fc }
+	http-response set-header Cache-Control no-cache,\ max-age="600"
-	# nas 요청중 / 요청을 리다이렉션
+	## CertBot Let's Encrypt
+	# Test URI to see if its a letsencrypt request
+	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+	use_backend letsencrypt-backend if letsencrypt-acl
+	## Host Setting
+        acl is_nas.sample.net           hdr(host) -i nas.sample.net
+        acl is_plex.sample.net		hdr(host) -i plex.sample.net
+	acl is_meet.sample.net		hdr(host) -i meet.sample.net
+        acl is_mon.sample.net		hdr(host) -i mon.sample.net
+        acl is_db.sample.net		hdr(host) -i db.sample.net
+        acl is_m.sample.net		hdr(host) -i m.sample.net
+        # 호스트명이 XXX 으로 끝나는 모든 요청
+        acl is_mydomain.kr                  hdr_end(host) -i mydomain.kr
+        acl is_sample.net                 hdr_end(host) -i sample.net
+        acl is_fatp.org                 hdr_end(host) -i fatp.org
+        # 요청을 리다이렉션
         #acl is_redirect_nas             path -i /
-        #redirect code 301 location /webman/index.cgi if is_redirect_nas is_nas.linuxdata.kr
+        #redirect code 301 location /webman/index.cgi if is_redirect_nas is_nas.office.com
-        #redirect code 301 location http://nas.linuxdata.kr/webman/index.cgi if is_redirect_nas
+        #redirect code 301 location http://nas.office.com/webman/index.cgi if is_redirect_nas
-        #redirect prefix /webman/index.cgi code 301 if is_nas.linuxdata.kr is_redirect_nas
+        #redirect prefix /webman/index.cgi code 301 if is_nas.office.com is_redirect_nas
-        ## figure out which one to use
+	## Backend Setting
-        use_backend backend_home.koov.net	if is_home.koov.net
+        use_backend backend_company.com			if is_company.com or is_office.com
-        use_backend backend_dev.koov.net	if is_dev.koov.net
+        use_backend backend_nas.sample.net		if is_nas.sample.net
-        use_backend backend_mail.koov.net	if is_mail.koov.net
+        use_backend backend_plex.sample.net		if is_plex.sample.net
-        use_backend backend_talk.koov.net	if is_talk.koov.net
+        use_backend backend_meet.sample.net		if is_meet.sample.net
-        use_backend backend_allthatlinux.com    if is_allthatlinux.com or is_linuxdata.kr
+        use_backend backend_mon.sample.net		if is_mon.sample.net
+	use_backend backend_dev.sample.net		if is_dev.sample.net
+	use_backend backend_m.sample.net		if is_m.sample.net
+        use_backend backend_mydomain.kr			if is_mydomain.kr
+        use_backend backend_m.second.domain		if is_m.second.domain
+        use_backend backend_j.second.domain		if is_j.second.domain
+        use_backend backend_k.second.domain		if is_k.second.domain
+        use_backend backend_l.second.domain		if is_l.second.domain
+        use_backend backend_www.sample.net		if is_sample.net
-        default_backend backend_home.koov.net
+        #use_backend backend_https_registry.sample.net	if is_registry.sample.net { ssl_fc }
+        #use_backend backend_registry.sample.net	if is_registry.sample.net
+	# 기본 백엔드 설정
+        default_backend backend_deny
-backend backend_home.koov.net
+	http-response set-header Strict-Transport-Security max-age=63072000
-        server  static  192.168.0.24:80        check
-backend backend_dev.koov.net
+backend backend_nas.sample.net
-        server  static  192.168.0.27:80        check
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.8:5000	check
-backend backend_allthatlinux.com
+backend backend_dev.sample.net
-        server  static  192.168.0.21:80        check
+	#redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.27:80		check
-backend backend_talk.koov.net
+backend backend_company.com
-        server  static  192.168.0.28:80        check
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.21:80		check
-backend backend_mail.koov.net
+backend backend_www.sample.net
-        server  static  192.168.0.19:80        check
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.30:80		check
-### Mysql Connection Forward
+backend backend_www.fatp.org
-listen  mysql-db1
+	redirect scheme https code 301 if !{ ssl_fc }
-        bind *:3306
+        server  static  192.168.0.31:80		check
-        mode tcp
+backend backend_meet.sample.net
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static 192.168.0.28:443	check ssl verify none
+backend backend_mon.sample.net
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.15:80		check
+backend backend_plex.sample.net
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.26:32400	check
+#backend backend_https_registry.sample.net
+#	#server server1 backend:3000 weight 1 maxconn 8192 check ssl verify none
+#        server  static 192.168.0.30:443	check ssl verify none
+# m.second.domain
+backend backend_m.second.domain
+	redirect scheme https code 301 if !{ ssl_fc }
+        server  static  192.168.0.38:80		check
+# LE Backend
+backend letsencrypt-backend
+	server letsencrypt 127.0.0.1:8888
+## deny backend
+backend backend_deny
+	http-request deny deny_status 400
+#### MySQL # -> iptime 에서 direct forwarding 하므로 필요없음
+#listen  db.sample.net
+#        bind *:3306
+#        mode tcp
         #timeout client  10800s
         #timeout server  10800s
-        balance leastconn
+#        balance leastconn
         #option httpchk
         #option allbackups
         #default-server port 9200 inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 64 maxqueue 128 weight 100
-        server mysql1 192.168.0.30:3306 check  # Destination DB Server
+#        server db.sample.net 192.168.0.20:3306 check
+</code>
+</WRAP>
+===== 통합인증서 파일 설정 crt-list.txt =====
+<WRAP prewrap>
+<code bash>
+root@proxy:/etc/haproxy/ssl# cat crt-list.txt
+/etc/haproxy/ssl/domain2.localdomain.pem
+/etc/haproxy/ssl/domain.localdomain.pem
+# 통합 인증서파일 생성방법
+cat /etc/letsencrypt/live/domain.localdomain/cert.pem /etc/letsencrypt/live/domain.localdomain/privkey.pem /etc/letsencrypt/live/domain.localdomain/chain.pem > /etc/haproxy/ssl/domain.localdomain.pem
+cat /etc/letsencrypt/live/domain2.localdomain/cert.pem /etc/letsencrypt/live/domain2.localdomain/privkey.pem /etc/letsencrypt/live/domain2.localdomain/chain.pem > /etc/haproxy/ssl/domain2.localdomain.pem
 </code>
 </WRAP>