ini haproxy.cfg节将启用Perfect Forward Secrecy和HTTP严格传输安全性。需要OpenSSL 1.0.1g左右。

Posted 2021-05-24

# Bind SSL port with PFS-enabling cipher suite
bind :443 ssl crt path_to_certificate no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4

# Distinguish between secure and insecure requests
acl secure dst_port eq 443

# Mark all cookies as secure if sent over SSL
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

# Add the HSTS header with a 1 year max-age
rspadd Strict-Transport-Security:\ max-age=31536000 if secure

ini haproxy.cfg

global
    ca-base /etc/ssl/certs

    log 127.0.0.1 local0
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option forwardfor
    option http-server-close

frontend packages
    bind *:80
    default_backend my-backend
    
    # /cloudpassage
    acl p_cloudpassage path_beg /cloudpassage/
    use_backend cloudpassage if p_cloudpassage

backend cloudpassage
    server cloudpassage production.packages.cloudpassage.com:443 ssl ca-file ca-bundle.crt verifyhost production.packages.cloudpassage.com

    # /cloudpassage/cphalo-LATEST-win64.exe ===> https://packages.cloudpassage.com/windows/cphalo-4.2.2-win64.exe
    acl p_cpwin path_beg /cloudpassage/cphalo-LATEST-win
    http-request set-path %[path,regsub(/cloudpassage/cphalo-LATEST,/windows/cphalo-4.2.2)] if p_cpwin

    # /cloudpassage/cloudpassage.packages.key ===> https://packages.cloudpassage.com/cloudpassage.packages.key
    acl p_cpkey path /cloudpassage/cloudpassage.packages.key

    # NOTE(kgriffs): We should avoid proxying repo requests unless for some reason the customer
    #   refuses to open a route to packages.cloudpassage.com:443 in their firewall. That way, we
    #   aren't on the critical path each time someone does a yum update.
    #
    # /cloudpassage/debian/* ===> https://packages.cloudpassage.com/debian/*
    # /cloudpassage/redhat/* ===> https://packages.cloudpassage.com/redhat/*
    acl p_cprepo path_reg /cloudpassage/(debian|redhat)/

    http-request set-path %[path,regsub(/cloudpassage/,/)] if p_cpkey or p_cprepo

backend my-backend
    balance roundrobin
    server app01 127.0.0.1:8080 check
    server app02 127.0.0.1:8080 check