open-balena/haproxy/haproxy.cfg
Rich Bayliss 99dd615e55
certs: Add support for an ACME certificate provider
Add a service which will acquire certificates from an ACME cert
provider, such as LetsEncrypt (), to allow an openBalena instance
to use a publicly trusted certificate instead of the self-signed
one it wil generate on setup.

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>
2019-03-08 12:23:46 +00:00

120 lines
2.7 KiB
INI

global
tune.ssl.default-dh-param 1024
defaults
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http-in
mode http
option forwardfor
bind *:80
reqadd X-Forwarded-Proto:\ http
acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
use_backend cert-provider if is_cert_validation
acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
use_backend backend_api if host_api
acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
use_backend backend_registry if host_registry
acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
use_backend backend_vpn if host_vpn
acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
use_backend backend_s3 if host_s3
frontend ssl-in
mode tcp
bind *:443
tcp-request inspect-delay 2s
tcp-request content accept if { req.ssl_hello_type 1 }
acl is_ssl req.ssl_ver 2:3.4
use_backend redirect-to-https-in if is_ssl
use_backend vpn-devices if !is_ssl
backend redirect-to-https-in
mode tcp
balance roundrobin
server localhost 127.0.0.1:444 send-proxy-v2
frontend https-in
mode http
option forwardfor
bind 127.0.0.1:444 ssl crt /etc/ssl/private/open-balena.pem accept-proxy
reqadd X-Forwarded-Proto:\ https
acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
use_backend backend_api if host_api
acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
use_backend backend_registry if host_registry
acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
use_backend backend_vpn if host_vpn
acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
use_backend backend_s3 if host_s3
backend backend_api
mode http
option forwardfor
balance roundrobin
server resin_api_1 api:80 check port 80
backend backend_registry
mode http
option forwardfor
balance roundrobin
server resin_registry_1 registry:80 check port 80
backend backend_vpn
mode http
option forwardfor
balance roundrobin
server resin_vpn_1 vpn:80 check port 80
backend backend_s3
mode http
option forwardfor
balance roundrobin
backend cert-provider
mode http
option forwardfor
balance roundrobin
server resin_cert-provider_1 cert-provider:80 no-check
backend vpn-devices
mode tcp
server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
frontend db
mode tcp
bind *:5432
default_backend backend_db
timeout client 1h
backend backend_db
mode tcp
server resin_db_1 db:5432 check port 5432
frontend redis
mode tcp
bind *:6379
default_backend backend_redis
timeout client 1h
backend backend_redis
mode tcp
server resin_redis_1 redis:6379 check port 6379
listen vpn-tunnel
mode tcp
bind *:3128
server balena_vpn vpn:3128 check port 3128