99dd615e55
Add a service which will acquire certificates from an ACME cert provider, such as LetsEncrypt, to allow an openBalena instance to use a publicly trusted certificate instead of the self-signed one it will generate on setup. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
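global
    # 1024-bit ephemeral DH parameters are too weak for TLS key exchange
    # and HAProxy itself warns at start-up when this is left below 2048.
    tune.ssl.default-dh-param 2048
    # Applied to every `bind ... ssl` line (https-in below): refuse the
    # legacy protocol versions so the certificate is only ever served
    # over TLS 1.2 or later.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
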
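defaults
    # Inherited by every frontend/backend that does not override them.
    # Values without a unit are milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound the time a client may take to send a complete request header
    # on the http-mode frontends; without it a slow client can hold a
    # connection open for the whole `timeout client` without ever
    # sending a request.
    timeout http-request 10s
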
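frontend http-in
    mode http
    option forwardfor
    bind *:80
    # Strip any client-supplied X-Forwarded-Proto before appending ours:
    # `reqadd` appends rather than replaces, so a spoofed value from the
    # client would otherwise precede the real one at the backends.
    reqidel ^X-Forwarded-Proto:
    reqadd X-Forwarded-Proto:\ http

    # ACME HTTP-01 challenges (/.well-known/acme-challenge/) are routed
    # first so they win over the host rules below, whichever hostname is
    # being validated. use_backend rules are evaluated in order.
    acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
    use_backend cert-provider if is_cert_validation

    # Plain-HTTP routing to the service backends by Host header. Note that
    # nothing here redirects to https-in, so these services stay reachable
    # in clear text on port 80 alongside the TLS path; worth revisiting once
    # a publicly trusted certificate is in place.
    acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
    use_backend backend_api if host_api

    acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
    use_backend backend_registry if host_registry

    acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
    use_backend backend_vpn if host_vpn

    acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
    use_backend backend_s3 if host_s3
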
frontend ssl-in
    # Port 443 carries two kinds of traffic: TLS, which is hairpinned to
    # the https-in frontend via redirect-to-https-in, and the device VPN
    # protocol, which is handed straight to the vpn service.
    mode tcp
    bind *:443
    # Buffer up to 2s to classify the connection, but release it as soon
    # as a TLS ClientHello is seen.
    tcp-request inspect-delay 2s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Any SSL/TLS record version in the 2..3.4 range takes the TLS path;
    # everything else is assumed to be VPN traffic.
    acl is_tls_client req.ssl_ver 2:3.4
    use_backend redirect-to-https-in if is_tls_client
    default_backend vpn-devices

backend redirect-to-https-in
    # Not an HTTP redirect: TLS connections are hairpinned over loopback to
    # the https-in frontend (127.0.0.1:444), carrying the original client
    # address in a PROXY protocol v2 header so `accept-proxy` there can
    # restore it.
    mode tcp
    # Single server, so the balancing algorithm is moot.
    balance roundrobin
    server localhost 127.0.0.1:444 send-proxy-v2

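frontend https-in
    mode http
    option forwardfor
    # Only reachable through the loopback hairpin from redirect-to-https-in;
    # `accept-proxy` restores the real client address from the PROXY header
    # that hop adds. Keep this bound to 127.0.0.1: anything able to reach
    # the port directly could forge that header.
    # NOTE(review): /etc/ssl/private/open-balena.pem is presumably where the
    # self-signed certificate generated at setup, and later the one acquired
    # from the ACME provider, are installed — confirm against the
    # cert-provider service.
    bind 127.0.0.1:444 ssl crt /etc/ssl/private/open-balena.pem accept-proxy
    # Strip any client-supplied X-Forwarded-Proto before appending ours:
    # `reqadd` appends rather than replaces, so a spoofed value from the
    # client would otherwise precede the real one at the backends.
    reqidel ^X-Forwarded-Proto:
    reqadd X-Forwarded-Proto:\ https

    # Host-based routing to the service backends; use_backend rules are
    # evaluated in order and the first match wins. ACME challenges are
    # only handled on the port 80 frontend, not here.
    acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
    use_backend backend_api if host_api

    acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
    use_backend backend_registry if host_registry

    acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
    use_backend backend_vpn if host_vpn

    acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
    use_backend backend_s3 if host_s3
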
backend backend_api
    # API service, plain HTTP inside the compose network.
    mode http
    balance roundrobin
    option forwardfor
    # Health-checked on the same port it serves on (`port 80` is explicit
    # but matches the server address).
    server resin_api_1 api:80 check port 80

backend backend_registry
    # Container registry, plain HTTP inside the compose network.
    mode http
    balance roundrobin
    option forwardfor
    # Health-checked on the same port it serves on.
    server resin_registry_1 registry:80 check port 80

backend backend_vpn
    # HTTP side of the vpn service (the VPN tunnel itself goes through
    # vpn-devices / vpn-tunnel, not here).
    mode http
    balance roundrobin
    option forwardfor
    # Health-checked on the same port it serves on.
    server resin_vpn_1 vpn:80 check port 80

backend backend_s3
    # NOTE(review): no `server` line is defined here, so every request for
    # s3.${HAPROXY_HOSTNAME} routed from http-in / https-in is answered
    # with a 503. Presumably an s3 service is wired in elsewhere or later —
    # confirm, or drop the host_s3 rules until it exists.
    mode http
    balance roundrobin
    option forwardfor

backend cert-provider
    # Receives only the ACME challenge path from http-in (port 80). The
    # ACME server must be able to reach it over plain HTTP, so http-in has
    # to stay bound on port 80 for as long as certificates are renewed
    # this way.
    mode http
    balance roundrobin
    option forwardfor
    # `no-check`: the service is never health-checked, so a cert-provider
    # that is down is not noticed by HAProxy; the challenge request simply
    # fails at the ACME provider's end.
    server resin_cert-provider_1 cert-provider:80 no-check

backend vpn-devices
    # Non-TLS traffic from ssl-in (the device VPN protocol) is forwarded
    # to the vpn service with a PROXY protocol v2 header.
    mode tcp
    # NOTE(review): `check-send-proxy` and `port 443` only take effect when
    # `check` is also set; as written this server is never health-checked.
    # Looks like `check` was intended (the http backends all use it) —
    # confirm.
    server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443

frontend db
    # Raw TCP pass-through to PostgreSQL.
    mode tcp
    # Listens on every interface of the proxy container. Whether the
    # database is reachable from outside the host depends on which
    # container ports are published. NOTE(review): confirm 5432 is not
    # published on a public interface; the proxy adds no authentication
    # of its own in front of the database.
    bind *:5432
    # Long-lived client sessions are expected, so override the default.
    timeout client 1h
    default_backend backend_db

backend backend_db
    # PostgreSQL, TCP pass-through with a connect-level health check on
    # the service port.
    mode tcp
    server resin_db_1 db:5432 check port 5432

frontend redis
    # Raw TCP pass-through to Redis.
    mode tcp
    # Listens on every interface of the proxy container; exposure depends
    # on which container ports are published. NOTE(review): confirm 6379
    # is not published on a public interface — Redis is typically run
    # without authentication and the proxy adds none.
    bind *:6379
    # Long-lived client sessions are expected, so override the default.
    timeout client 1h
    default_backend backend_redis

backend backend_redis
    # Redis, TCP pass-through with a connect-level health check on the
    # service port.
    mode tcp
    server resin_redis_1 redis:6379 check port 6379

listen vpn-tunnel
    # Combined frontend+backend: TCP pass-through on 3128 to the vpn
    # service's tunnel port, with a connect-level health check.
    mode tcp
    # Listens on every interface of the proxy container; exposure depends
    # on which container ports are published.
    bind *:3128
    server balena_vpn vpn:3128 check port 3128