DNSserver/configuration/haproxy.cfg


global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
        # set default parameters to the intermediate configuration
        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
        ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl-dh-param-file /path/to/dhparam

defaults
#       enables tcplog so disabled
#       log     global
        mode    http
#       option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


# TCP LB (443)
frontend 443-in
          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
          mode tcp

        # DoT
        use_backend dns-dot if { ssl_fc_sni dot.domain.pem }

# TCP LB (853)
frontend 853-in
	bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
	bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
	mode tcp

	# DoT
	use_backend dns-dot if { ssl_fc_sni dot.domain }

backend dns-dot
	mode tcp
	server dot 127.0.0.1:5353 check

# TCP LB (443)
frontend 443-in-doh
	bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem
        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem

        mode http

        http-response set-header Strict-Transport-Security max-age=63072000
	http-response set-header X-Frontend lv1

	use_backend check if { path /check }

	use_backend dns-doh if { hdr(host) -i doh.domain }

#	default_backend nginx

backend dns-doh
mode http
server dns-doh 127.0.0.1:8053 check

http-response set-header Strict-Transport-Security max-age=63072000

backend check
        mode http
        errorfile 503 /root/dns/check.http
Create haproxy.cfg 2021-01-01 12:11:38 +00:00
			`global`
			`log /dev/log local0`
			`log /dev/log local1 notice`
			`chroot /var/lib/haproxy`
			`stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners`
			`stats timeout 30s`
			`user haproxy`
			`group haproxy`
			`daemon`

			`# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern`
			# If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
			`# set default parameters to the intermediate configuration`
			`ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
			`ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`
			`ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`
			`ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`

			`# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam`
			`ssl-dh-param-file /path/to/dhparam`

			`defaults`
			`# enables tcplog so disabled`
			`# log global`
			`mode http`
			`# option httplog`
			`option dontlognull`
			`timeout connect 5000`
			`timeout client 50000`
			`timeout server 50000`
			`errorfile 400 /etc/haproxy/errors/400.http`
			`errorfile 403 /etc/haproxy/errors/403.http`
			`errorfile 408 /etc/haproxy/errors/408.http`
			`errorfile 500 /etc/haproxy/errors/500.http`
			`errorfile 502 /etc/haproxy/errors/502.http`
			`errorfile 503 /etc/haproxy/errors/503.http`
			`errorfile 504 /etc/haproxy/errors/504.http`


			`# TCP LB (443)`
			`frontend 443-in`
			`bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem`
			`bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem`
			`mode tcp`

			`# DoT`
			`use_backend dns-dot if { ssl_fc_sni dot.domain.pem }`

			`# TCP LB (853)`
			`frontend 853-in`
			`bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem`
			`bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem`
			`mode tcp`

			`# DoT`
			`use_backend dns-dot if { ssl_fc_sni dot.domain }`

			`backend dns-dot`
			`mode tcp`
			`server dot 127.0.0.1:5353 check`

			`# TCP LB (443)`
			`frontend 443-in-doh`
Leaks Fixing 2021-01-28 09:38:44 +00:00			`bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem`
			`bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem`
Create haproxy.cfg 2021-01-01 12:11:38 +00:00
			`mode http`

			`http-response set-header Strict-Transport-Security max-age=63072000`
			`http-response set-header X-Frontend lv1`

			`use_backend check if { path /check }`

			`use_backend dns-doh if { hdr(host) -i doh.domain }`

			`# default_backend nginx`

			`backend dns-doh`
			`mode http`
			`server dns-doh 127.0.0.1:8053 check`

			`http-response set-header Strict-Transport-Security max-age=63072000`

			`backend check`
			`mode http`
			`errorfile 503 /root/dns/check.http`