global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options) # set default parameters to the intermediate configuration tune.ssl.default-dh-param 4096 ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-dh-param-file /path/to/dhparam defaults # enables tcplog so disabled # log global mode http # option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http # TCP LB (443) frontend 443-in bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem mode tcp # DoT use_backend dns-dot if { ssl_fc_sni dot.DOMAIN } # TCP LB (853) frontend 853-in bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem mode tcp # DoT use_backend dns-dot if { ssl_fc_sni dot.DOMAIN } backend dns-dot mode tcp server dot 127.0.0.1:5353 check # TCP LB (443) frontend 443-in-doh bind :80 bind 104.244.78.187:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2 bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2 mode http http-request redirect scheme https unless { ssl_fc } rspidel (Server|x-powered-by|x-frontend) http-response set-header Strict-Transport-Security max-age=63072000 http-response set-header X-Frontend lv1 use_backend check if { path /check } acl doh-frontend1 hdr(host) -i doh.lDOMAIN use_backend http_nginx if dotweb-frontend1 # default_backend nginx backend dns-doh mode http server dns-doh 127.0.0.1:8053 check http-response set-header Strict-Transport-Security max-age=63072000 backend check mode http errorfile 503 /root/dns/check.http