DNSserver/configuration/haproxy.cfg
2021-02-15 09:31:26 +07:00

88 lines
2.9 KiB
INI

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
# If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
# set default parameters to the intermediate configuration
ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl-dh-param-file /path/to/dhparam
defaults
# enables tcplog so disabled
# log global
mode http
# option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# TCP LB (443)
frontend 443-in
bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
mode tcp
# DoT
use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
# TCP LB (853)
frontend 853-in
bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
mode tcp
# DoT
use_backend dns-dot if { ssl_fc_sni dot.domain }
backend dns-dot
mode tcp
server dot 127.0.0.1:5353 check
# TCP LB (443)
frontend 443-in-doh
bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
mode http
http-response set-header Strict-Transport-Security max-age=63072000
http-response set-header X-Frontend lv1
use_backend check if { path /check }
use_backend dns-doh if { hdr(host) -i doh.domain }
# default_backend nginx
backend dns-doh
mode http
server dns-doh 127.0.0.1:8053 check
http-response set-header Strict-Transport-Security max-age=63072000
backend check
mode http
errorfile 503 /root/dns/check.http