A useful haproxy.cfg for reverse-proxy setups with some added hardening. In `frontend stats`, change the default `username:password` and keep the stats listener bound to a local address — as written, `bind *:9000` listens on every interface, including the WAN side — so the statistics web UI on port 9000 (or whichever port you choose) is only reachable locally. The configuration suits several domains behind a single router and was built for OpenWrt, so you may need to tweak some parameters for your OS. All plain-HTTP requests are redirected to HTTPS; HTTPS connections are then routed to the right backend purely at OSI layer 4 (TCP) by reading the SNI name from the TLS ClientHello. HAProxy never decrypts the traffic, so it cannot inspect or modify HTTP content on port 443, and the TLS certificates live on, and are managed by, the backend servers rather than on HAProxy.
Check your configuration with:
haproxy -c -f /etc/haproxy.cfg

If the check passes, restart the service:
/etc/init.d/haproxy restart

/etc/haproxy.cfg:
# Global settings
# NOTE(review): there is no `log` directive in this section, so the
# `log global` line in defaults has nothing to inherit; logging comes only
# from the explicit `log` line in the defaults section. No `user`/`group`/
# `chroot` is set either, so HAProxy keeps whatever privileges it was started
# with — confirm the OpenWrt init script drops them, or add them here if a
# service account exists on your build.
global
    daemon            # Run HAProxy in daemon mode (detach from the controlling terminal)
    nosplice          # Disable using splice for receiving and transmitting data
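# Default settings, inherited by every frontend and backend below
defaults
    log global        # Inherit the global log targets (none are defined in global, so the explicit line below is the effective target)
    mode http         # Set the default mode to HTTP (https_in overrides this with mode tcp)
    option httplog    # Enable HTTP request/response logging
    log 127.0.0.1:514 local0  # Send logs to the local syslog daemon over UDP, facility local0
    # HAProxy can only log to syslog (UDP/TCP address or UNIX datagram socket)
    # or to a file descriptor, never straight to a file. The original
    # `log /var/log/haproxy.log local0` was parsed as a UNIX socket path that
    # nothing listens on, so every message sent to it was dropped. To get a
    # log file, configure your syslog daemon to write facility local0 to one.
    timeout client 30s  # Set client timeout to 30 seconds
    timeout connect 30s  # Set connect timeout to 30 seconds
    timeout server 30s   # Set server timeout to 30 seconds
    timeout http-request 10s  # Drop clients that do not finish sending request headers in time (slowloris mitigation for the http-mode listeners)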
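# Frontend for the HAProxy statistics web UI
frontend stats
    bind 127.0.0.1:9000  # Loopback only: `*:9000` would expose the stats UI (and these credentials) on every interface, including the WAN side
    # To reach it from the LAN instead, bind the LAN address and restrict the
    # source, e.g. `bind <lan-ip>:9000` plus `http-request deny unless { src 192.168.1.0/24 }`
    mode http         # Set mode to HTTP
    stats enable      # Enable statistics reporting
    stats uri /haproxy  # Set URI path for accessing statistics
    stats realm HAProxy\ Statistics  # Set realm for HTTP basic authentication
    stats auth username:password  # CHANGE THIS. The password is stored in clear text, so keep /etc/haproxy.cfg readable by root only (chmod 600)
    stats hide-version  # Do not advertise the HAProxy version on the page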
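# Frontend for plain HTTP traffic: its only job is to send clients to HTTPS
frontend http_in
    mode http         # Set mode to HTTP
    option httplog    # Enable HTTP request/response logging
    bind *:80         # Listen for HTTP traffic on port 80
    http-request redirect scheme https code 301  # Permanent redirect to HTTPS on the same host and path; 301 (rather than the default 302) lets clients cache it and stop hitting port 80
    # No response headers are set here on purpose. Browsers ignore a
    # Strict-Transport-Security header received over plain HTTP (RFC 6797
    # section 8.1), a 301 redirect has no document for a
    # Content-Security-Policy to govern, and because https_in passes TLS
    # through in tcp mode HAProxy never sees the HTTPS responses at all.
    # HSTS and CSP therefore have to be emitted by the backend origin servers.
    # `option forwardfor` was also dropped: nothing from this frontend is ever
    # forwarded to a backend, so there is no request to add X-Forwarded-For to.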
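# Frontend for HTTPS traffic (TLS passthrough: HAProxy only reads the ClientHello)
frontend https_in
    mode tcp          # TCP mode: the TLS session is never terminated here
    option tcplog     # Enable TCP logging
    bind *:443        # Listen for HTTPS traffic on port 443
    # Per-source-IP connection-rate limiting. The original config tracked
    # sources but never enforced anything; conn_rate is now stored and
    # checked at connection time. The threshold is a starting point
    # (50 new TCP connections per 10 s from one IP) — tune it for your
    # traffic, remembering that NAT'd households share a single source IP.
    stick-table type ip size 100k expire 30m store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 50 }
    # Wait up to 5 s for the ClientHello. Accept as soon as a TLS handshake
    # is seen; anything that has not produced one by then (plain HTTP, port
    # scans, garbage) is rejected instead of being passed through.
    tcp-request inspect-delay 5s
    acl tls req.ssl_hello_type 1  # ClientHello present
    tcp-request content accept if tls
    tcp-request content reject
    # Route on the SNI host name (lower-cased, port suffix stripped) to the
    # backend named "<sni>_tls". The SNI is client-controlled but only used
    # to look up an existing backend name; a name with no matching backend
    # (or a ClientHello without SNI) has nowhere to go and the connection is
    # closed, which is the fail-closed behaviour we want.
    use_backend %[req.ssl_sni,lower,word(1,:)]_tls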
# Backend servers for HTTPS traffic (one per SNI name; the frontend appends "_tls")
backend example1.com_tls
    mode tcp          # TCP passthrough: no `ssl` keyword on the server line, so TLS is terminated by the server itself
    server example1.com 192.168.1.101:443 check  # `check` in tcp mode is a plain TCP connect to :443 (layer-4 health check); it does not validate the certificate or the application
backend example2.com_tls
    mode tcp          # TCP passthrough: TLS is terminated by the server itself
    server example2.com 192.168.1.102:443 check  # Layer-4 (TCP connect) health check on :443 only
backend example3.com_tls
    mode tcp          # TCP passthrough: TLS is terminated by the server itself
    server example3.com 192.168.1.103:443 check  # Layer-4 (TCP connect) health check on :443 only
backend example4.com_tls
    mode tcp          # TCP passthrough: TLS is terminated by the server itself
    server example4.com 192.168.1.104:443 check  # Layer-4 (TCP connect) health check on :443 only

