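# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
# NOTE(review): this file is generated, so the two hardening changes marked
# "review:" below presumably need to be carried into the generator's template
# to survive regeneration - confirm.

global
    daemon
    # review: the admin socket lives in /tmp; restrict it to the owning user
    # and state the privilege level explicitly (operator is HAProxy's default).
    # Assumes the reload tooling that talks to this socket runs as the same
    # user as haproxy - confirm before rollout.
    stats socket /tmp/haproxy mode 600 level operator
    server-state-file global
    server-state-base /var/state/haproxy/
    # log using a syslog socket
    # NOTE(review): both targets use the same socket and facility, so events at
    # "notice" or more severe appear to be emitted twice - confirm this is intended.
    log /dev/log local0 info
    log /dev/log local0 notice
    tune.ssl.default-dh-param 2048
    # NOTE(review): this list still admits CBC-mode suites with SHA-1 MACs and
    # DHE-DSS key exchange. Together with the bind line on :443 (no-sslv3
    # no-tlsv10 only) TLS 1.1 remains negotiable; consider no-tlsv11 and an
    # AEAD-only list if the client population allows it.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

defaults
    log global

    # https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
    # https://github.com/appscode/voyager/pull/403
    option dontlognull
    option http-server-close

    # Timeout values
    timeout client 50s
    timeout client-fin 50s
    timeout connect 50s
    timeout server 50s
    timeout tunnel 50s
    # review: bound the time a client may take to deliver complete request
    # headers. Without this only "timeout client" applies between reads, so a
    # client trickling header bytes can hold a connection slot open indefinitely.
    timeout http-request 10s

    # Configure error files

    # default traffic mode is http
    # mode is overwritten in case of tcp services
    mode http

frontend http-80
    bind *:80
    mode http
    # Limit Connections
    # NOTE(review): X-Forwarded-Proto is taken from the request as received.
    # Unless a trusted load balancer in front of this listener sets or strips
    # the header, any client can send it and skip the HTTPS redirect below.
    acl is_proxy_https hdr(X-Forwarded-Proto) https
    acl acme_req path_beg /.well-known/acme-challenge/
    redirect scheme https code 301 if ! is_proxy_https ! acme_req
    option httplog
    # "option forwardfor" appends the peer address to X-Forwarded-For; values the
    # client already sent are kept, so backends should trust only the last entry.
    option forwardfor
    acl url_acl_voyager-operator.kube-system:56791-7jnwpk path_beg /.well-known/acme-challenge/
    use_backend voyager-operator.kube-system:56791-7jnwpk if url_acl_voyager-operator.kube-system:56791-7jnwpk

# ACME HTTP-01 challenge responder; reached over plain HTTP (no "ssl" on the server line).
backend voyager-operator.kube-system:56791-7jnwpk
    server pod-voyager-operator-2418478371-vn86x 10.36.1.4:56791

frontend http-443
    # NOTE(review): the "\ " before alpn and before Strict-Transport-Security,
    # and the doubled backslashes in the rsprep/rspadd lines, look like escaping
    # added when this file was dumped or pasted. HAProxy reads "\ " as a literal
    # space and "\\" as a literal backslash, so as printed these lines would not
    # parse as intended - compare with the file on disk.
    bind *:443 ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/ \ alpn http/1.1
    # Mark all cookies as secure
    rsprep ^Set-Cookie:\\ (.*) Set-Cookie:\\ \\1;\\ Secure
    # Add the HSTS header with a 6 month default max-age
    rspadd \ Strict-Transport-Security:\\ max-age=15768000
    mode http
    option httplog
    # Same X-Forwarded-For caveat as on :80 - client-supplied entries are preserved.
    option forwardfor
    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com
    acl host_acl_web.default:80-amkcr3 hdr(host) -i kiteci.com:443
    acl url_acl_web.default:80-amkcr3 path_beg /
    use_backend web.default:80-amkcr3 if host_acl_web.default:80-amkcr3 url_acl_web.default:80-amkcr3

# TLS ends at the frontend above; traffic to the pod is plain HTTP (no "ssl" on the server line).
backend web.default:80-amkcr3
    server pod-nginx-4217019353-j3dr1 10.36.1.5:80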