# Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
# Update the config.json to work with HAProxy
# Specify the IP address/hostname that the traffic from HAProxy will come from (this might not be the address that is bound to the listener)
# "tlsOffload": "10.1.1.10",
#
# Specify the HAProxy URL, with the hostname, that is used to get the certificate
# "certUrl": "https://mc.publicdomain.com:443/"
# TCP passthrough front: reads the TLS ClientHello so the SNI can select a backend
# server without terminating TLS here (mode tcp).
frontend sni-front
bind 10.1.1.10:443
mode tcp
# Hold the connection for up to 5s waiting for a ClientHello before routing it.
tcp-request inspect-delay 5s
# Accept as soon as a ClientHello (handshake type 1) has been seen.
# NOTE(review): no rule explicitly rejects connections that never present a
# ClientHello before the delay expires; if only TLS is expected on :443, consider a
# `tcp-request content reject` after this line so non-TLS traffic is dropped here.
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend sni-back
# Routes by the SNI read from the ClientHello (-i makes the hostname match
# case-insensitive).
backend sni-back
mode tcp
acl gitlab-sni req_ssl_sni -i gitlab.publicdomain.com
acl mc-sni req_ssl_sni -i mc.publicdomain.com
# NOTE(review): use-server gitlabSNI needs a matching `server gitlabSNI ...` line in
# this backend; none is shown in this snippet, and HAProxy rejects a config that
# references an undefined server — confirm it exists in the full file.
use-server gitlabSNI if gitlab-sni
use-server mc-SNI if mc-sni
# Hop to the TLS-terminating frontend below on the same host. send-proxy-v2-ssl-cn
# prepends a PROXY protocol v2 header (original client address plus SSL info), which
# is what the accept-proxy on mc-front-HTTPS consumes.
server mc-SNI 10.1.1.10:1443 send-proxy-v2-ssl-cn
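# TLS termination for mc.publicdomain.com, intended to be reached only through the
# sni-back hop (PROXY protocol v2).
frontend mc-front-HTTPS
mode http
# Adds X-Forwarded-For using the client address, which here comes from the PROXY header.
option forwardfor
# accept-proxy requires a PROXY protocol header on every connection to :1443 and trusts
# the client address it carries. Anything that can reach 10.1.1.10:1443 directly could
# therefore present a forged source address (and so a forged X-Forwarded-For). Keep
# :1443 unreachable except from this host (firewall), or replace accept-proxy with
# `tcp-request connection expect-proxy layer4 if { src 10.1.1.10 }` so only the local
# sni-back hop is trusted.
# NOTE(review): the certificate file is vm.publicdomain.net.pem while the SNI routed
# here is mc.publicdomain.com — confirm the PEM covers that name (SAN or wildcard).
bind 10.1.1.10:1443 ssl crt /etc/haproxy/vm.publicdomain.net.pem accept-proxy
http-request set-header X-Forwarded-Proto https
option tcpka
# Fixed: the original line referenced mc-back-HTTP, but the backend defined below is
# mc-back-HTTPS; HAProxy refuses to start when default_backend names an unknown backend.
default_backend mc-back-HTTPS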
# Backend to the MeshCentral host. Without the `ssl` keyword on the server line this
# is plain HTTP to 10.1.1.30:443 (TLS is offloaded at HAProxy; see the tlsOffload
# note at the top of this file).
backend mc-back-HTTPS
mode http
option forwardfor
# Preserve the Host the client asked for so MeshCentral sees the original hostname.
http-request add-header X-Forwarded-Host %[req.hdr(Host)]
option http-server-close
# NOTE(review): `verify none` only matters once `ssl` is added to this line (see the
# note at the end of the file), and at that point it disables verification of the
# MeshCentral certificate, so a host on the path to 10.1.1.30 could impersonate it.
# Prefer `verify required ca-file <path-to-ca-bundle>` when enabling ssl here.
server mc-01 10.1.1.30:443 check port 443 verify none
# In the event that it is required to have TLS between HAProxy and MeshCentral,
# remove the tlsOffload line and replace it with trustedProxy.
# Specify the IP address/hostname that the traffic from HAProxy will come from (this might not be the address that is bound to the listener)
# "trustedProxy": "10.1.1.10",
# and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword:
# server mc-01 10.1.1.30:443 check ssl port 443 verify none