commit 39c0fc31d574d009f8c33ec5b723a245e4bac87e
Author: Nick Leffler
Date: Sun Oct 25 02:08:34 2020 +0000
import from previous testing
diff --git a/cfIps.txt b/cfIps.txt
new file mode 100644
index 0000000..a924ca6
--- /dev/null
+++ b/cfIps.txt
@@ -0,0 +1,21 @@
+2400:cb00::/32
+2606:4700::/32
+2803:f800::/32
+2405:b500::/32
+2405:8100::/32
+2a06:98c0::/29
+2c0f:f248::/32
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/12
+172.64.0.0/13
+131.0.72.0/22
diff --git a/cloudflare_ips.lst b/cloudflare_ips.lst
new file mode 100644
index 0000000..e85de6e
--- /dev/null
+++ b/cloudflare_ips.lst
@@ -0,0 +1,21 @@
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/12
+172.64.0.0/13
+131.0.72.0/22
+2400:cb00::/32
+2606:4700::/32
+2803:f800::/32
+2405:b500::/32
+2405:8100::/32
+2a06:98c0::/29
+2c0f:f248::/32
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..cd5f281
--- /dev/null
+++ b/haproxy.cfg
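Review bot: `cfIps.txt` and `cloudflare_ips.lst` carry the same 21 Cloudflare prefixes in a different order, and only `cloudflare_ips.lst` is referenced from `haproxy.cfg` (`acl from_cf src -f /etc/haproxy/cloudflare_ips.lst`), so the `.txt` copy looks like a leftover that will drift from the one actually enforced. Because this list is what decides whether a `CF-Connecting-IP` header is trusted, it needs a documented refresh procedure: a prefix Cloudflare later withdraws would keep being trusted, and a newly added one would not be matched at all. I would keep the single `.lst` file and add a header such as `# Cloudflare edge prefixes; refresh from Cloudflare's published IP ranges on a schedule` — assuming the HAProxy version in use accepts `#` comment lines in pattern files, which should be confirmed before relying on it.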
@@ -0,0 +1,50 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+defaults
+ log global
+# mode tcp
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ option http-server-close
+
+#### Main fron end ####
+frontend https_front
+ bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
+
+ #### Stats Page ####
+ stats uri /haproxy?stats
+ stats auth nick:sBbGmTah67npAPvehEmi5q9NwS5GA
+
+ #### Set correct IP ####
+ acl from_cf src -f /etc/haproxy/cloudflare_ips.lst
+ acl cf_ip_hdr req.hdr(CF-Connecting-IP) -m found
+# http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
+ http-request set-header real-ip1 %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
+
+ #### WP admin to single server ####
+ acl url_is_wp_admin path_beg /wp-admin /wp-login.php /manage /securein
+ use_backend adminServerHTTPS if url_is_wp_admin
+
+ #### Configure Backends ####
+ default_backend webserversHTTPS
+
+#### Main Backend ####
+backend webserversHTTPS
+ balance roundrobin
+ server web01.nicks.website 10.1.96.4:443 check ssl verify none
+
+#### Admin server ####
+backend adminServerHTTPS
+ balance roundrobin
+ server web01.nicks.website 10.1.96.4:443 check ssl verify none
diff --git a/haproxy.cfg.orig b/haproxy.cfg.orig
new file mode 100644
index 0000000..91c125d
--- /dev/null
+++ b/haproxy.cfg.orig
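Review bot: The `real-ip1` header is only set when the request both comes from a Cloudflare prefix and carries `CF-Connecting-IP`; on every other path nothing strips a client-supplied `real-ip1` or `CF-Connecting-IP`, so anyone who reaches port 443 directly can forge the "real" address the backend sees, which undermines whatever the `/wp-admin` and `/wp-login.php` routing is meant to protect. Add, before the existing `set-header`, `http-request del-header real-ip1` and `http-request del-header CF-Connecting-IP unless from_cf`, or set `real-ip1` to `%[src]` on the non-Cloudflare path, so the header is always proxy-controlled. On the same frontend, the stats endpoint at `/haproxy?stats` with a committed basic-auth password is exposed on the public TLS listener; it should move to a dedicated `listen` bound to a private address and the credential rotated now that it is in git history. `ssl verify none` on both `server` lines means the hop to 10.1.96.4 does not verify the origin certificate, which is presumably accepted for an internal network but deserves an explicit comment, and `adminServerHTTPS` currently points at the same single server as the default backend, so the admin split is a no-op until a second server exists.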
@@ -0,0 +1,90 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application. See the
+# full configuration options online.
+#
+# https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ # to have these messages end up in /var/log/haproxy.log you will
+ # need to:
+ #
+ # 1) configure syslog to accept network log events. This is done
+ # by adding the '-r' option to the SYSLOGD_OPTIONS in
+ # /etc/sysconfig/syslog
+ #
+ # 2) configure local2 events to go to the /var/log/haproxy.log
+ # file. A line like the following can be added to
+ # /etc/sysconfig/syslog
+ #
+ # local2.* /var/log/haproxy.log
+ #
+ log 127.0.0.1 local2
+
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+ # utilize system-wide crypto-policies
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+ ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+ bind *:5000
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+ default_backend app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+ balance roundrobin
+ server static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+ balance roundrobin
+ server app1 127.0.0.1:5001 check
+ server app2 127.0.0.1:5002 check
+ server app3 127.0.0.1:5003 check
+ server app4 127.0.0.1:5004 check
diff --git a/haproxy.cfg.orig.1 b/haproxy.cfg.orig.1
new file mode 100644
index 0000000..91c125d
--- /dev/null
+++ b/haproxy.cfg.orig.1
@@ -0,0 +1,90 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application. See the
+# full configuration options online.
+#
+# https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ # to have these messages end up in /var/log/haproxy.log you will
+ # need to:
+ #
+ # 1) configure syslog to accept network log events. This is done
+ # by adding the '-r' option to the SYSLOGD_OPTIONS in
+ # /etc/sysconfig/syslog
+ #
+ # 2) configure local2 events to go to the /var/log/haproxy.log
+ # file. A line like the following can be added to
+ # /etc/sysconfig/syslog
+ #
+ # local2.* /var/log/haproxy.log
+ #
+ log 127.0.0.1 local2
+
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+ # utilize system-wide crypto-policies
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+ ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+ bind *:5000
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+ default_backend app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+ balance roundrobin
+ server static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+ balance roundrobin
+ server app1 127.0.0.1:5001 check
+ server app2 127.0.0.1:5002 check
+ server app3 127.0.0.1:5003 check
+ server app4 127.0.0.1:5004 check
diff --git a/haproxy.cfg.tcp b/haproxy.cfg.tcp
new file mode 100644
index 0000000..4215b85
--- /dev/null
+++ b/haproxy.cfg.tcp
@@ -0,0 +1,43 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+defaults
+ log global
+ mode tcp
+# option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+frontend http_front
+ bind *:80
+ stats uri /haproxy?stats
+ stats auth admin:sBbGmTah67npAPvehEmi5q9NwS5GA
+ default_backend webserversHTTP
+ option http-server-close
+ option forwardfor
+
+frontend https_front
+ bind *:443
+# stats uri /haproxy?stats
+# stats auth admin:sBbGmTah67npAPvehEmi5q9NwS5GA
+ option forwardfor
+ default_backend webserversHTTPS
+ option http-server-close
+ option forwardfor
+
+backend webserversHTTP
+ balance roundrobin
+ server web01.nicks.website 10.1.96.4:80 check
+# server server_name2 private_ip2:80 check
+
+backend webserversHTTPS
+ balance roundrobin
+ server web01.nicks.website 10.1.96.4:443 check
diff --git a/ssl/default.pem b/ssl/default.pem
new file mode 100644
index 0000000..4b8ce59
--- /dev/null
+++ b/ssl/default.pem
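Review bot: The stats basic-auth secret on `http_front` (`stats auth admin:…`) is the same password committed as `nick:` in `haproxy.cfg`, and here it is served over plain HTTP on port 80, so it is now in git history under two usernames and must be rotated and removed from the repository (for example templated in at deploy time). Separately, `defaults` sets `mode tcp` while both frontends use HTTP-only directives (`stats uri`, `stats auth`, `option forwardfor`, `option http-server-close`); HAProxy does not apply these to a TCP-mode proxy, so I would expect startup warnings and neither the stats page nor X-Forwarded-For to actually take effect, and `option forwardfor` is listed twice in `https_front`. If this variant is meant to be TCP pass-through, drop those directives; if the stats page is wanted, give it a dedicated `listen stats` with `mode http` bound to a private address.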
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUKwzWRNhZYN5EqO9fFDlcZ7HNwbowDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMDA4MDIwNDEyMDJaFw0yMTA4MDIw
+NDEyMDJaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDcXdGGpE9lD9TtAYxrpUtOEHQG2zyjpoNarBMm7hoILStM5gqC
+zjbqs1xp+YLqWz0WpSFCYZI3XxgQt/2RsJGU5uYGzSP/IP+1cUzh6ezzyeQwVWPB
+JjaSIOHWNjBzlFZTBeP3cOj3SJf5xY1IQWRySjNU2GtspextC+QaVJ2rGQaHeyh2
+Oj9eXvrn1I4TyZ3UmnJJFlzcEaXlpzMbAcm/OnrVG8x8jybI1UU+j+516qw1d64z
+Wy0BqOzbHnmZsTOvTEYBxDdQ1UKJTvy6WmFvEez1Kqt7ZsvIz1zZpYf2hdrmTRjs
+YQQEhH0fyGFuERKoMWMl7bri8WnidgFRfSqLAgMBAAGjUzBRMB0GA1UdDgQWBBRz
+ZvueynrqkSoNGTmpCuj/aaTV8TAfBgNVHSMEGDAWgBRzZvueynrqkSoNGTmpCuj/
+aaTV8TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCXG0gPdDUv
+O9atEcu8aOL79jCLnVcJbib7nuBAa+ujka9hLekODzH29mw7uPMczbQtbVaVDd8q
+RHC6ku4IEZ+zNIat3q8oKBHdKOxCOgZ6p9G3YeJV9pIlnUkRG1963WIq5cgo9stc
+k7AOJgEeiWMxgvwAUQYvQ5DBYGw5xZT+mkz//RGoK+wnEIAn1l+XwtQ0t0Np/fp2
+9Qnm+O5BInCTy1V36TMSWwwBuLivswevMX40Am4N7TxntFygHIo+TUW1Y2ZEkaJS
+Cqb/nZdoPCsMtWOBwdoxAzLOLJU8xV8jVQvjwydGCx4QJ7SjW1pZFnE2o1hAHO2i
++khEsnkPHuvJ
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcXdGGpE9lD9Tt
+AYxrpUtOEHQG2zyjpoNarBMm7hoILStM5gqCzjbqs1xp+YLqWz0WpSFCYZI3XxgQ
+t/2RsJGU5uYGzSP/IP+1cUzh6ezzyeQwVWPBJjaSIOHWNjBzlFZTBeP3cOj3SJf5
+xY1IQWRySjNU2GtspextC+QaVJ2rGQaHeyh2Oj9eXvrn1I4TyZ3UmnJJFlzcEaXl
+pzMbAcm/OnrVG8x8jybI1UU+j+516qw1d64zWy0BqOzbHnmZsTOvTEYBxDdQ1UKJ
+Tvy6WmFvEez1Kqt7ZsvIz1zZpYf2hdrmTRjsYQQEhH0fyGFuERKoMWMl7bri8Wni
+dgFRfSqLAgMBAAECggEASdwwNB6ydb8esOmJ9TKL0Ph2yy2EX52Z/TQbnzrDAuaQ
+0s9vynPvuC6x1NtKY9581TA3u5YUefanjEL+/Gvf/7Z8dt8fJ44Z5ui4yierwfJz
+Rzf3nW9/bu8Sgsfa6YJYhK8+v1ra2rc8KP1r40H3ts7j8ZYwO1RJsCsCI0klJ4k2
+T8lOzXoA3nG+MhXgBY/4BSuYpvwOuS8xPBnR2AU9aY9LkMJdpF9WtPz6kmF+TrCg
+cHyH3FC7anSOuppClpPTRSiQuE76Nk6wOOB6E4YNaKBwu34QiRUjtJjXCP2oHmmT
+VDBMruwtF6nCtG6KN2uoLSiF1Rqtpj1qDCrEsxvnUQKBgQD65uVFCXTg5ognxYwm
+1hcOIggYtDEfVZV0RSRybJKezHELkAI+CG7nqOGsCOzb/1MAs9yoHHzicVb3+N9+
+K8JfP2jmqa467kcrZZ0XEwyL3sVs+eS8WJZ0zipBtgx5BIG0QKl9GH30bjKlu3PV
+9ri/819sqg67JAuGUikNge6T9QKBgQDg2BaLum0kMOdL6/70xz4XpOrPBxOmxe66
+aTXJrjBDmYeHF0CYDFgO9xJZDElZRem0HhbV+F+ieHPJfh+YPa3S0To45dR1e3Yr
+YGH7y/2SQ22nBkP/ydMmo8pJqlB8PUKrBSmlrEx2f0fcZquAjuNpPIP7x4CFFZga
+sZlrFUQ0fwKBgQCR0eoEAqf8Id+WBdkbpSfHHf5IpUk7Zdkztw+ktPdN9ZHp32t+
+NBaI6v0lqBZJEg5ihSZESjJGxQp/mhQCV1pjUw4bqRhKxbt1PFxdUcPj8rgZSu8m
+i/H9tuiWQkDjgLwFT+Nxge+KRRWIfvamrvrXDJI0LG3dU+iiy1Nyt0Y6lQKBgQDU
+NyAQgcTBg+bLIdNh9SwF5QI6pNNHdUn9Z4/86wtiwmXIe4nb+MqkVU5b/dy9Bd+u
+wTeMfQDGuCmQ5Bmt94k4kYICceo1eHHwPug8YCzVAA9etes4YaWJss4a+UU9/hQO
+lrDYTeddcITC4aS9kh/SE+v+mC4VbmxBxZ6oE0pswQKBgFrmiAIRsqAu/WCs2sd8
+d68N1EhQLiDG4B98hIXbkHZeDUTIt8Yt5UFk4xvnETa2huVgZqeLahkidMQkW5Wc
+RnCrDz6o1Iksj1T9ypUXRJhXtMwChJLFmmWmgTbLvP7E6n7MblmMPGFSYpCTmpfA
+PYDSBldAZ1hkeMBig4iVAWWz
+-----END PRIVATE KEY-----
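Review bot: This commits an unencrypted RSA private key together with its certificate, so anything HAProxy has served with it from `/etc/haproxy/ssl/` has to be treated as compromised from the moment the repository is readable; regenerate the pair, keep the `ssl/` directory out of version control (`.gitignore` it and provision the PEM at deploy time), and note that only a history rewrite actually removes the key once pushed. Decoding the certificate body, it appears to be the stock OpenSSL self-signed placeholder (subject `Default Company Ltd`, one-year validity starting 2020-08-02, `CA:TRUE` basic constraints), so it is presumably just the fallback presented to non-SNI clients under `crt /etc/haproxy/ssl/`, but a CA-flagged self-signed certificate is still not something to ship, and it would have expired in August 2021 in any case.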