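global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-dh-param-file /etc/haproxy/dhparam4096.pem
    # Apply to every "ssl" bind line: refuse pre-TLS1.2 handshakes instead of
    # inheriting whatever the linked OpenSSL allows (ssl-min-ver needs HAProxy >= 1.8).
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    # mode tcp
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    option http-server-close

#### Main front end ####
frontend main_front
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1

    #### LE cert ####
    # ACME HTTP-01 challenges are answered directly on :80; the ACL is also used
    # below to keep them out of the HTTPS redirect so validation never depends on
    # a TLS handshake for a certificate that may not exist yet.
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    # http-request redirect scheme https unless { ssl_fc }
    redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl

    #### Stats Page ####
    # NOTE(review): this credential lives in plaintext in the config and the stats
    # page is served from the public frontend. Rotate it and consider moving stats
    # to a dedicated "listen" section bound to an internal address or gated by an
    # admin source ACL.
    stats uri /haproxy?stats
    stats auth nick:sBbGmTah67npAPvehEmi5q9NwS5GA
    # Don't advertise the exact HAProxy version on the stats page.
    stats hide-version

    #### Set correct IP ####
    acl from_cf src -f /etc/haproxy/cloudflare_ips.lst
    acl cf_ip_hdr req.hdr(CF-Connecting-IP) -m found
    # Strip any client-supplied copy first: without this, a request that reaches
    # the frontend directly (not via Cloudflare) keeps whatever real-ip1 value the
    # client sent, and the backends would trust a forged client address.
    http-request del-header real-ip1
    # http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
    # Only populate real-ip1 when the peer is a Cloudflare edge and the header is present.
    http-request set-header real-ip1 %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr

    #### WP admin to single server ####
    # Pin admin/login paths to one backend so sessions are not spread across servers.
    acl url_is_wp_admin path_beg /wp-admin /wp-login.php /manage /securein
    use_backend adminServerHTTP if url_is_wp_admin

    #### Configure Backends ####
    default_backend webserversHTTP

#### Main Backend ####
backend webserversHTTP
    balance roundrobin
    server web01 10.108.0.2:80 check
    # server web02 10.108.0.5:80 check

#### Admin server ####
backend adminServerHTTP
    balance roundrobin
    server web01 10.108.0.2:80 check
    # server web02 10.108.0.5:80 check

#### LE Backend ####
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8080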