@Hujino wrote:
Hello,
I just bought a domain for my personal blog.
I point my domain to my firewall that hosts my haproxy.
However, my domain can’t reach my backend, it’s running in a loop.
Here is my haproxy configuration :
global log 127.0.0.1 local0 debug log /dev/log local0 notice maxconn 1024 chroot /var/haproxy uid 604 gid 604 daemon stats socket /var/run/haproxy.sock mode 666 level admin pidfile /var/run/haproxy.pid ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets tune.ssl.default-dh-param 2048 tune.maxrewrite 16384 tune.bufsize 65535 defaults log global mode http option redispatch option forwardfor retries 3 maxconn 2000 timeout server 60s timeout connect 5s timeout client 10s log-format "%ci [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" frontend http-s-domain bind *:80 bind *:443 ssl crt /etc/haproxy/ssl/storage.domain.com.haproxy.pem crt /etc/haproxy/ssl/another.com.haproxy.pem crt-list /etc/haproxy/ssl/client_crt no-sslv3 mode http option httplog clf option forwardfor option http-keep-alive capture request header Host len 64 capture request header Referer len 128 capture request header User-Agent len 128 capture request header X-Hit-Front len 128 acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl storage-domain hdr(host) -i storage.domain.com ################### ### ACL CLIENTS ### ################### acl another-blog hdr(host) -i another.com # HTTP->HTTPS http-request add-header X-Forwarded-Proto https if { ssl_fc } http-request add-header X-Forwarded-Proto http unless { ssl_fc } #www to non-www #catch all domains that begin with 'www.' acl host_www hdr_beg(host) -i www. #remove 'www.' part from host name reqirep ^Host:\ www.(.*)$ Host:\ \1 if host_www #now hostname does not contain 'www.' so we can #redirect to the same url redirect code 301 prefix / if host_www use_backend letsencrypt-backend if letsencrypt-acl use_backend nextcloud-storage-domain if storage-domain use_backend another-blog-prod if another-blog backend nextcloud-storage-domain http-response set-header Referrer-Policy no-referrer-when-downgrade http-response set-header X-Content-Type-Options: nosniff http-response set-header X-XSS-Protection: 1;mode=block http-response set-header X-Frame-Options: SAMEORIGIN http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload default-server inter 4s timeout server 2h http-check expect status 200 server ncd01 X.X.X.X:8080 cookie A check port 8080 fall 5 rise 3 backend another-blog-prod mode http default-server inter 4s timeout server 2h http-check expect status 200 server web01 X.X.X.X:443 cookie A check port 443 fall 5 rise 3 backend letsencrypt-backend server letsencrypt 127.0.0.1:1375 checkroot@haproxy:~# curl -ILk https://X.X.X.X HTTP/1.1 200 OK Etag: 22164-46b9-5e58d731 Content-Type: text/html; charset=utf-8 Content-Length: 18105 Last-Modified: Fri, 28 Feb 2020 09:02:41 GMT Cache-Control: private, max-age=0, proxy-revalidate, no-store, no-cache, must-revalidate Server: WEBrick/1.4.2 (Ruby/2.5.5/2019-03-15) OpenSSL/1.1.1d Date: Fri, 28 Feb 2020 09:15:37 GMT Connection: Keep-AliveIs it possible to get your opinion on it?
Posts: 1
Participants: 1