Jake Howard
29c9e14f62
This is technically _slightly_ less secure, but means it logs to journald properly, so can be picked up by fail2ban in future
46 lines
890 B
INI
46 lines
890 B
INI
global
|
|
log /dev/log local0
|
|
log /dev/log local1 notice
|
|
pidfile /run/haproxy.pid
|
|
stats timeout 30s
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
maxconn 10000
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
|
|
listen https
|
|
bind *:443
|
|
mode tcp
|
|
timeout http-request 10m
|
|
timeout connect 10m
|
|
timeout client 10m
|
|
timeout server 10m
|
|
server default {{ wireguard.clients.intersect.ip }}:443 send-proxy
|
|
|
|
listen http
|
|
bind *:80
|
|
stats enable
|
|
stats show-node
|
|
stats uri /haproxy
|
|
stats auth stats:{{ haproxy.stats_pass }}
|
|
timeout http-request 10m
|
|
timeout connect 10m
|
|
timeout client 10m
|
|
timeout server 10m
|
|
server default {{ wireguard.clients.intersect.ip }}:80 check
|
|
|
|
{% for port in haproxy.exposed_ports %}
|
|
|
|
listen expose_{{ port }}
|
|
bind *:{{ port }}
|
|
mode tcp
|
|
server default {{ wireguard.clients.intersect.ip }}:{{ port }}
|
|
|
|
{% endfor %}
|