ungleich-k8s/apps/haproxy/haproxy.cfg

global
    log stdout format raw local0

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

resolvers mydns
  parse-resolv-conf
  timeout retry   1s
  hold valid 30s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

defaults
    retries                 3
    log global
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s

frontend f_http
    bind ipv6@:80
    mode http

    http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower

    # if DNS resolving did not work
    # use_backend b_503 unless { var(txn.myip) -m found }

    default_backend      b_http

backend b_http
    mode http
    http-request deny unless { hdr(host) -i c2.k8s.ooo }
    http-request set-dst var(txn.myip)
    server http ipv6@*

# # HTTPs
frontend f_https
    bind ipv6@:443
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request deny unless { req_ssl_sni -i k8s.ooo }
    tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower

    default_backend b_https

backend b_https
    mode tcp

    tcp-request content set-dst var(txn.myip)
    server tcp_https ipv6@*

#    tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo }
#    use_backend b_503 unless { var(txn.myip) -m found }
begin phasing in haproxy 2021-06-24 18:29:27 +00:00			`global`
			`log stdout format raw local0`

			`# turn on stats unix socket`
			`stats socket /var/lib/haproxy/stats`

			`resolvers mydns`
			`parse-resolv-conf`
			`timeout retry 1s`
			`hold valid 30s`
			`hold nx 3s`
			`hold other 3s`
			`hold obsolete 0s`
			`accepted_payload_size 8192`

			`defaults`
			`retries 3`
			`log global`
			`timeout http-request 10s`
			`timeout queue 1m`
			`timeout connect 10s`
			`timeout client 1m`
			`timeout server 1m`
			`timeout http-keep-alive 10s`
			`timeout check 10s`

++gitea updates 2021-06-27 17:23:49 +00:00			`frontend f_http`
			`bind ipv6@:80`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00			`mode http`

			`http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower`

++gitea updates 2021-06-27 17:23:49 +00:00			`# if DNS resolving did not work`
			`# use_backend b_503 unless { var(txn.myip) -m found }`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00
++gitea updates 2021-06-27 17:23:49 +00:00			`default_backend b_http`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00
++gitea updates 2021-06-27 17:23:49 +00:00			`backend b_http`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00			`mode http`
			`http-request deny unless { hdr(host) -i c2.k8s.ooo }`
			`http-request set-dst var(txn.myip)`
			`server http ipv6@*`

			`# # HTTPs`
			`frontend f_https`
++gitea updates 2021-06-27 17:23:49 +00:00			`bind ipv6@:443`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00			`mode tcp`

			`tcp-request inspect-delay 5s`
			`tcp-request content accept if { req_ssl_hello_type 1 }`
haproxy updates 2021-07-16 14:27:28 +00:00			`tcp-request deny unless { req_ssl_sni -i k8s.ooo }`
begin phasing in haproxy 2021-06-24 18:29:27 +00:00			`tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower`

			`default_backend b_https`

			`backend b_https`
			`mode tcp`

			`tcp-request content set-dst var(txn.myip)`
			`server tcp_https ipv6@*`

			`# tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo }`
			`# use_backend b_503 unless { var(txn.myip) -m found }`