From db6345ce01f763dee43a251a110e11df93d0a34d Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Fri, 16 Jul 2021 16:27:28 +0200
Subject: [PATCH] haproxy updates
---
apps/haproxy/haproxy-v2.cfg | 36 ++++++++++++++++++++++++++++++++++++
apps/haproxy/haproxy.cfg | 2 +-
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 apps/haproxy/haproxy-v2.cfg
diff --git a/apps/haproxy/haproxy-v2.cfg b/apps/haproxy/haproxy-v2.cfg
new file mode 100644
index 0000000..bb245cb
--- /dev/null
+++ b/apps/haproxy/haproxy-v2.cfg
@@ -0,0 +1,36 @@
+global
+ log stdout format raw local0
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+resolvers mydns
+ parse-resolv-conf
+
+defaults
+ retries 3
+ log global
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+
+frontend f_https
+ bind ipv6@:6443
+ mode tcp
+
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+ tcp-request content reject unless { req_ssl_sni -i k8s.ooo }
+ tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower
+
+ default_backend b_https
+
+backend b_https
+ mode tcp
+
+ tcp-request content set-dst var(txn.myip)
+ server tcp_https ipv6@*
diff --git a/apps/haproxy/haproxy.cfg b/apps/haproxy/haproxy.cfg
index 619c2a4..ed05f7f 100644
--- a/apps/haproxy/haproxy.cfg
+++ b/apps/haproxy/haproxy.cfg
@@ -48,9 +48,9 @@ frontend f_https tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } + tcp-request deny unless { req_ssl_sni -i k8s.ooo } tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower - default_backend b_https backend b_https
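Review bot: In `frontend f_https` of haproxy-v2.cfg the `accept if { req_ssl_hello_type 1 }` rule sits above the SNI `reject` and the `do-resolve`, and HAProxy stops evaluating `tcp-request content` rules at the first accept or reject that matches. As ordered, a TLS ClientHello is most likely accepted before the k8s.ooo check or the resolution runs, so the allow-list that limits which client-supplied names this proxy resolves and forwards to is not enforced, and `txn.myip` may be unset when b_https reaches `set-dst`. Put the filter and the resolution first and the accept last: `tcp-request content reject unless { req_ssl_sni -i k8s.ooo }`, `tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower`, `tcp-request content accept if { req_ssl_hello_type 1 }`. The haproxy.cfg hunk keeps the same accept-first order. Confirm with `haproxy -c -f` and a test connection that presents a different SNI.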
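Review bot: The line added to haproxy.cfg, `tcp-request deny unless { req_ssl_sni -i k8s.ooo }`, names no rule set after `tcp-request` (`connection`, `session` or `content`), and `deny` is an http-request action rather than a tcp-request one, so HAProxy will most likely refuse to load this file. The new haproxy-v2.cfg writes the same check as `tcp-request content reject unless { req_ssl_sni -i k8s.ooo }`; use that form here as well. The hunk's single deletion sits at `default_backend b_https`, and the collapsed layout leaves it unclear whether that directive or a blank line was removed. If it was the directive, f_https would have no backend for accepted connections, so please confirm which was intended.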