forked from thomasdarimont/keycloak-project-example
-
Notifications
You must be signed in to change notification settings - Fork 0
/
haproxy.cfg
105 lines (90 loc) · 4.03 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# See https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
#chroot /var/lib/haproxy
#pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
## Disable cipher config to workaround
## Proxy 'id.acme.test': unable to set SSL cipher list to 'PROFILE=SYSTEM' for bind '*:1443' at [/usr/local/etc/haproxy/haproxy.cfg:58]
# ssl-default-bind-ciphers PROFILE=SYSTEM
# ssl-default-server-ciphers PROFILE=SYSTEM
# modern configuration
# generated via https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1d&ocsp=false&guideline=5.6
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Note that we left out no-tlsv12, since Keycloak currently uses tlsv12
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 2
# see https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#3.9-timeout%20server
timeout http-request 10s
timeout queue 1m
timeout connect 2s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 3s
maxconn 3000
frontend id.acme.test
# Copy the haproxy.crt.pem file to /etc/haproxy
bind *:1443 ssl crt /etc/haproxy/haproxy.crt.pem
# ACLs based on typical "scanner noise"
acl is_bad_url path -m end -i .php
acl is_bad_url path -m end -i .asp
# acl is_bad_url url -m sub ../..
# If the request matches one of the known "bad stuff" rules, reject.
http-request deny if is_bad_url
use_backend keycloak
backend keycloak
mode http
stats enable
stats uri /haproxy?status
option httpchk
http-check send meth GET uri /auth/realms/master ver HTTP/1.1 hdr Host localhost
option forwardfor
http-request add-header X-Forwarded-Proto https
http-request add-header X-Forwarded-Port 1443
http-request redirect scheme https unless { ssl_fc }
cookie KC_ROUTE insert indirect nocache
balance roundrobin
# Configure transport encryption with https / tls
# http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#check
server kc1 acme-keycloak-1:8443/auth ssl verify none check cookie kc1
server kc2 acme-keycloak-2:8443/auth ssl verify none check cookie kc2
# Configure plain transport with http
# server kc1 acme-keycloak-1:8080/auth check cookie kc1
# server kc2 acme-keycloak-2:8080/auth check cookie kc2