3 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
8 #################################
9 # Default SSL material locations#
10 #################################
11 ca-base /etc/ssl/certs
12 crt-base /etc/ssl/private
14 # Default ciphers to use on SSL-enabled listening sockets.
15 # For more information, see ciphers(1SSL). This list is from:
16 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
17 # An alternative list with additional directives can be obtained from
18 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
19 tune.ssl.default-dh-param 2048
26 # errorfile 400 /etc/haproxy/errors/400.http
27 # errorfile 403 /etc/haproxy/errors/403.http
28 # errorfile 408 /etc/haproxy/errors/408.http
29 # errorfile 500 /etc/haproxy/errors/500.http
30 # errorfile 502 /etc/haproxy/errors/502.http
31 # errorfile 503 /etc/haproxy/errors/503.http
32 # errorfile 504 /etc/haproxy/errors/504.http
34 option http-server-close
35 option forwardfor except 127.0.0.1
42 timeout http-keep-alive 30000
47 bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
48 # log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
49 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
54 capture request header Host len 100
55 capture response header Host len 100
56 option log-separate-errors
58 http-request set-header X-Forwarded-Proto https if { ssl_fc }
59 http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
60 http-request set-header X-AAI-SSL %[ssl_fc]
61 http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
62 http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
63 http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
64 http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
65 http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
66 http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
67 http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
68 http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
69 http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
70 http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
71 http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
72 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
73 reqadd X-Forwarded-Proto:\ https
74 reqadd X-Forwarded-Port:\ 8443
76 #######################
77 #ACLS FOR PORT 8446####
78 #######################
80 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
81 acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
82 acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
83 acl is_named-query path_beg -i /aai/search/named-query
84 acl is_search-model path_beg -i /aai/search/model
85 use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
87 default_backend IST_Default_8447
90 #######################
91 #DEFAULT BACKEND 847###
92 #######################
94 backend IST_Default_8447
96 http-request set-header X-Forwarded-Port %[src_port]
97 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
98 server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}:8447 port 8447 ssl verify none
100 #######################
101 # BACKEND 8446#########
102 #######################
106 http-request set-header X-Forwarded-Port %[src_port]
107 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
108 server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}:8446 port 8446 ssl verify none
117 stats auth admin:admin
119 stats show-desc IST AAI APPLICATION NODES