blob: a8da55c5589f99027b42ad1d5760ac6e9ad111c4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
global
log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
#################################
# Default SSL material locations#
#################################
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
tune.ssl.default-dh-param 2048
ssl-default-bind-options force-tlsv12 no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
tune.ssl.maxrecord 1400
defaults
log global
mode http
option httplog
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http
option http-server-close
option forwardfor except 127.0.0.1
retries 6
option redispatch
maxconn 50000
timeout connect 50000
timeout client 480000
timeout server 480000
timeout http-keep-alive 30000
frontend IST_8443
mode http
bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
option httplog
log global
option logasap
option forwardfor
capture request header Host len 100
capture response header Host len 100
option log-separate-errors
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
#######################
#ACLS FOR PORT 8446####
#######################
acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
acl is_named-query path_beg -i /aai/search/named-query
acl is_search-model path_beg -i /aai/search/model
use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
default_backend IST_Default_8447
#######################
#DEFAULT BACKEND 847###
#######################
backend IST_Default_8447
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server aai-resources.api.simpledemo.onap.org aai-resources.api.simpledemo.onap.org:8447 port 8447 ssl verify none
#######################
# BACKEND 8446#########
#######################
backend IST_AAI_8446
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server aai-traversal.api.simpledemo.onap.org aai-traversal.api.simpledemo.onap.org:8446 port 8446 ssl verify none
listen IST_AAI_STATS
mode http
bind *:8080
stats uri /stats
stats enable
stats refresh 30s
stats hide-version
stats auth admin:admin
stats show-legends
stats show-desc IST AAI APPLICATION NODES
stats admin if TRUE
|