I have an HAProxy (mode http) configured like this:
    # report subdomain
    acl report hdr_dom(host) -i report.sample.com
    use_backend app_report if report
In Cloudflare DNS, I point the A record of the 'report' subdomain to my IP. It was working without Cloudflare, but now I get the following error:
    This site can't be reached: report.sample.com took too long to respond.
I am not an HAProxy guru, but the config below works for me.
The special part here is the SSL configuration for 'vault'. If you want to use SSL with HAProxy, you need to tell it to 'forward' the certificate. It's not a perfect config, but I only need HAProxy to save public IPs.
global
    daemon
    maxconn 2560
    log /dev/log local0 debug

defaults
    log global                 # without this the global log line is never used
    option httplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# Port 80: plain HTTP. Routing on the Host header needs mode http;
# hdr(host) never matches in a tcp-mode frontend.
frontend http_in
    mode http
    bind *:80
    acl pihole hdr(host) -i pihole.xxxxx.de
    use_backend pihole if pihole

# Port 443: TLS is passed through unterminated, so the only routable
# information is the SNI in the ClientHello, read before any decryption.
frontend https_in
    mode tcp
    bind *:443
    option tcplog
    tcp-request inspect-delay 5s
    acl sslv3 req.ssl_ver 3        # record version 3.0 = SSLv3; TLS 1.x announces 3.1 and up
    tcp-request content reject if sslv3
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl vault req_ssl_sni -i vault.xxxxx.de
    use_backend vault_ssl if vault
    # no default_backend: connections that match nothing are closed

###################################
# pihole #
###################################
backend pihole
    mode http
    server pihole 172.30.0.150:80

###################################
# vault #
###################################
backend vault_ssl
    mode tcp
    # Stick on the TLS session ID: its length byte sits at record offset 43
    # (5 record header + 4 handshake header + 2 version + 32 random).
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2     # the ServerHello is in the response, not the request
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server vault 172.30.0.153:443 check
This config is for testing purposes; the SSL configuration in particular could be incomplete. Vault is running in a locked-down zone.
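As an added example (not part of the answer above or of HAProxy itself), the Python script below builds a TLS ClientHello and decodes the three fields the tcp-mode rules in that config depend on: the record-layer version that `req.ssl_ver` tests, the session ID whose length byte `payload_lv(43,1)` reads at offset 43, and the server name that `req_ssl_sni` matches. It shows why SNI routing works on an unterminated TLS stream while a Host header cannot be used there: the ClientHello is sent in the clear before any key exchange, whereas HTTP headers travel inside the encrypted stream, and a plain-HTTP request on the same port yields no SNI at all. The hostnames come from the config; the ClientHello bytes, the zero client random and the `choose_backend` helper are constructed for illustration.

```python
"""Decode the parts of a TLS ClientHello that HAProxy's req.ssl_ver, req_ssl_sni
and payload_lv(43,1) fetches read.  No decryption is involved: the ClientHello
travels in the clear, before any key exchange.  All bytes are constructed here."""
import struct

HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 0x01  # handshake message type
SNI_EXT = 0x0000     # extension type: server_name


def build_client_hello(sni, session_id=b"", record_version=(3, 1), hello_version=(3, 3)):
    """Assemble a minimal ClientHello with one cipher suite and an SNI extension
    (constructed test data, not a capture)."""
    name = sni.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(name)) + name       # name type 0 = host_name
    ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", SNI_EXT, len(ext_body)) + ext_body
    body = (
        bytes(hello_version)
        + bytes(32)                               # client random (zeros; constructed)
        + bytes([len(session_id)]) + session_id   # length byte lands at record offset 43
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *record_version]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'ssl_ver', 'session_id', 'sni'} for a TLS ClientHello, or None when
    the bytes are not one (plaintext HTTP, truncated data, other record types)."""
    try:
        if data[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len or data[5] != CLIENT_HELLO:
            return None
        end = 5 + rec_len
        pos = 43                                   # 5 record + 4 handshake + 2 version + 32 random
        sid_len = data[pos]
        session_id = data[pos + 1:pos + 1 + sid_len]
        pos += 1 + sid_len
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + data[pos]                                   # skip compression methods
        sni = None
        if pos + 2 <= end:                                     # extensions are optional
            ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if etype == SNI_EXT and data[pos + 2] == 0:    # first list entry is a host_name
                    name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                    sni = data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += elen
        return {"ssl_ver": f"{data[1]}.{data[2]}", "session_id": session_id, "sni": sni}
    except (IndexError, struct.error):
        return None


def choose_backend(data, sni_backends):
    """Replay the 443 frontend's rules on one ClientHello: reject SSLv3 (record
    version 3.0), route on the SNI case-insensitively (req_ssl_sni -i), otherwise
    no backend, which in mode tcp means HAProxy closes the connection."""
    hello = parse_client_hello(data)
    if hello is None:
        return None          # not TLS: req_ssl_sni has nothing to match
    if hello["ssl_ver"] == "3.0":
        return "reject"
    if hello["sni"] is None:
        return None
    return sni_backends.get(hello["sni"].lower())


if __name__ == "__main__":
    backends = {"vault.xxxxx.de": "vault_ssl"}
    hello = build_client_hello("vault.xxxxx.de", session_id=bytes(range(32)))
    print(parse_client_hello(hello))
    print(choose_backend(hello, backends))
    # A plain HTTP request on the TLS port has no SNI, so the tcp frontend cannot route it
    print(choose_backend(b"GET / HTTP/1.1\r\nHost: pihole.xxxxx.de\r\n\r\n", backends))
```

The SSLv3 check keys on the record-layer version because that is what `req.ssl_ver` inspects; a TLS 1.3 client still puts 3.1 in the record header, so the `req.ssl_ver 3` rule rejects only genuine SSLv3 hellos.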