3178e25e78
User-Frage: „Werden via haproxy die echten IPs durchgereicht?". Antwort: X-Forwarded-For ja (option forwardfor), aber Apps wie WordPress/Mailcow brauchen zusätzlich X-Forwarded-Proto=https um Redirect-Loops zu vermeiden, und X-Real-IP ist die bequeme single-value-Variante die viele Tools out-of-the-box lesen (ohne die XFF-Chain parsen zu müssen). Beide Frontends (public_https + mgmt_https) emittieren jetzt: http-request set-header X-Forwarded-Proto https http-request set-header X-Real-IP %[src] Was Backends sehen: X-Forwarded-For: <client-ip> (defaults: option forwardfor) X-Forwarded-Proto: https (NEW) X-Real-IP: <client-ip> (NEW, single value) PROXY-Protocol-Toggle pro Backend kommt nicht in diesem Release — der Operator hat „nur Header-Variante" gewählt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
117 lines
4.9 KiB
Smarty
117 lines
4.9 KiB
Smarty
# Generated by edgeguard-api — DO NOT EDIT.
|
|
# Source: internal/haproxy/haproxy.go (template: haproxy.cfg.tpl).
|
|
# Re-generate via `edgeguard-ctl render-config`.
|
|
|
|
global
|
|
log /dev/log local0 info
|
|
log /dev/log local1 notice
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 60s
|
|
timeout server 60s
|
|
timeout http-request 10s
|
|
# timeout tunnel wird PER BACKEND aktiviert (websocket-Flag),
|
|
# damit nur WS-Workloads die lange Idle-Toleranz haben und normale
|
|
# HTTP-Backends saubere Connection-Hygiene behalten.
|
|
|
|
# ── Public :80 ─────────────────────────────────────────────────────────
|
|
# ACME-01 challenges proxy to edgeguard-api which serves the webroot.
|
|
# Everything else redirects to HTTPS.
|
|
frontend public_http
|
|
bind :80
|
|
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
|
|
# Redirect to HTTPS first (skipped for ACME paths) — must come
|
|
# before use_backend so HAProxy doesn't warn about ordering.
|
|
http-request redirect scheme https code 301 unless is_acme
|
|
|
|
use_backend api_backend if is_acme
|
|
|
|
# ── Public :443 (Customer-Backends only) ──────────────────────────────
|
|
# TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
|
|
# seeds a self-signed _default.pem so HAProxy starts before certbot
|
|
# has issued anything.
|
|
#
|
|
# WICHTIG: kein default_backend → unbekannte Hosts kriegen 503. Die
|
|
# Management-UI sitzt bewusst auf :3443 (siehe mgmt_https unten),
|
|
# damit ein versehentlich offengelassenes Wildcard-DNS nie auf das
|
|
# Admin-Panel fällt. mailgateway/enconf-Pattern.
|
|
frontend public_https
|
|
bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=31536000"
|
|
|
|
# Client-IP-Weiterleitung an Backends. `option forwardfor` (defaults)
|
|
# setzt X-Forwarded-For; wir ergänzen Proto + RealIP damit Apps
|
|
# erkennen können (a) dass der Client HTTPS sprach und (b) die
|
|
# echte Source-IP ohne XFF-Chain-Parsing brauchen.
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Real-IP %[src]
|
|
|
|
{{- range $d := .Domains}}
|
|
{{- range $r := $d.Routes}}
|
|
use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
|
|
{{- end}}
|
|
{{- if $d.PrimaryBackendID}}
|
|
use_backend eg_backend_{{$d.PrimaryBackendID}} if { hdr(host) -i {{$d.Name}} }
|
|
{{- end}}
|
|
{{- end}}
|
|
|
|
# ── Mgmt :3443 (Admin-UI only) ────────────────────────────────────────
|
|
# Eigener Port für die Management-UI — gleicher Cert-Pool, aber kein
|
|
# Customer-Routing. Anti-Lockout-Regel im nft-Template lässt 3443
|
|
# immer durch. Erreichbar über jede Domain die auf die Box zeigt
|
|
# (Hostname egal — default_backend), inkl. der direkten IP.
|
|
frontend mgmt_https
|
|
bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
|
|
http-response set-header Strict-Transport-Security "max-age=31536000"
|
|
http-request set-header X-Forwarded-Proto https
|
|
http-request set-header X-Real-IP %[src]
|
|
default_backend api_backend
|
|
|
|
# ── Internal stats ─────────────────────────────────────────────────────
|
|
frontend internal_stats
|
|
bind 127.0.0.1:8404
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats admin if { src 127.0.0.1 }
|
|
|
|
# ── Backends ───────────────────────────────────────────────────────────
|
|
|
|
# edgeguard-api itself: management UI, REST API, ACME webroot.
|
|
# timeout tunnel 1h: /api/v1/firewall/log/live ist ein langlebiger
|
|
# WebSocket-Stream — ohne Tunnel-Override fällt er nach `timeout
|
|
# server 60s` ohne Events um.
|
|
backend api_backend
|
|
timeout tunnel 1h
|
|
server api1 127.0.0.1:9443 check
|
|
|
|
{{- range $b := .Backends}}
|
|
|
|
backend eg_backend_{{$b.ID}}
|
|
balance {{$b.LBAlgorithm}}
|
|
{{- if $b.WebSocket}}
|
|
timeout tunnel 1h
|
|
{{- end}}
|
|
{{- if $b.HealthCheckPath}}
|
|
option httpchk
|
|
http-check send meth GET uri {{$b.HealthCheckPath}}
|
|
{{- end}}
|
|
{{- range $s := $b.Servers}}
|
|
server {{$s.Name | safeID}} {{$s.Address}}:{{$s.Port}}{{if eq $b.Scheme "https"}} ssl verify none alpn h2,http/1.1{{end}}{{if $b.HealthCheckPath}} check inter 5s{{if eq $b.Scheme "https"}} check-alpn http/1.1{{end}}{{end}} weight {{$s.Weight}}{{if $s.Backup}} backup{{end}}
|
|
{{- end}}
|
|
{{- end}}
|