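# HAProxy front door for one host.
#
# Public :443 is a protocol multiplexer: the first bytes of every connection
# decide whether the raw TCP stream goes to the TLS terminator (frontend main,
# on loopback), to sshd, to a local SOCKS5 server or to Shadowsocks.  Behind
# the TLS terminator, HTTP goes to the local web server (:81 for HTTP/1.1,
# :82 for h2) and anything that is not HTTP (e.g. SSH-over-TLS) goes to sshd.
# Public :80 only serves ACME HTTP-01 challenges and redirects to https.

global
    ulimit-n 51200
    # Size of the built-in DH group used when no DH parameters are supplied
    # (the ssl-dh-param-file below normally takes precedence).
    tune.ssl.default-dh-param 4096
    # "debug" is the maximum level forwarded, i.e. everything is logged to
    # local2; tune down once the setup is stable.
    log /dev/log local2 debug
    user haproxy
    group haproxy
    # NOTE(review): no chroot is configured; chroot to an empty directory
    # would limit filesystem access after the privilege drop above.
    lua-load /etc/haproxy/acme-http01-webroot.lua
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 #no-tls-tickets
    # Cipher order prefers AES-256 (GCM first, then CBC); the listed AES-128
    # suites are excluded.  DES-CBC3-SHA (3DES) is still enabled: "!DES" and
    # the trailing "!EDH-*-DES-CBC3-SHA" exclusions do not cover it, and 3DES
    # is a 64-bit block cipher (SWEET32).  Presumably kept for legacy clients;
    # append ":!3DES" once they are gone.
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-GCM-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-DSS-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:!AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Same policy for outgoing TLS (no backend in this file uses "ssl", so
    # this is currently dormant).
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 #no-tls-tickets
    ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!ECDHE-RSA-AES128-GCM-SHA256:!ECDHE-ECDSA-AES128-GCM-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-DSS-AES128-GCM-SHA256:!ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA256:!AES128-GCM-SHA256:!AES128-SHA256:!AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Generate with (output path must match ssl-dh-param-file below):
    #   openssl dhparam -out /etc/haproxy/dhparams.pem 4096
    ssl-dh-param-file /etc/haproxy/dhparams.pem

defaults
    # No "mode" here: every section that needs HTTP processing sets it itself.
    timeout connect 20s
    timeout client 50s
    timeout server 50s
    timeout tunnel 1h
    log global
    option dontlognull

frontend ssl
    # Public :443.  Nothing is decrypted here; the client's first payload
    # bytes pick the backend that receives the raw TCP stream.
    mode tcp
    # option tcplog
    bind 0.0.0.0:443 tfo
    # Wait up to 2s for enough client data to classify the connection.
    tcp-request inspect-delay 2s
    # "SSH-2.0" (client identification string, sent first by the client)
    acl is_ssh payload(0,7) -m bin 5353482d322e30
    # Socks 5: version byte 0x05 and a short greeting
    acl is_socks5_bin payload(0,1) -m bin 05
    acl is_socks5_len req_len le 5
    # SSL / TLS: a ClientHello with a recognised record version
    acl is_ssl req_ssl_ver 1:4
    # TLS is accepted as soon as it is recognised; the other protocols may
    # have to wait out the inspect-delay before the rules below are evaluated.
    tcp-request content accept if is_ssl
    use_backend main-ssl if is_ssl
    use_backend ssh if !is_ssl is_ssh
    use_backend socks if is_socks5_bin is_socks5_len
    default_backend shadowsocks

frontend main
    # Loopback TLS terminator, meant to be reached through backend main-ssl,
    # which carries the real client address via the PROXY protocol.
    # NOTE(review): accept-proxy trusts whatever PROXY header a local process
    # sends, so this listener must stay on 127.0.0.1 only.
    mode tcp
    # option tcplog
    bind 127.0.0.1:443 tfo ssl ecdhe secp384r1 crt /etc/haproxy/certs/ npn h2,http/1.1 alpn h2,http/1.1 accept-proxy
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    #option forwardfor
    # "SSH-2.0"
    acl is_ssh payload(0,7) -m bin 5353482d322e30
    # Decrypted stream: SSH (or anything that is not HTTP) goes to sshd, h2
    # negotiated via ALPN goes to the h2-capable listener, the rest to HTTP/1.1.
    use_backend ssh if is_ssh || !HTTP
    use_backend webserver-http2 if { ssl_fc_alpn -i h2 }
    default_backend webserver

frontend http
    # Plain HTTP.  Declared as HTTP mode explicitly so the header rule below
    # applies at the frontend; "defaults" sets no mode, so it would otherwise
    # be a TCP frontend relying on the upgrade at backend selection.
    mode http
    bind 0.0.0.0:80 tfo
    reqadd X-Forwarded-Proto:\ http
    default_backend webserver

backend main-ssl
    mode tcp
    # option tcplog
    # Connect to frontend main (loopback); send-proxy matches its accept-proxy.
    server main-ssl 127.0.0.1:443 send-proxy

backend shadowsocks
    mode tcp
    # option tcplog
    server shadowsocks-localhost 127.0.0.1:7688 maxconn 20480
    # Long-lived tunnels: override the 50s default from "defaults".
    timeout server 2h

backend ssh
    mode tcp
    # option tcplog
    # Transparent proxying (real client IP towards sshd) is disabled; enable
    # only with the matching kernel/routing setup.
    # source 0.0.0.0 usesrc clientip
    server ssh 127.0.0.1:22
    timeout server 2h

backend socks
    mode tcp
    option tcplog
    server socks 127.0.0.1:1080
    timeout server 2h

backend webserver
    mode http
    # option httplog
    option forwardfor
    # Support for https://github.com/ietf-wg-acme/acme/ challenge protocol.
    # http-request rules run before "redirect", so the challenge is served
    # over plain HTTP as HTTP-01 requires.
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if url_acme_http01
    # HSTS header
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    # Public Key Pinning
    # NOTE(review): "xxxxxxx=" is a placeholder and only one pin is given; HPKP
    # requires at least two pins (one a backup not in the served chain), so
    # compliant browsers should ignore this header as-is.  With two real pins
    # a wrong value would lock enforcing browsers out for max-age (30 days).
    # HPKP is deprecated in mainstream browsers; dropping the header is the
    # usual choice.
    http-response set-header Public-Key-Pins "pin-sha256=\"xxxxxxx=\"; max-age=2592000; includeSubDomains"
    # ssl_fc is true only when the frontend terminated TLS, i.e. for requests
    # arriving via frontend main; plain-HTTP requests are redirected.
    redirect scheme https code 301 if !{ ssl_fc }
    server webserver-localhost 127.0.0.1:81 send-proxy

backend webserver-http2
    # Decrypted h2 is passed as a raw TCP stream; HAProxy does not parse it here.
    mode tcp
    server webserver-localhost 127.0.0.1:82 check send-proxy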