When HAProxy binds only to the IPv6 socket, it can handle both IPv6 and IPv4 clients. IPv4 clients are then handled as IPv4-mapped IPv6 addresses, which some backends (e.g. Apache) cannot support. To avoid this, we configure HAProxy to bind to the IPv4 and IPv6 sockets separately, so that IPv4 addresses are handled as IPv4 addresses.
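{# HAProxy configuration template.
   Inputs (from the surrounding role/context):
     dch_proxy_internal_networks, dch_proxy_allowlist, dch_proxy_blocklist
       - lists of source networks, joined into `acl ... src` lines
     dch_proxy_sites      - list of {backend, match, matcher (optional)}
     dch_proxy_backends   - mapping name -> {mode (optional), servers}
   Fix in this revision: frontend `main` now binds the IPv4 and IPv6 sockets
   separately (as `main-tls` already did) so IPv4 clients are not presented
   as IPv4-mapped IPv6 addresses. #}
{# Source-address ACLs shared by both frontends; rendered via `indent(4)`.
   NOTE(review): if one of the three lists is empty the generated `acl` line
   carries no pattern; confirm HAProxy accepts that (and that it then never
   matches) before relying on an empty allowlist/blocklist. #}
{% macro acls() %}
acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
{% endmacro %}

frontend main
    # Bind IPv4 and IPv6 as separate sockets (v6only) so IPv4 clients keep
    # their IPv4 source address; this mirrors the main-tls bind below.
    bind *:80,:::80 v6only
    {{ acls() | indent(4) }}
    # Blocklisted sources are rejected at connection time unless allowlisted.
    tcp-request connection reject if blocklist !allowlist
{% for site in dch_proxy_sites %}
    # Optional `matcher` (e.g. beg/end/reg) selects the hdr(host) match method.
    use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
{% endfor %}
    # Internal clients that matched no site fall through to the cluster.
    # No default_backend is set: external requests matching no site get no backend.
    use_backend kubernetes if internal_net

frontend main-tls
    # Separate IPv4/IPv6 sockets, see frontend main.
    bind *:443,:::443 v6only
    # TLS passthrough: route on SNI without terminating TLS here.
    mode tcp
    option tcplog
    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist
    # Wait up to 5s for a ClientHello so req.ssl_sni is available for routing.
    # NOTE(review): if no ClientHello arrives within the delay, HAProxy's
    # default at expiry is to accept; add an explicit
    # `tcp-request content reject if !{ req.ssl_hello_type 1 }` if non-TLS
    # connections must be dropped rather than fall through to the rules below.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
{% for site in dch_proxy_sites %}
    use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
{% endfor %}
    use_backend kubernetes-tls if internal_net

{% for name, backend in dch_proxy_backends.items() %}

backend {{ name }}
{% if backend.mode|d %}
    # Only emitted when the backend sets a mode; otherwise the defaults apply.
    mode {{ backend.mode }}
{% endif %}
{% for server in backend.servers %}
    # `server.options` is inserted verbatim (e.g. check/ssl flags).
    server {{ server.name }} {{ server.host }} {{ server.options }}
{% endfor %}
{% endfor %}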