@jaw-sh
Last active September 30, 2022 12:13
Zero trust haproxy ssl-over-tcp config
##
# zero trust haproxy ssl-over-tcp config
# this config can be put down on any small VPS to transfer traffic over to a trusted service
# (TLS is passed through in tcp mode, so the VPS never holds the certificate key
#  and never sees the decrypted traffic)
##
global
    log /dev/log local0
    log /dev/log local1 notice
    # change to www on FreeBSD
    user haproxy
    group haproxy
    daemon
    # max connections (I use 1024*cores)
    maxconn 1024

defaults
    log global
    mode tcp
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# frontend to upgrade http traffic
frontend http-in
    mode http
    bind :80
    # since http is insecure, haproxy can respond directly without any privilege
    # instruct client to use https
    http-request redirect scheme https

# frontend to proxy https traffic
frontend https-in
    bind *:443
    # inspect tcp traffic for ssl markers
    option socket-stats
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend stn

# backend for https traffic
backend stn
    # maximum SSL session ID length is 32 bytes
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default
    tcp-response content accept if serverhello
    # session ID: 1-byte length at offset 43 of the hello, value follows
    stick on payload_lv(43,1) if clienthello
    # learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    # direct traffic to trusted servers
    balance roundrobin
    # `check` will test the remote port and disable the server if the check fails
    # `weight 10` can balance roundrobin if you have asymmetrically capable end points
    # `send-proxy-v2` is a protocol for sending the client ip to the downstream servers
    server s1 127.0.0.1:443 check send-proxy-v2 weight 10
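The `req_ssl_hello_type`/`rep_ssl_hello_type` checks and the `payload_lv(43,1)` stick key both rely on fixed offsets in a TLS Hello record. The following is an added example (not part of the gist) that parses those same offsets from a constructed Hello, so you can see exactly what haproxy keys its stick-table on without ever decrypting anything; `build_hello` only produces a minimal sample record for the demo, not a complete real ClientHello.

```python
# Added example, not part of the gist: decode the TLS Hello offsets that the
# haproxy config above inspects (`req_ssl_hello_type 1`, `payload_lv(43,1)`).
import struct

HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 1     # handshake type checked by `req_ssl_hello_type 1`
SERVER_HELLO = 2     # handshake type checked by `rep_ssl_hello_type 2`
MAX_SESSION_ID = 32  # same cap as `stick-table type binary len 32`


def parse_hello(data: bytes):
    """Return (hello_type, session_id) from the start of a TLS handshake record.

    Offsets, matching the fetches used in the config:
      0..4   record header (type, version, length)
      5      handshake type      <- req_ssl_hello_type / rep_ssl_hello_type
      6..8   handshake length
      9..10  protocol version
      11..42 32-byte random
      43     session ID length   <- payload_lv(43,1): 1-byte length at offset 43
      44..   session ID value       (this is what the stick-table keys on)
    Raises ValueError for anything that is not a well-formed Hello.
    """
    if len(data) < 44 or data[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hello_type = data[5]
    if hello_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    sid_len = data[43]
    # reject lengths beyond the 32-byte cap or running past the record
    if sid_len > MAX_SESSION_ID or 44 + sid_len > min(len(data), 5 + rec_len):
        raise ValueError("bad session ID length")
    return hello_type, data[44:44 + sid_len]


def build_hello(hello_type: int, session_id: bytes) -> bytes:
    """Constructed sample Hello (version, random, session ID only) for the demo."""
    body = b"\x03\x03" + bytes(range(32)) + bytes([len(session_id)]) + session_id
    hs = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sample = build_hello(CLIENT_HELLO, b"\xaa" * 32)  # constructed input
    print(parse_hello(sample))
```

Note that for TLS 1.3 clients the session ID field is a compatibility value and resumption uses PSKs instead, so stickiness on `payload_lv(43,1)` only gives resumption affinity for TLS 1.2 and earlier sessions.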