global
log /dev/log local0
log /dev/log local1 notice
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http-frontend
bind *:80
redirect scheme https if !{ ssl_fc }
frontend https-frontend
bind *:443
mode http
option httplog
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr(Upgrade) -i websocket
use_backend multiportal_console if is_websocket
default_backend multiportal_production
frontend stats
mode http
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend multiportal_production
mode http
balance roundrobin
cookie SERVERID insert indirect nocache #enables session persistence with cookies, ensuring clients are routed to the same backend server while avoiding issues with caching proxies or unnecessary cookie overwrites
server lab-pve-30 192.168.112.130:443 cookie s1 check #<~change the hostname and ip address here
server lab-pve-31 192.168.112.131:443 cookie s2 check #<~change the hostname and ip address here
server lab-pve-32 192.168.112.132:443 cookie s3 check #<~change the hostname and ip address here
backend multiportal_console
mode http
option http-server-close
balance roundrobin
timeout tunnel 1h
http-request set-header X-Forwarded-For %[src]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server lab-pve-30 192.168.112.130:443 cookie s1 check #<~change the hostname and ip address here
server lab-pve-31 192.168.112.131:443 cookie s2 check #<~change the hostname and ip address here
server lab-pve-32 192.168.112.132:443 cookie s3 check #<~change the hostname and ip address here