# Process-wide settings: logging, worker process count and the TLS policy that
# every "bind ... ssl" and "server ... ssl" line below inherits unless it
# overrides it.
global
  #quiet
  # Syslog over UDP to a local collector on 127.0.0.1:9000. This is unrelated to
  # the TCP listener on *:9000 (thehiveserv) further down, but the shared port
  # number is easy to misread.
  log 127.0.0.1:9000  local0
  # NOTE(review): nbproc is deprecated in recent HAProxy releases (removed in
  # 2.5); nbthread is the replacement. Confirm against the HAProxy version that
  # is actually deployed before upgrading.
  nbproc {{ HAPROXY_PROCESSES }}
  # Client-facing TLS: AEAD-only suites (ECDHE/DHE key exchange, AES-GCM and
  # CHACHA20-POLY1305), the client's cipher preference is honoured
  # (prefer-client-ciphers), SSLv3/TLS 1.0/TLS 1.1 are disabled and session
  # tickets are off. No TLS 1.3 suites are listed here, so HAProxy's default
  # ciphersuites apply to TLS 1.3 handshakes.
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  # Same cipher/protocol policy for proxy->backend connections. Note that
  # backend certificate verification is a per-"server" setting ("verify ..."),
  # not part of these defaults; see the individual listen sections.
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  # DH parameters for the DHE suites above; the file must exist when HAProxy
  # starts or the configuration fails to load.
  ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem

# Defaults inherited by every "listen" section below; sections may override
# any of them (the keycloak and nifiservtcp sections switch to "mode tcp").
defaults
  mode http
  maxconn 5000
  log global
  # connect: proxy->backend TCP handshake; client/server: inactivity timeouts
  # on the client side and the backend side of a proxied connection.
  timeout connect 5s
  timeout client  20s
  timeout server  20s
  # NOTE(review): no "timeout http-request" is set, so the only limit on slow
  # request-header delivery is the client inactivity timeout, which a client
  # that trickles bytes can keep resetting. Consider adding e.g.
  # "timeout http-request 10s" here so incomplete requests are dropped.

# HAProxy statistics page on 8888 over TLS with HTTP basic auth. Only sources
# listed in stats_whitelist.lst are allowed to open a connection at all.
listen stats
        bind 0.0.0.0:8888 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        stats enable
        # Do not advertise the HAProxy version on the stats page.
        stats hide-version
        stats uri     /
        stats realm   HAProxy Statistics
        # The password lookup is rendered in clear text into the generated
        # haproxy.cfg, so the deployed file needs the same access restrictions
        # as the secret it came from.
        # NOTE(review): the nested double-brace reference to playbook_dir inside
        # the lookup string relies on Ansible re-templating lookup terms; the
        # concatenation form  playbook_dir ~ '/secrets/passwords/haproxy_stats'
        # expresses the same path without nested templating. Confirm with the
        # Ansible version in use before changing it.
        stats auth    haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
	# Source-address allow-list, evaluated at TCP accept time, i.e. before the
	# TLS handshake and before basic auth. "src" is the immediate TCP peer, so
	# behind another proxy or NAT it would be that device's address.
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst }

# NiFi UI/API on 9443: TLS is terminated here and re-encrypted towards the
# NiFi nodes on 9443. Access is limited to sources in nifi_whitelist.lst.
listen nifiserv
	bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
	mode http
	maxconn 5000
	# fullconn only matters when servers declare minconn/maxconn, which none
	# of the server lines in this file do — presumably copied boilerplate.
	fullconn 5000
	# Hash on the client source address so a client sticks to one node.
	balance source
	option tcpka
        option httplog
	# No "option forwardfor" here (unlike the thehive/cortex/kibana/misp
	# sections), so the nodes see HAProxy's address as the client — verify
	# that this is intentional.
	# "verify none" on the server lines below disables validation of the
	# backend certificate: a man-in-the-middle between proxy and node would
	# go undetected. To pin the nodes, use
	# "verify required ca-file <path-to-nifi-ca-bundle>" instead.
{% for nifihost in groups['nificontainers'] %}
	server {{nifihost}} {{nifihost}}:9443 ssl check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifi_whitelist.lst }

# OpenDistro Elasticsearch REST API on 9200: TLS terminated here and
# re-encrypted towards the ES nodes on 9200. Access is limited to sources in
# odfe_whitelist.lst.
listen odfeserv
        bind *:9200 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        option httplog
        # No "option forwardfor" here, so the nodes see HAProxy's address as the
        # client — verify that this is intentional.
        # "verify none" on the server lines below disables validation of the
        # backend certificate, so a man-in-the-middle between proxy and node
        # would go undetected. To pin the nodes, use
        # "verify required ca-file <path-to-es-ca-bundle>" instead.
{% for odfehost in groups['odfeescontainers'] %}
     	server {{odfehost}} {{odfehost}}:9200 ssl check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst }
	
# Keycloak on 12443: plain TCP passthrough to the Keycloak containers on 8443,
# so TLS (including client-certificate authentication) is handled end to end by
# Keycloak. Access is limited to sources in keycloak_whitelist.lst.
listen keycloakserv
        # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here 
        # Because HAProxy never sees the HTTP layer here, "option forwardfor" is
        # not available and Keycloak sees HAProxy's address as the client unless
        # the PROXY protocol is enabled on both ends (send-proxy on the server
        # line, accept-proxy/PROXY support on the Keycloak side) — presumably
        # acceptable; verify against Keycloak's audit-logging needs.
        bind *:12443
        mode tcp
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        option tcp-check
        option tcplog
        # Health check is a bare TCP connect to 8443; it does not perform a TLS
        # handshake, so a node with a broken certificate still counts as up.
        tcp-check connect port 8443
{% for keycloakhost in groups['keycloakcontainers'] %}
	server {{keycloakhost}} {{keycloakhost}}:8443 check
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time.
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }

# TheHive on 9000: TLS is terminated here and the request is forwarded in
# clear text to the TheHive containers on 9000. Access is limited to sources in
# thehive_whitelist.lst.
listen thehiveserv
        bind *:9000 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        # Adds X-Forwarded-For so the backend can log the real client address.
        option forwardfor
        option httplog
        # NOTE(review): the server lines below have no "ssl" keyword, so the
        # proxy->backend hop is plain HTTP and "verify none" has no effect. If
        # this hop crosses anything other than a trusted container network,
        # add "ssl" plus "verify required ca-file <path-to-backend-ca>".
{% for thehivehost in groups['thehive'] %}
	server {{thehivehost}} {{thehivehost}}:9000 check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/thehive_whitelist.lst }

# Cortex on 9001: TLS is terminated here and the request is forwarded in clear
# text to the Cortex containers on 9001. Access is limited to sources in
# cortex_whitelist.lst.
listen cortexserv
        bind *:9001 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        # Adds X-Forwarded-For so the backend can log the real client address.
        option forwardfor
        option httplog
        # NOTE(review): as in thehiveserv, the server lines have no "ssl"
        # keyword, so the proxy->backend hop is plain HTTP and "verify none" is
        # a no-op. If this hop leaves a trusted container network, add "ssl"
        # plus "verify required ca-file <path-to-backend-ca>".
{% for cortexhost in groups['cortex'] %}
	server {{cortexhost}} {{cortexhost}}:9001 check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/cortex_whitelist.lst }

# Kibana on 5601: TLS terminated here and re-encrypted towards the Kibana
# containers on 5601. Access is limited to sources in kibana_whitelist.lst.
listen kibanaserv
        bind *:5601 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        # Adds X-Forwarded-For so the backend can log the real client address.
        option forwardfor
        option httplog
        # "verify none" on the server lines below disables validation of the
        # backend certificate, so a man-in-the-middle between proxy and Kibana
        # would go undetected. To pin the backend, use
        # "verify required ca-file <path-to-kibana-ca-bundle>" instead.
{% for kibanahost in groups['odfekibanacontainers'] %}
        server {{kibanahost}} {{kibanahost}}:5601 ssl check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/kibana_whitelist.lst }

# MISP on 6443: TLS terminated here and re-encrypted towards the MISP
# containers on 6443. Access is limited to sources in misp_whitelist.lst.
listen mispserv
        bind *:6443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        # Adds X-Forwarded-For so the backend can log the real client address.
        option forwardfor
        option httplog
        # "verify none" on the server lines below disables validation of the
        # backend certificate, so a man-in-the-middle between proxy and MISP
        # would go undetected. To pin the backend, use
        # "verify required ca-file <path-to-misp-ca-bundle>" instead.
{% for misphost in groups['mispcontainers'] %}
        server {{misphost}} {{misphost}}:6443 ssl check verify none
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/misp_whitelist.lst }

# User-management UI on 5443: TLS terminated here, forwarded in clear text to
# a single backend on the soctools network gateway, port 8050. Access is
# limited to sources in user-mgmt-ui_whitelist.lst.
listen user-mgmt-ui
        bind *:5443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000
        # Irrelevant with one server, kept for consistency with the other sections.
        balance source
        option tcpka
        # Adds X-Forwarded-For so the backend can log the real client address.
        option forwardfor
        option httplog
        # Plain HTTP to the backend and no "check" keyword, so HAProxy never
        # health-checks this server and keeps forwarding to it while it is
        # down (clients get a 503 from HAProxy either way, but only after the
        # connect timeout). Add "check" if you want the stats page to show its
        # state.
        server soctools_server {{ soctools_network_gw }}:8050
	# Source-address allow-list, evaluated at TCP accept time (before TLS).
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/user-mgmt-ui_whitelist.lst }


# One HTTP listener per port in 5000..5019, each forwarding to the same port on
# every NiFi node. These binds have no "ssl" keyword, so whatever NiFi
# processors listen on these ports is exposed in clear text; the shared
# nifiports_whitelist.lst allow-list is the only access control on them.
{% for port in range(5000, 5020) %}
listen nifiservhttp{{port}}
        bind *:{{port}}
        mode http
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        option httplog
{% for nifihost in groups['nificontainers'] %}
        server {{nifihost}} {{nifihost}}:{{port}} check
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time.
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst }

{% endfor %}


# One raw TCP listener per port in 6000..6019, each forwarding to the same port
# on every NiFi node (for NiFi processors that speak a non-HTTP protocol). No
# TLS is added by HAProxy, so confidentiality depends on the protocol NiFi
# runs on each port; nifiports_whitelist.lst is the only access control.
{% for port in range(6000, 6020) %}
listen nifiservtcp{{port}}
        bind *:{{port}}
        mode tcp 
        maxconn 5000
        fullconn 5000
        # Hash on the client source address so a client sticks to one node.
        balance source
        option tcpka
        option tcp-check
        option tcplog
        # Health check is a bare TCP connect to the same port on the node.
        tcp-check connect port {{port}}
{% for nifihost in groups['nificontainers'] %}
        server {{nifihost}} {{nifihost}}:{{port}} check
{% endfor %}
	# Source-address allow-list, evaluated at TCP accept time.
	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst }

{% endfor %}