# Process-wide settings inherited by every section below.
global
    #quiet
    # Syslog target: UDP to a local collector on port 9000, facility local0.
    # (UDP, so it does not collide with the TCP "bind *:9000" used by thehiveserv.)
    log 127.0.0.1:9000 local0
    # NOTE(review): nbproc is deprecated in HAProxy 2.x and removed in 2.5 in favour of
    # nbthread; with several processes the stats page only reflects the process that
    # served it. Confirm which HAProxy version this template targets.
    nbproc {{ HAPROXY_PROCESSES }}
    # Client-facing TLS 1.2 suites: forward-secret (ECDHE/DHE) AEAD only, AES-GCM or
    # ChaCha20-Poly1305. TLS 1.3 suites are governed by a separate directive
    # (ssl-default-bind-ciphersuites) and are not pinned here.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # SSLv3 and TLS 1.0/1.1 disabled; session tickets disabled (no ticket key to protect);
    # among the suites above the client's preference order is honoured.
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Same suite and version policy for the TLS connections HAProxy opens towards
    # backends ("server ... ssl" lines).
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Group parameters for the DHE-* suites; the file must exist on the HAProxy host.
    ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem
# Baseline for every listen section; only "mode" is overridden below (tcp sections).
defaults
    mode http
    maxconn 5000
    # Reuse the global syslog target.
    log global
    # Backend connect timeout, then idle timeouts on the client and server sides.
    # No section overrides these, so every listener inherits the 20s idle limits.
    timeout connect 5s
    timeout client 20s
    timeout server 20s
    # NOTE(review): no "timeout http-request" is set, so the request-header phase is
    # bounded only by "timeout client"; an explicit shorter value limits slow-header
    # clients on the http-mode listeners.
# Built-in statistics page: TLS only, HTTP basic auth, plus a source-address whitelist.
listen stats
    # 0.0.0.0 is the same IPv4 wildcard as the "*" form used by the other listeners.
    # "crt" is a directory, so every certificate file under /etc/ssl/haproxy is loaded.
    bind 0.0.0.0:8888 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    stats enable
    # Do not advertise the HAProxy version on the page.
    stats hide-version
    stats uri /
    # NOTE(review): the realm contains an unescaped space; HAProxy expects
    # "HAProxy\ Statistics" for a multi-word realm. Confirm with "haproxy -c" that the
    # line parses and the realm is what is intended.
    stats realm HAProxy Statistics
    # Password comes from Ansible's "password" lookup, which generates it once and stores
    # it under secrets/passwords/ next to the playbook.
    # NOTE(review): the lookup argument nests a second template expression; this only
    # works because Ansible re-templates lookup terms. Building the path as
    # playbook_dir ~ '/secrets/passwords/haproxy_stats' does not depend on that.
    stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
    # Layer-4 gate: the connection is dropped at accept time unless the client address is
    # in the whitelist file, i.e. before any TLS handshake or auth prompt.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst }
# NiFi front door (inventory group nificontainers): TLS terminated here, re-encrypted
# to each container on 9443.
listen nifiserv
    bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address: the same source IP always reaches the same node.
    balance source
    option tcpka
    option httplog
    # One server line per host in the group.
    # NOTE(review): "verify none" accepts any backend certificate, so this hop is
    # encrypted but not authenticated; "verify required" with a ca-file for the internal
    # CA would close that. There is no "option forwardfor" here, so the backend sees the
    # proxy's address rather than the client's.
{% for nifihost in groups['nificontainers'] %}
    server {{nifihost}} {{nifihost}}:9443 ssl check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifi_whitelist.lst }
# Elasticsearch (ODFE) API front door (inventory group odfeescontainers): TLS
# terminated here, re-encrypted to each node on 9200.
listen odfeserv
    bind *:9200 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    option httplog
    # One server line per host in the group.
    # NOTE(review): "verify none" leaves the backend certificate unchecked (encrypted,
    # not authenticated); "verify required" plus a ca-file for the internal CA would
    # close that. No "option forwardfor", so the nodes see the proxy's address only.
{% for odfehost in groups['odfeescontainers'] %}
    server {{odfehost}} {{odfehost}}:9200 ssl check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/odfe_whitelist.lst }
# Keycloak (inventory group keycloakcontainers): TLS passthrough, external 12443 -> 8443.
listen keycloakserv
    # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here
    # No "ssl" on the bind, so the ssl-default-bind-* policy in "global" does not apply
    # to this listener; the TLS session runs end-to-end between client and Keycloak.
    bind *:12443
    mode tcp
    maxconn 5000
    fullconn 5000
    # Stickiness by client address (works in tcp mode as well).
    balance source
    option tcpka
    option tcp-check
    option tcplog
    # Layer-4 health check only: a successful TCP connect to 8443 marks the node up.
    tcp-check connect port 8443
{% for keycloakhost in groups['keycloakcontainers'] %}
    server {{keycloakhost}} {{keycloakhost}}:8443 check
{% endfor %}
    # The client validates Keycloak's certificate itself; this whitelist is the only
    # control HAProxy applies to the stream, since it cannot inspect the HTTP layer.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }
# TheHive (inventory group thehive): TLS terminated here, plain HTTP to the backend.
listen thehiveserv
    bind *:9000 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    # Adds X-Forwarded-For so the application can see the real client address.
    option forwardfor
    option httplog
    # One server line per host in the group.
    # NOTE(review): the server line has no "ssl", so traffic and health checks go to
    # port 9000 in clear text and "verify none" has no effect. Confirm TheHive really
    # listens on plain HTTP there; if it serves TLS, "ssl" is missing on this line.
{% for thehivehost in groups['thehive'] %}
    server {{thehivehost}} {{thehivehost}}:9000 check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/thehive_whitelist.lst }
# Cortex (inventory group cortex): TLS terminated here, plain HTTP to the backend.
listen cortexserv
    bind *:9001 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    # Adds X-Forwarded-For so the application can see the real client address.
    option forwardfor
    option httplog
    # One server line per host in the group.
    # NOTE(review): no "ssl" on the server line, so this hop and its health checks are
    # clear text and "verify none" is a no-op. Confirm Cortex listens on plain HTTP on
    # 9001; if it serves TLS, "ssl" is missing here.
{% for cortexhost in groups['cortex'] %}
    server {{cortexhost}} {{cortexhost}}:9001 check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/cortex_whitelist.lst }
# Kibana (inventory group odfekibanacontainers): TLS terminated here, re-encrypted to
# each container on 5601.
listen kibanaserv
    bind *:5601 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    # Adds X-Forwarded-For so the application can see the real client address.
    option forwardfor
    option httplog
    # One server line per host in the group.
    # NOTE(review): "verify none" leaves the backend certificate unchecked (encrypted,
    # not authenticated); "verify required" plus a ca-file for the internal CA would
    # close that.
{% for kibanahost in groups['odfekibanacontainers'] %}
    server {{kibanahost}} {{kibanahost}}:5601 ssl check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/kibana_whitelist.lst }
# MISP (inventory group mispcontainers): TLS terminated here, re-encrypted to each
# container on 6443.
listen mispserv
    bind *:6443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    # Adds X-Forwarded-For so the application can see the real client address.
    option forwardfor
    option httplog
    # One server line per host in the group.
    # NOTE(review): "verify none" leaves the backend certificate unchecked (encrypted,
    # not authenticated); "verify required" plus a ca-file for the internal CA would
    # close that.
{% for misphost in groups['mispcontainers'] %}
    server {{misphost}} {{misphost}}:6443 ssl check verify none
{% endfor %}
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/misp_whitelist.lst }
# User management UI: TLS terminated here, single plain-HTTP backend on the
# soctools network gateway, port 8050.
listen user-mgmt-ui
    bind *:5443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    mode http
    maxconn 5000
    fullconn 5000
    # Only one server, so "balance source" has no routing effect here.
    balance source
    option tcpka
    # Adds X-Forwarded-For so the application can see the real client address.
    option forwardfor
    option httplog
    # NOTE(review): no "check" on this server, so a dead backend is never marked down and
    # requests simply fail. The hop is clear text; presumably soctools_network_gw is a
    # host-local / container-network address - confirm.
    server soctools_server {{ soctools_network_gw }}:8050
    # Source whitelist enforced at connection accept, before the TLS handshake.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/user-mgmt-ui_whitelist.lst }
# Twenty plain-HTTP listeners, ports 5000-5019 (range end is exclusive), each
# forwarding to the same port on every NiFi container. One section per port.
{% for port in range(5000, 5020) %}
listen nifiservhttp{{port}}
    # No "ssl" on the bind: these ports are unencrypted on the client side, so the
    # whitelist below is the only control on them.
    bind *:{{port}}
    mode http
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    option httplog
    # Plain HTTP to the backend as well; "check" uses the default L7/L4 check.
{% for nifihost in groups['nificontainers'] %}
    server {{nifihost}} {{nifihost}}:{{port}} check
{% endfor %}
    # All twenty sections share this whitelist file (also used by the tcp range below).
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst }
{% endfor %}
# Twenty raw TCP listeners, ports 6000-6019 (range end is exclusive), each
# forwarding to the same port on every NiFi container. One section per port.
{% for port in range(6000, 6020) %}
listen nifiservtcp{{port}}
    # No TLS at this layer; whatever the NiFi flow speaks on the port passes through
    # untouched, and the whitelist below is the only control HAProxy applies.
    bind *:{{port}}
    mode tcp
    maxconn 5000
    fullconn 5000
    # Stickiness by client address.
    balance source
    option tcpka
    option tcp-check
    option tcplog
    # Layer-4 health check: a successful TCP connect to the same port marks the node up.
    tcp-check connect port {{port}}
{% for nifihost in groups['nificontainers'] %}
    server {{nifihost}} {{nifihost}}:{{port}} check
{% endfor %}
    # Shared with the http range above.
    tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/nifiports_whitelist.lst }
{% endfor %}