-# Example configuration file for HAProxy 2.0, refer to the url below for
+# Example configuration file for HAProxy, refer to the url below for
# a full documentation and examples for configuration:
-# https://cbonte.github.io/haproxy-dconv/2.0/configuration.html
+# https://docs.haproxy.org/3.2/configuration.html
# Global parameters
#log /dev/log local0 info
# Specifiy the maximum number of allowed connections.
- maxconn 32000
+ maxconn 10000
# Raise the ulimit for the maximum allowed number of open socket
# descriptors per process. This is usually at least twice the
# number of allowed connections (maxconn * 2 + nb_servers + 1) .
- ulimit-n 65535
+ # By default, it is automatically computed, so it is recommended
+ # not to use this option.
+ #ulimit-n 65535
# Drop privileges (setuid, setgid), default is "root" on OpenWrt.
uid 0
# Enable debugging
#debug
- # Spawn given number of processes and distribute load among them,
- # used for multi-core environments or to circumvent per-process
- # limits like number of open file descriptors. Default is 1.
- #nbproc 2
+ # Spawn given number of threads and distribute load among them,
+ # used for multi-core environments.
+ # On some platforms supporting CPU affinity, the default
+ # "nbthread" value is automatically set to the number of CPUs
+ # the process is bound to upon startup. The default value is
+ # reported in the output of "haproxy -vv".
+ #nbthread 2
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
# SSL/TLS configuration. You can use the Mozilla SSL Config
# Generator. See: https://ssl-config.mozilla.org/#server=haproxy
+ # intermediate configuration
+ ssl-default-bind-curves X25519:prime256v1:secp384r1
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+ ssl-default-server-curves X25519:prime256v1:secp384r1
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+crt-store acme-certs
+ crt-base /etc/ssl/acme
+ key-base /etc/ssl/acme
+ # load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
+ # load crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"
+
# Default parameters
defaults
# Default timeouts
- timeout connect 5000ms
- timeout client 50000ms
- timeout server 50000ms
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ timeout check 5s
# Example HTTP proxy listener
listen my_http_proxy
- # Bind to port 81 and 444 on all interfaces (0.0.0.0)
- bind :81,:444
+ # Disable this instance without commenting out the section.
+ disabled
+
+ # Bind to port 8080 on all interfaces (0.0.0.0)
+ bind :8080
+ # bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1
# We're proxying HTTP here...
mode http
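Review bot: The global section still runs HAProxy as root — `uid 0` directly under the "Drop privileges (setuid, setgid)" comment means nothing is dropped, so any parsing bug in the TLS paths this change enables via the new `ssl-default-*` lines is reachable as uid 0; the example should name an unprivileged account, e.g. `user haproxy` / `group haproxy` (or numeric `uid`/`gid`), assuming the OpenWrt package creates one, and ideally a `chroot`. The new cipher lists keep the `DHE-RSA-*` suites but the hunk adds no `ssl-dh-param-file`; the Mozilla generator cited in the comment pairs these suites with its ffdhe2048 parameter file, so either add that line or trim the DHE suites rather than leave the DH group to the build default. The `defaults` section gained `timeout check 5s` but still has no `timeout http-request`, so with `timeout client 50s` a client trickling headers holds a connection for the full 50s; `timeout http-request 10s` is the usual companion. The `listen my_http_proxy` section continues past the end of the hunk.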