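## For haproxy 2.2
## COPY TO /etc/haproxy/haproxy.cfg
##
## Do https://unix.stackexchange.com/a/538901 to fix network-online.target on
## debian w/ /etc/network/interfaces
##
## certbot setup:
## - https://certbot.eff.org/lets-encrypt/debianbuster-haproxy
## - haproxy has to be stopped while certbot renews (presumably because certbot
##   needs port 80 itself). Add to root crontab, as ONE line:
##     17 3 * * * certbot renew --quiet --pre-hook "systemctl stop haproxy" --deploy-hook "umask 077; cd /etc/letsencrypt/live/seaturtle.pw && cat fullchain.pem privkey.pem > haproxy_cert.pem" --post-hook "systemctl start haproxy"
##   Why this form rather than "stop && certbot renew && start && cat ...":
##     * the combined PEM is rebuilt BEFORE haproxy starts, so the renewed
##       certificate is the one that gets loaded (the old order served the
##       previous certificate until the next restart);
##     * the post-hook starts haproxy again even when the renewal attempt fails;
##       an "&&" chain leaves it stopped;
##     * fullchain.pem carries the intermediate certificate; with cert.pem alone
##       strict TLS clients cannot build the chain;
##     * no {cert,privkey} brace expansion, which cron's default /bin/sh on
##       Debian does not perform;
##     * umask 077 keeps the file holding the private key readable by root only;
##     * the pre/post hooks only run when a certificate is actually due, so the
##       job can run daily; a once-a-month run can miss certbot's renewal window
##       and let the certificate expire.
## - (Default systemd timer does not have option to stop haproxy before running)
##
## Ensure microk8s only exposes nodeport on 127.0.0.1:
## - Edit /var/snap/microk8s/current/args/kube-proxy, adding "--nodeport-addresses=127.0.0.1/8"
## - Without it kube-proxy accepts NodePort traffic on every address of the node,
##   so 30080/30122/30565 would be reachable directly, bypassing this proxy and
##   its TLS. After changing it, check from another host that they are closed.

defaults
    # "log global" takes its log targets from the global section. None is
    # visible in this file, so nothing is logged unless a global section with
    # a "log" line exists elsewhere -- NOTE(review): confirm.
    log global
    mode tcp
    option dontlognull
    retries 3
    maxconn 4000
    # Timeouts without a unit are milliseconds: 5 s connect, 50 s client/server.
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# Plain HTTP: every request is redirected to the same URL over https.
# ":::80" is address "::" (IPv6 wildcard), port 80.
frontend http-in
    mode http
    bind :::80
    redirect scheme https

# TLS termination and Host-based routing for the web services.
frontend https-in
    mode http
    # Appends an X-Forwarded-For header with the client address. It does not
    # remove a header the client sent itself.
    # NOTE(review): if this is the first proxy clients reach, consider
    # "http-request del-header X-Forwarded-For" here so backends that use the
    # header for rate limiting or audit logs cannot be fed a spoofed address.
    option forwardfor
    # haproxy_cert.pem is the certificate chain + private key built by the
    # renewal job described at the top of this file. TLS 1.0/1.1 are refused.
    bind :::443 ssl crt /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem ssl-min-ver TLSv1.2
    # Repeated "acl server1" lines are ORed: any listed Host (case-insensitive,
    # exact match) selects the backend. There is no default_backend, so a
    # request for any other Host is not forwarded anywhere.
    # NOTE(review): paul.walko.org only validates if the certificate under
    # live/seaturtle.pw also lists it as a SAN -- confirm.
    acl server1 hdr(host) -i airsonic.seaturtle.pw
    acl server1 hdr(host) -i git.seaturtle.pw
    acl server1 hdr(host) -i nc.seaturtle.pw
    acl server1 hdr(host) -i paul.walko.org
    acl server1 hdr(host) -i plex.seaturtle.pw
    acl server1 hdr(host) -i seaturtle.pw
    use_backend server1 if server1

# Single HTTP backend on the loopback NodePort (presumably the microk8s
# ingress); traffic to it is unencrypted but never leaves the host.
backend server1
    mode http
    # Already enabled in the frontend; kept as in the original.
    option forwardfor
    server server1 127.0.0.1:30080

# Raw TCP pass-throughs to loopback NodePorts.
# In tcp mode the service behind sees every connection as coming from
# 127.0.0.1, so per-client logging or banning inside the service cannot see
# the real source address. NOTE(review): if a service supports the PROXY
# protocol, "send-proxy" on its server line would pass the address through.
listen proxy37122
    mode tcp
    bind :::37122
    server ipv4server30122 127.0.0.1:30122

listen proxy25565
    mode tcp
    bind :::25565
    server ipv4server30565 127.0.0.1:30565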