From 0fd7fc4e7d37a9007ab6f8182732aebec0fcb3db Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 15 Mar 2021 11:52:51 +0200 Subject: haproxy works --- group_vars/apt.yml | 4 - group_vars/ickhost.yml | 12 +-- ick-cluster.yml | 3 +- roles/haproxy-for-ick/README | 1 + roles/haproxy-for-ick/defaults/main.yml | 14 +++ roles/haproxy-for-ick/files/haproxy.crt | 21 ++++ roles/haproxy-for-ick/files/haproxy.key | 28 +++++ roles/haproxy-for-ick/files/haproxy.pem | 49 +++++++++ roles/haproxy-for-ick/subplot.md | 5 + roles/haproxy-for-ick/tasks/main.yml | 117 +++++++++++++++++++++ .../haproxy-for-ick/templates/haproxy.cfg.preamble | 37 +++++++ 11 files changed, 277 insertions(+), 14 deletions(-) create mode 100644 roles/haproxy-for-ick/README create mode 100644 roles/haproxy-for-ick/defaults/main.yml create mode 100644 roles/haproxy-for-ick/files/haproxy.crt create mode 100644 roles/haproxy-for-ick/files/haproxy.key create mode 100644 roles/haproxy-for-ick/files/haproxy.pem create mode 100644 roles/haproxy-for-ick/subplot.md create mode 100644 roles/haproxy-for-ick/tasks/main.yml create mode 100644 roles/haproxy-for-ick/templates/haproxy.cfg.preamble diff --git a/group_vars/apt.yml b/group_vars/apt.yml index 39c33c0..e793ee4 100644 --- a/group_vars/apt.yml +++ b/group_vars/apt.yml @@ -5,10 +5,6 @@ apt_signing_key_pub: FIXME apt_signing_key_fingerprint: FIXME apt_admin_email: FIXME apt_distributions: - - codename: stretch - description: Release packages for stretch - - codename: stretch-ci - description: CI builds for stretch - codename: unstable description: Release packages for unstable - codename: unstable-ci diff --git a/group_vars/ickhost.yml b/group_vars/ickhost.yml index 66559d9..094dfd5 100644 --- a/group_vars/ickhost.yml +++ b/group_vars/ickhost.yml 
@@ -1,17 +1,12 @@ qvisqve_token_public_key: FIXME tls_certificate: FIXME -debian_codename: stretch -debian_mirror: deb.debian.org -debian_mirror_src: deb.debian.org - ci_prefix: "" sources_lists: - - repo: "deb http://deb.debian.org/debian stretch-backports main" - - repo: "deb http://code.liw.fi/debian stretch main ickhost" - signing_key: "{{ code_liw_fi_signing_key }}" - - repo: "deb http://ci-prod-controller.vm.liw.fi/debian stretch main ickhost" +# - repo: "deb http://code.liw.fi/debian unstable main ickhost" +# signing_key: "{{ code_liw_fi_signing_key }}" + - repo: "deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main ickhost" signing_key: "{{ ci_prod_apt_signing_key }}" controller_port: 3333 @@ -20,6 +15,7 @@ qvisqve_port: 10000 notify_port: 6666 ickweb_port: 10001 apache_port: 8080 +muck_port: 4444 controller_url: "https://{{ controller_domain }}" artifact_store_url: "https://{{ artifact_store_domain }}" diff --git a/ick-cluster.yml b/ick-cluster.yml index 22fa365..06ea705 100644 --- a/ick-cluster.yml +++ b/ick-cluster.yml @@ -5,12 +5,11 @@ - sane_debian_system - comfortable - apt_repository - # - haproxy + - haproxy-for-ick # - qvisqve # - ick-controller # - ick-artifact-store # - ick-notifier - # - ickweb # - muck vars: sane_debian_system_version: 1 diff --git a/roles/haproxy-for-ick/README b/roles/haproxy-for-ick/README new file mode 100644 index 0000000..ed0360a --- /dev/null +++ b/roles/haproxy-for-ick/README @@ -0,0 +1 @@ +Install haproxy and set up a Let's Encrypt TLS certificate for it. diff --git a/roles/haproxy-for-ick/defaults/main.yml b/roles/haproxy-for-ick/defaults/main.yml new file mode 100644 index 0000000..12e2906 --- /dev/null +++ b/roles/haproxy-for-ick/defaults/main.yml 
@@ -0,0 +1,14 @@ +# Set the domain haproxy serves, used for the TLS certificate. + +haproxy_domain: FIXME + +# List haproxy rules: a list of dicts like this: +# +# name: foo +# path: /foo +# backends: +# - 127.0.0.1:8080 +# - 127.0.0.1:8181 + +haproxy_rules: [] + diff --git a/roles/haproxy-for-ick/files/haproxy.crt b/roles/haproxy-for-ick/files/haproxy.crt new file mode 100644 index 0000000..fbaf6ee --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIUdxKP8RqYs3OcgUXeSgU8P3l88wMwDQYJKoZIhvcNAQEL +BQAwQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFueSBO +YW1lIExURC4xCzAJBgNVBAYTAlVTMB4XDTIxMDMxNTA5NDcxMloXDTIyMDMxNTA5 +NDcxMlowQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFu +eSBOYW1lIExURC4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwdItzZ33l2SKLcoV7bze9jVWcZOikW1OHyjho7LPiFGbjq/Tkzz+ +OrtOfX83976SrZPudKqMmZm01eFzSTe+cR0Iq5toLAVjK69y1fn0TVPuV+nsLvHE +jVJqxhDWLklcz9rf496Z58atD4ZigyRJ+OZBxvt8TlBw4LzdGyVN7nWstz6iJnO/ +6fU+8IJU6lsUdA7t7dWWPC/qjMRh+SUMbFhK/7dPfNn7Fa22Xh+dxH/iwod2tA1b +lIGgl7lsyIVhO1nFgVFE23/1fQMCmVT3hDH0hrsk62u4AoSWUjVq/O2+92IkXhVg +UpjSek8KBlHWpIrOBnOMYPfkLuKW0WOYhwIDAQABo1MwUTAdBgNVHQ4EFgQUwPjU +LVoATZ7ZcjgW29v3IwyzXJUwHwYDVR0jBBgwFoAUwPjULVoATZ7ZcjgW29v3Iwyz +XJUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKyTZRVtK4Cyg +cKc6eVUKUk9v9Mr+hJ/WY6hEqX7Kun49EvNg/oK+pQGO73r4CZ6RY7Wud5Op49dn +4szp6fYCEi3Ep7PjZBPb6ngKMXhxlcjq9O/r73N29L2neTgIAVukuYyCJA3A9qXu +PuAYL3IqQbMU4BFkoFo0NmxoeR0zrgyZUtcnsM5zk8uVV1k3ElDnbcYyfC9Xoe3b +fpqCjHe1LmZoStd92eXL2utyzkY8yCH8Hu1xp0cudg8u8PAz3yFVKdZn1bL2pSqP +Srlw5KMPpkpecDfmrVFX767OkTx9VuqMFfwk4ayHvCIo3F+QEIf1rn0NVwkMMzrq +mhBCibPHQA== +-----END CERTIFICATE----- diff --git a/roles/haproxy-for-ick/files/haproxy.key b/roles/haproxy-for-ick/files/haproxy.key new file mode 100644 index 0000000..63c114c --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.key 
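Review bot: In roles/haproxy-for-ick/defaults/main.yml the comment on `haproxy_domain` says the value is "used for the TLS certificate", but nothing in this commit uses it that way. The only consumer is the FIXME check at the top of tasks/main.yml, because the certbot tasks that would pass it to `-d` are commented out and the certificate is copied from a static file. I would reword the comment to `# Set the domain haproxy serves. Currently only checked for being set; the certbot tasks that would use it are disabled.` The `haproxy_rules` comment should also say that `name`, `path` and each backend are written verbatim into haproxy.cfg, so they must be plain tokens without whitespace or quotes.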
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDB0i3NnfeXZIot +yhXtvN72NVZxk6KRbU4fKOGjss+IUZuOr9OTPP46u059fzf3vpKtk+50qoyZmbTV +4XNJN75xHQirm2gsBWMrr3LV+fRNU+5X6ewu8cSNUmrGENYuSVzP2t/j3pnnxq0P +hmKDJEn45kHG+3xOUHDgvN0bJU3uday3PqImc7/p9T7wglTqWxR0Du3t1ZY8L+qM +xGH5JQxsWEr/t0982fsVrbZeH53Ef+LCh3a0DVuUgaCXuWzIhWE7WcWBUUTbf/V9 +AwKZVPeEMfSGuyTra7gChJZSNWr87b73YiReFWBSmNJ6TwoGUdakis4Gc4xg9+Qu +4pbRY5iHAgMBAAECggEBAI4gCjhBwsHAFtc23dej7LcMK6RDRy1uwp90wejhAO+M +MA50fif0zNPSb970v9yqYTJpTK0+NrWXkZRYqsog10RorufvoHbPSIZLNGEV1gAy +MI9E2E0gOioLKoKs6/GrGCTO8ehNXfwootTEjU5u+NNMPSWlWeSvdeZGd7glJb1a +Qb+801gtedryo73j4+Wntq7KUAuvZO1M88bcI9q8wYVn3RfneJGLZAm/8MF8fqrI +sgtpGgCvPfuA2OvzgnWOEC9O4Cn0HlqGm5BFnoHiBUlo6XJ4yBL1/YdPzjmT1+rS +hNTNSKEGTFQ+qzNQRdaF4WoubfXPJgrMKOeGnMYmgSECgYEA+4t41wZEcnFvIfd+ +5nID8/LqCqLgH0wSW6cavtzjSqhMCV3P7BFT3R5kAYIvl1z7P6Iu7SQX7ucJyoJt +ONTOiaIPl9Sfuc1lYBcyGmBp9+zn8fDUabQZ8vu4kPnEi1oGc3TCl3NDNmi3tzgi +P8PJH3IvLlUCjWnUXfm6s5VaSDECgYEAxUD7UZyAihAxGeKzVfUmHIMJAzObtOMp +K7AcVZ/XYsYUq56sNUcDRv5rv6pUx3ry+Jpa13yoWusxa+7YU+MXV6Glw11Jo2Vl +0QHwYrV4oyYso0MUwlLdck1FgBwRz3yUJGiGjyXL8J0ILCEUwPnb80/I/ekfv82o +Ai3vWbrP9jcCgYB784A6RMZZtnfSvwhzOd+kyCB32UajZXLuYuuU/XerBD9jpiyc +4PT4Us9oxuP4rELKWnrRNCXu/T4f4iE8DfEwdQFGCeojPokjzopL4RKWrtCksc2Z +wLvAtjV+ivVEzbm8Dt8Mjimil/tfd3O5BBsJOdTx+cXmNS4GmNZdQ81XIQKBgBDu +5SQ6ZSZ1AWIRfgexBdaIwStPMNy0a4JemfAXyqumCXw6INpqADQF/0Xy31hIi7cf +uRCqmOFFM3bqiBObeROCwvIkff/S4oywt+whW/vVeRuC1LNh3bTEQWUgA79mGGmP +t41uVzWOpXb0WA3A5Urb3Is/igQzKWsWemefi969AoGBAKlcbc1W+ihSGLWC05TV +OATBzbknGpFz3F7U3ROGHLJLVzwJt8kfBA4RgoIZk4ZRcgwj61GmgFKwUJJG9z27 +SCBw2MAGOW97/pEyY814q6NBMmj943NfsLNtAB9dqfrqfE2KAA84rY0EQIR0+26K +imPnDav0mfZdsnb/mvfiCu8X +-----END PRIVATE KEY----- diff --git a/roles/haproxy-for-ick/files/haproxy.pem b/roles/haproxy-for-ick/files/haproxy.pem new file mode 100644 index 0000000..cf218da --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.pem 
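Review bot: roles/haproxy-for-ick/files/haproxy.key adds an unencrypted private key to the repository, and the same key block is repeated at the top of files/haproxy.pem in the next hunk, which tasks/main.yml installs as `/etc/ssl/haproxy.pem`. Anyone who can read the repository or this patch holds the key, so it has to be treated as disclosed and must not front a real service, even if it was meant as a placeholder. The role README describes a Let's Encrypt certificate, but the certbot tasks are commented out, so every host that applies the role ends up with this shared key. Keep key material out of the role files: generate it on the target, or pass it in from an encrypted vault variable (placeholder name: `content: "{{ haproxy_tls_pem }}"`) with `no_log: true` on the copy task. Also drop haproxy.key and haproxy.crt, which no task in this commit references.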
@@ -0,0 +1,49 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDB0i3NnfeXZIot +yhXtvN72NVZxk6KRbU4fKOGjss+IUZuOr9OTPP46u059fzf3vpKtk+50qoyZmbTV +4XNJN75xHQirm2gsBWMrr3LV+fRNU+5X6ewu8cSNUmrGENYuSVzP2t/j3pnnxq0P +hmKDJEn45kHG+3xOUHDgvN0bJU3uday3PqImc7/p9T7wglTqWxR0Du3t1ZY8L+qM +xGH5JQxsWEr/t0982fsVrbZeH53Ef+LCh3a0DVuUgaCXuWzIhWE7WcWBUUTbf/V9 +AwKZVPeEMfSGuyTra7gChJZSNWr87b73YiReFWBSmNJ6TwoGUdakis4Gc4xg9+Qu +4pbRY5iHAgMBAAECggEBAI4gCjhBwsHAFtc23dej7LcMK6RDRy1uwp90wejhAO+M +MA50fif0zNPSb970v9yqYTJpTK0+NrWXkZRYqsog10RorufvoHbPSIZLNGEV1gAy +MI9E2E0gOioLKoKs6/GrGCTO8ehNXfwootTEjU5u+NNMPSWlWeSvdeZGd7glJb1a +Qb+801gtedryo73j4+Wntq7KUAuvZO1M88bcI9q8wYVn3RfneJGLZAm/8MF8fqrI +sgtpGgCvPfuA2OvzgnWOEC9O4Cn0HlqGm5BFnoHiBUlo6XJ4yBL1/YdPzjmT1+rS +hNTNSKEGTFQ+qzNQRdaF4WoubfXPJgrMKOeGnMYmgSECgYEA+4t41wZEcnFvIfd+ +5nID8/LqCqLgH0wSW6cavtzjSqhMCV3P7BFT3R5kAYIvl1z7P6Iu7SQX7ucJyoJt +ONTOiaIPl9Sfuc1lYBcyGmBp9+zn8fDUabQZ8vu4kPnEi1oGc3TCl3NDNmi3tzgi +P8PJH3IvLlUCjWnUXfm6s5VaSDECgYEAxUD7UZyAihAxGeKzVfUmHIMJAzObtOMp +K7AcVZ/XYsYUq56sNUcDRv5rv6pUx3ry+Jpa13yoWusxa+7YU+MXV6Glw11Jo2Vl +0QHwYrV4oyYso0MUwlLdck1FgBwRz3yUJGiGjyXL8J0ILCEUwPnb80/I/ekfv82o +Ai3vWbrP9jcCgYB784A6RMZZtnfSvwhzOd+kyCB32UajZXLuYuuU/XerBD9jpiyc +4PT4Us9oxuP4rELKWnrRNCXu/T4f4iE8DfEwdQFGCeojPokjzopL4RKWrtCksc2Z +wLvAtjV+ivVEzbm8Dt8Mjimil/tfd3O5BBsJOdTx+cXmNS4GmNZdQ81XIQKBgBDu +5SQ6ZSZ1AWIRfgexBdaIwStPMNy0a4JemfAXyqumCXw6INpqADQF/0Xy31hIi7cf +uRCqmOFFM3bqiBObeROCwvIkff/S4oywt+whW/vVeRuC1LNh3bTEQWUgA79mGGmP +t41uVzWOpXb0WA3A5Urb3Is/igQzKWsWemefi969AoGBAKlcbc1W+ihSGLWC05TV +OATBzbknGpFz3F7U3ROGHLJLVzwJt8kfBA4RgoIZk4ZRcgwj61GmgFKwUJJG9z27 +SCBw2MAGOW97/pEyY814q6NBMmj943NfsLNtAB9dqfrqfE2KAA84rY0EQIR0+26K +imPnDav0mfZdsnb/mvfiCu8X +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIUdxKP8RqYs3OcgUXeSgU8P3l88wMwDQYJKoZIhvcNAQEL +BQAwQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFueSBO +YW1lIExURC4xCzAJBgNVBAYTAlVTMB4XDTIxMDMxNTA5NDcxMloXDTIyMDMxNTA5 
+NDcxMlowQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFu +eSBOYW1lIExURC4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwdItzZ33l2SKLcoV7bze9jVWcZOikW1OHyjho7LPiFGbjq/Tkzz+ +OrtOfX83976SrZPudKqMmZm01eFzSTe+cR0Iq5toLAVjK69y1fn0TVPuV+nsLvHE +jVJqxhDWLklcz9rf496Z58atD4ZigyRJ+OZBxvt8TlBw4LzdGyVN7nWstz6iJnO/ +6fU+8IJU6lsUdA7t7dWWPC/qjMRh+SUMbFhK/7dPfNn7Fa22Xh+dxH/iwod2tA1b +lIGgl7lsyIVhO1nFgVFE23/1fQMCmVT3hDH0hrsk62u4AoSWUjVq/O2+92IkXhVg +UpjSek8KBlHWpIrOBnOMYPfkLuKW0WOYhwIDAQABo1MwUTAdBgNVHQ4EFgQUwPjU +LVoATZ7ZcjgW29v3IwyzXJUwHwYDVR0jBBgwFoAUwPjULVoATZ7ZcjgW29v3Iwyz +XJUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKyTZRVtK4Cyg +cKc6eVUKUk9v9Mr+hJ/WY6hEqX7Kun49EvNg/oK+pQGO73r4CZ6RY7Wud5Op49dn +4szp6fYCEi3Ep7PjZBPb6ngKMXhxlcjq9O/r73N29L2neTgIAVukuYyCJA3A9qXu +PuAYL3IqQbMU4BFkoFo0NmxoeR0zrgyZUtcnsM5zk8uVV1k3ElDnbcYyfC9Xoe3b +fpqCjHe1LmZoStd92eXL2utyzkY8yCH8Hu1xp0cudg8u8PAz3yFVKdZn1bL2pSqP +Srlw5KMPpkpecDfmrVFX767OkTx9VuqMFfwk4ayHvCIo3F+QEIf1rn0NVwkMMzrq +mhBCibPHQA== +-----END CERTIFICATE----- diff --git a/roles/haproxy-for-ick/subplot.md b/roles/haproxy-for-ick/subplot.md new file mode 100644 index 0000000..660cfd3 --- /dev/null +++ b/roles/haproxy-for-ick/subplot.md @@ -0,0 +1,5 @@ +# Role `haproxy` – set up a web proxy using haproxy + +This role sets up a host to be a web proxy using the haproxy +software. However, as I don't plan on working on the role, I haven't +made any acceptance criteria for it yet. diff --git a/roles/haproxy-for-ick/tasks/main.yml b/roles/haproxy-for-ick/tasks/main.yml new file mode 100644 index 0000000..ffce169 --- /dev/null +++ b/roles/haproxy-for-ick/tasks/main.yml 
@@ -0,0 +1,117 @@ +- name: "check haproxy_domain is set" + shell: | + if [ "{{ haproxy_domain }}" = "" ] || [ "{{ haproxy_domain }}" = "FIXME" ] + then + echo "ERROR: MUST set haproxy_domain" 1>&2 + exit 1 + fi + +# - name: "check letsencrypt_email is set" +# shell: | +# if [ "{{ letsencrypt_email }}" = "" ] || [ "{{ letsencrypt_email }}" = "FIXME" ] +# then +# echo "ERROR: MUST set letsencrypt_email" 1>&2 +# exit 1 +# fi + +- name: install haproxy + apt: + name: haproxy + +- name: "install haproxy TLS cert" + copy: + src: haproxy.pem + dest: /etc/ssl/haproxy.pem + mode: 0600 + +# - name: "install certbot" +# apt: +# name: certbot + +# - name: "install daily cron job to create haproxy.pem" +# copy: +# content: | +# #!/bin/sh +# set -eu +# cd /etc/letsencrypt/live/haproxy +# cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem +# systemctl restart haproxy +# dest: /etc/cron.daily/haproxy.pem +# owner: root +# group: root +# mode: 0755 + +# - name: "run certbot" +# shell: | +# set -eu +# certbot certonly \ +# --standalone \ +# --noninteractive \ +# --email "{{ letsencrypt_email }}" \ +# --agree-tos \ +# --expand \ +# --cert-name haproxy \ +# --keep \ +# --pre-hook "systemctl stop haproxy" \ +# --post-hook "systemctl start haproxy" \ +# -d "{{ haproxy_domain }}" +# /etc/cron.daily/haproxy.pem + +- name: "create config dirs" + file: + state: directory + path: "{{ item }}" + owner: root + group: root + mode: 0755 + with_items: + - /etc/haproxy + +- name: "drop haproxy frontends and backends lists" + file: + state: absent + path: "{{ item }}" + with_items: + - /etc/haproxy/frontends + - /etc/haproxy/backends + +- name: "create haproxy frontends list" + shell: | + ( + echo "" + echo " acl {{ item.name }} path_beg {{ item.path }}" + echo " use_backend {{ item.name }} if {{ item.name }}" + ) >> /etc/haproxy/frontends + with_items: + - "{{ haproxy_rules }}" + +- name: "create haproxy backends list" + shell: | + ( + echo "" + echo "backend {{ item.name }}" + i=0 + {% for 
backend in item.backends %} + i="$(expr $i + 1)" + echo " server {{ item.name }}_$i {{ backend }}" + {% endfor %} + ) >> /etc/haproxy/backends + with_items: + - "{{ haproxy_rules }}" + +- name: "copy haproxy preamble" + template: + src: haproxy.cfg.preamble + dest: /etc/haproxy + +- name: "assemble haproxy preamble" + shell: | + cd /etc/haproxy + cat haproxy.cfg.preamble frontends backends > haproxy.cfg + chmod 0755 haproxy.cfg + +- name: enable and start haproxy + service: + state: restarted + enabled: yes + name: haproxy diff --git a/roles/haproxy-for-ick/templates/haproxy.cfg.preamble b/roles/haproxy-for-ick/templates/haproxy.cfg.preamble new file mode 100644 index 0000000..e01bc4e --- /dev/null +++ b/roles/haproxy-for-ick/templates/haproxy.cfg.preamble 
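Review bot: The "create haproxy frontends list" and "create haproxy backends list" tasks paste `{{ item.name }}`, `{{ item.path }}` and `{{ backend }}` straight into a shell script, so any quote, `$` or backtick in `haproxy_rules` is interpreted by the shell Ansible runs on the target (with whatever privilege the play uses, which is not visible here). Rendering both files with `copy: content:` and a Jinja loop removes the shell entirely and makes the separate "drop haproxy frontends and backends lists" task unnecessary, as sketched below; `loop.index` keeps the 1-based server numbering. In the same hunk, "assemble haproxy preamble" ends with `chmod 0755 haproxy.cfg`, which marks a config file executable; `chmod 0644 haproxy.cfg` is enough. The indentation inside the sketch is mine, since the page has lost the original whitespace.

```yaml
# … unchanged: haproxy_domain check, package install, TLS cert copy, config dirs …

- name: "create haproxy frontends list"
  copy:
    dest: /etc/haproxy/frontends
    owner: root
    group: root
    mode: "0644"
    content: |
      {% for rule in haproxy_rules %}

          acl {{ rule.name }} path_beg {{ rule.path }}
          use_backend {{ rule.name }} if {{ rule.name }}
      {% endfor %}

- name: "create haproxy backends list"
  copy:
    dest: /etc/haproxy/backends
    owner: root
    group: root
    mode: "0644"
    content: |
      {% for rule in haproxy_rules %}

      backend {{ rule.name }}
      {% for backend in rule.backends %}
          server {{ rule.name }}_{{ loop.index }} {{ backend }}
      {% endfor %}
      {% endfor %}

# … unchanged: copy preamble, assemble haproxy.cfg, enable and start haproxy …
```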
@@ -0,0 +1,37 @@ +global + log 127.0.0.1 local4 + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + tune.ssl.default-dh-param 2048 + ssl-default-bind-options no-tls-tickets + ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + + +frontend http-in + bind *:80 + bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem + + rspadd Strict-Transport-Security:\ max-age=15768000 -- cgit v1.2.1
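Review bot: The `frontend http-in` block binds `*:80` alongside `*:443` and has no redirect, so every rule that tasks/main.yml appends from /etc/haproxy/frontends is also served in cleartext. The `Strict-Transport-Security` header only takes effect when it arrives over HTTPS. Add `http-request redirect scheme https code 301 unless { ssl_fc }` after the bind lines. `rspadd` is a legacy directive that HAProxy 2.1 and later reject, so `http-response set-header Strict-Transport-Security "max-age=15768000"` is the durable form. The bind line also still permits TLS 1.1; `no-tlsv11` would close that if no client needs it.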