Create haproxy-moonfire-tls-client.conf #134
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| # | ||
| # This is an example file for providing moonfire-nvr TLS connection support using IPv6. | ||
| # Additionally, this example provides client certificate authentication. | ||
|
|
||
| # This example will allow users on the same /64 subnet to access moonfire-nvr | ||
| # without a client certificate. | ||
| # | ||
| # For this to work properly, the server requires a FQDN assigned to the IPv6 | ||
| # address for the server certificate. | ||
| # | ||
| # Please replace MYSERVERCERT, MYROOT_CA, MYSUBJECTDNCHECK as apropiate. | ||
| # And ensure rights are proper for accessing the certificaates. | ||
| # | ||
| # For my usage, I utilize a DDNS service and a Cert/Key management system. | ||
| # | ||
| # The IPv6 local check depends on the network prefix with a /64. Replace | ||
| # MYIPv6NetworkSubnet with the local network prefix. | ||
| # | ||
| # This is running on an RPI4/RaspberryPI OS running multiple cameras at a remote site. | ||
| # Source build without Docker. | ||
| # | ||
| # Note: I have modified the Systemd unit file to reflect binding to [::1]:8080 | ||
| # | ||
| # As with anything else, this may be a starting place. Improvements are a neccessity for life. | ||
| # | ||
|
|
||
|
|
||
|
|
||
| global | ||
| log /dev/log local0 | ||
| log /dev/log local1 notice | ||
| chroot /var/lib/haproxy | ||
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | ||
| stats timeout 30s | ||
| user haproxy | ||
| group haproxy | ||
| daemon | ||
|
|
||
| # Default SSL material locations | ||
| ca-base /etc/ssl/certs | ||
| crt-base /etc/ssl/private | ||
|
|
||
| # Default ciphers to use on SSL-enabled listening sockets. | ||
| # For more information, see ciphers(1SSL). This list is from: | ||
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | ||
| # An alternative list with additional directives can be obtained from | ||
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | ||
| ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | ||
| ssl-default-bind-options no-sslv3 | ||
|
|
||
| defaults | ||
| log global | ||
| mode http | ||
| option httplog | ||
| option dontlognull | ||
| timeout connect 5000 | ||
| timeout client 50000 | ||
| timeout server 50000 | ||
| errorfile 400 /etc/haproxy/errors/400.http | ||
| errorfile 403 /etc/haproxy/errors/403.http | ||
| errorfile 408 /etc/haproxy/errors/408.http | ||
| errorfile 500 /etc/haproxy/errors/500.http | ||
| errorfile 502 /etc/haproxy/errors/502.http | ||
| errorfile 503 /etc/haproxy/errors/503.http | ||
| errorfile 504 /etc/haproxy/errors/504.http | ||
|
|
||
|
|
||
| frontend https | ||
| bind :::443 v6only ssl crt *MYSERVERCERT*.pem verify optional ca-file *MYROOT_CA*.pem crt-ignore-err all ca-ignore-err all | ||
| http-request add-header X-Forwarded-Proto https | ||
|
There was a problem hiding this comment. It looks like you can do something similar here to pass the original IP address also: http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#4-option%20forwardfor |
||
|
|
||
| # Testing for Client Certificate used | ||
| acl clientssl ssl_c_used | ||
| acl clientssl ssl_c_s_dn(OU) "*MYSUBJECTDNCHECK*" | ||
|
|
||
| # Testing for local IPv6 | ||
| acl LocalIPv6 src *MYIPv6NetworkSubnet*::/64 | ||
|
|
||
| # Standard Interface test | ||
| use_backend moonfire if LocalIPv6 | ||
| use_backend moonfire if clientssl | ||
|
|
||
| # Fail if not local and no client cert provided | ||
| http-request deny if !LocalIPv6 !clientssl | ||
|
|
||
|
|
||
| backend moonfire | ||
| http-request add-header X-Forwarded-Host %[req.hdr(Host)] | ||
|
There was a problem hiding this comment. Moonfire NVR doesn't pay any attention to There was a problem hiding this comment. This is me learning about how Moonfire works. This was my first attempt (borrowed from another situation) and it seemed to work. There was a problem hiding this comment. Yeah, that's totally cool. I think with just a couple changes it'll exactly match what Moonfire NVR expects, and we just need to decide between putting it in the repository or the wiki. I'm leaning toward putting it in the wiki, and moving the my nginx example config there too. |
||
| server ipv6 [::1]:8080 | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
case in point: necessity has one c. ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I live in a world where AI smell checking and flying cars already happened.