haproxy.cfg

global
    log /dev/log  local0
    log /dev/log  local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    tune.ssl.default-dh-param 2048
    tune.ssl.maxrecord 1370

defaults
    log     global
    mode    tcp
    option  tcplog
    option  httplog
    option  dontlognull

    retries 3
    option  redispatch
    option  clitcpka
    option  srvtcpka
    option  tcpka
    maxconn 2000
    timeout server  50000
    timeout client  50000
    timeout connect 5000

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#stats auth admin:admin                                                                                                 #    stats uri /monitor

listen HAProxy-Statistics
    bind *:1936
    mode http
    option httplog
    option httpclose
    stats enable
    stats uri /
    stats refresh 10s
    stats show-node
    stats show-legends
    stats show-desc Haproxy Frontend
    stats auth admin:admin

frontend ssl_relay
    bind *:443
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    #Reject SSLv3 fast
    acl sslv3 req.ssl_ver 3
    tcp-request content reject if sslv3
    tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }

    #Find ssh
    acl open_proto_ssh payload(0,7) -m bin 5353482d322e30
    tcp-request content accept if open_proto_ssh

    #Find vpn
    acl sslvpn req.ssl_sni -i server

    use_backend https_one if  { req.ssl_sni -m end .ch }
    use_backend https_one if  { req.ssl_sni -m end .org }
    use_backend openvpn   if  sslvpn
    use_backend openssh   if  open_proto_ssh
    default_backend openvpn

backend https_one
    option          http-keep-alive
    option          forwardfor

    #Remove headers that expose security-sensitive information.
    rspidel ^Server:.*$
    rspidel ^X-Powered-By:.*$
    rspidel ^X-AspNet-Version:.*$

    #Redirect to nginx local
    server web 127.0.0.1:4443

backend openvpn
    mode tcp
    timeout server 2h
    timeout client 2h
    timeout connect 2h
    server openvpn-server 127.0.0.1:1194

backend openssh
    mode tcp
    option tcplog
    timeout server 2h
    server openssh-server 127.0.0.1:22