| # This is a test configuration. It listens on port 8443, waits for an incoming |
| # connection, and applies the following rules : |
| # - if the address is in the white list, then accept it and forward the |
| # connection to the server (local port 443) |
| # - if the address is in the black list, then immediately drop it |
| # - otherwise, wait up to 3 seconds for valid SSL data to come in. If those |
| # data are identified as SSL, the connection is immediately accepted, and |
| # if they are definitely identified as non-SSL, the connection is rejected, |
| # which will happen upon timeout if they still don't match SSL. |
| |
| listen block-non-ssl |
| log 127.0.0.1:514 local0 |
| option tcplog |
| |
| mode tcp |
| bind :8443 |
| timeout client 6s |
| timeout server 6s |
| timeout connect 6s |
| |
| tcp-request inspect-delay 4s |
| |
| acl white_list src 127.0.0.2 |
| acl black_list src 127.0.0.3 |
| |
| # note: SSLv2 is not used anymore, SSLv3.1 is TLSv1. |
| acl obsolete_ssl req_ssl_ver lt 3 |
| acl correct_ssl req_ssl_ver 3.0-3.1 |
| acl invalid_ssl req_ssl_ver gt 3.1 |
| |
| tcp-request content accept if white_list |
| tcp-request content reject if black_list |
| tcp-request content reject if !correct_ssl |
| |
| balance roundrobin |
| server srv1 127.0.0.1:443 |
| |