# This is a test configuration. It listens on port 8443, waits for an incoming
# connection, and applies the following rules, in this order:
#   - if the source address is in the white list, accept it and forward the
#     connection to the server (local port 443) without inspecting the data
#   - if the source address is in the black list, drop it immediately
#   - otherwise, wait up to 4 seconds (the "tcp-request inspect-delay" below)
#     for valid SSL data to come in. If the data is identified as SSL, the
#     connection is accepted at once; if it is definitely identified as
#     non-SSL, the connection is rejected. The rejection also happens when
#     the delay expires and the bytes received still do not look like SSL.
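listen block-non-ssl
    # One log line per connection, sent to the local syslog daemon.
    log 127.0.0.1:514 local0
    option tcplog

    mode tcp
    # NOTE(review): ":8443" listens on every local address. For a test
    # setup, "bind 127.0.0.1:8443" keeps the probe port off the network.
    bind :8443
    timeout client 6s
    timeout server 6s
    timeout connect 6s

    # Hold the connection for at most 4s while waiting for enough bytes to
    # classify the client hello. The content rules below are evaluated as
    # soon as a decision is possible, or when this delay expires.
    tcp-request inspect-delay 4s

    # Source-address lists. Both are single loopback aliases here, so the
    # behaviour can be exercised locally; a real deployment would load them
    # from a file (src -f <path>).
    acl white_list src 127.0.0.2
    acl black_list src 127.0.0.3

    # Client-hello protocol version as reported by req_ssl_ver:
    #   2.0 = SSLv2, 3.0 = SSLv3, 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2
    # TLSv1.3 clients advertise 3.3 (legacy_version) in the hello and 3.1
    # or 3.3 in the record header, so 3.0-3.3 covers every SSLv3-framed
    # hello. The earlier "3.0-3.1" range rejected TLSv1.1 and later as
    # "non-SSL", which contradicts the purpose stated in the header.
    # This is protocol *detection* only: which versions and ciphers are
    # actually permitted is decided by the TLS endpoint on port 443, and
    # SSLv3 / TLSv1.0 should be disabled there.
    acl correct_ssl req_ssl_ver 3.0-3.3

    # Rule order matters: a white-listed source is forwarded without any
    # protocol check, and a black-listed one is dropped before inspection.
    tcp-request content accept if white_list
    tcp-request content reject if black_list
    # Rejects what is definitely not SSL. While req_ssl_ver cannot be
    # evaluated yet the rule waits; once the inspect-delay expires the ACL
    # no longer matches, so a client that sent nothing usable is rejected
    # (see the header comment). Do not rewrite this as "reject if
    # obsolete || invalid": an undetermined version would then fall
    # through to accept at expiry instead of being rejected.
    tcp-request content reject if !correct_ssl

    balance roundrobin
    server srv1 127.0.0.1:443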