TLS
xmrig edited this page Dec 12, 2019
Latest version of this page: https://xmrig.com/docs/proxy/tls
XMRig-proxy does not natively support SSL/TLS for incoming connections, but you can put the proxy behind haproxy.
Sample `/etc/haproxy/haproxy.cfg`. This config gets an A rating on the ssllabs.com test.
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 400000

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    option dontlognull
    timeout connect 5000

frontend xmrig
    bind 0.0.0.0:443 name https ssl crt /etc/haproxy/certs/donate.ssl.xmrig.com.pem
    mode tcp
    option tcplog
    default_backend xmrig_backend
    timeout client 10m

frontend proxy
    bind 0.0.0.0:8443 name https ssl crt /etc/haproxy/certs/donate.ssl.xmrig.com.pem
    mode tcp
    option tcplog
    default_backend proxy_backend
    timeout client 10m

backend xmrig_backend
    mode tcp
    server proxy 127.0.0.1:3333 check
    timeout connect 5s
    timeout server 10m

backend proxy_backend
    mode tcp
    server proxy 127.0.0.1:5555 check
    timeout connect 5s
    timeout server 10m
```
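Because haproxy terminates TLS here and talks plaintext to the proxy on 127.0.0.1, the setup only holds while every `bind` carries `ssl` and every `server` stays on loopback. The following audit script is an added example, not part of the original page or the XMRig project; `audit`, `SAMPLE_CFG`, the "legacy" sections and the 192.0.2.10 address are constructed for illustration, and it only inspects `ssl-default-bind-options`, not per-bind overrides.

```python
import ipaddress

# Constructed sample: trimmed from the page's config, plus a hypothetical
# "legacy" frontend/backend pair that breaks the TLS-termination assumptions.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3
frontend xmrig
    bind 0.0.0.0:443 name https ssl crt /etc/haproxy/certs/donate.ssl.xmrig.com.pem
    default_backend xmrig_backend
frontend legacy
    bind 0.0.0.0:8080
    default_backend legacy_backend
backend xmrig_backend
    server proxy 127.0.0.1:3333 check
backend legacy_backend
    server proxy 192.0.2.10:3333 check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def audit(cfg_text):
    """Return a sorted list of (section, finding) tuples for a haproxy.cfg."""
    findings, section, global_opts = [], None, []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif section == "global" and words[0] == "ssl-default-bind-options":
            global_opts += words[1:]
        elif words[0] == "bind" and len(words) > 1 and "ssl" not in words[2:]:
            findings.append((section, f"bind {words[1]} accepts plaintext"))
        elif words[0] == "server" and len(words) >= 3:
            host = words[2].rsplit(":", 1)[0].strip("[]")
            try:
                local = ipaddress.ip_address(host).is_loopback
            except ValueError:
                local = host == "localhost"
            if not local and "ssl" not in words[3:]:
                findings.append((section, f"server {words[2]} is plaintext off-host"))
    if "no-sslv3" not in global_opts:
        findings.append(("global", "no-sslv3 missing from ssl-default-bind-options"))
    return sorted(findings)

if __name__ == "__main__":
    for sec, msg in audit(SAMPLE_CFG):
        print(f"{sec}: {msg}")
```

To check a live file, pass its contents to `audit()` after `haproxy -c -f /etc/haproxy/haproxy.cfg` has confirmed that the syntax is valid.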