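# HAProxy configuration (Jinja2 template).
#
# Template inputs:
#   haproxy_backends - mapping of backend name -> {"httpchk": <optional check line>,
#                      "server_defs": [<server line>, ...]}; each key becomes a
#                      backend named bk_<name>.
#
# Runtime files referenced but not managed here:
#   /etc/haproxy/hostname2backend.map  - Host header (lowercased) -> backend name
#   /etc/haproxy/certs/                - TLS certificates (PEM)
#   /etc/haproxy/errorfiles/*.http     - custom error pages
#
# NOTE(review): the frontend routes ACME challenges to bk_apache, so
# haproxy_backends must contain an "apache" entry; nothing here checks that.

global
    log 127.0.0.1:514 local0
    log 127.0.0.1:514 local1 notice
    chroot /var/lib/haproxy
    # Admin socket: mode 660 limits it to the haproxy user/group; "level admin"
    # allows runtime state changes, so keep the group membership tight.
    stats socket /run/haproxy_admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # TLS 1.2 and lower are limited to ECDHE; SSLv3/TLS1.0/TLS1.1 are disabled
    # on both the client-facing and the server-facing side.
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers AES128+ECDHE:AES256+ECDHE
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option tcp-smart-connect
    option tcp-smart-accept
    # use kernel splice system call to lower latency
    option splice-auto
    # forwardfor adds X-Forwarded-For with the client address for every backend
    option forwardfor
    option socket-stats
    # no option http-use-htx
    # http-request timeout bounds slow-header (slowloris-style) clients
    timeout http-request 20s
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # unit-less value: 800 milliseconds
    timeout check 800
    errorfile 400 /etc/haproxy/errorfiles/400.http
    errorfile 403 /etc/haproxy/errorfiles/403.http
    errorfile 408 /etc/haproxy/errorfiles/408.http
    errorfile 500 /etc/haproxy/errorfiles/500.http
    errorfile 502 /etc/haproxy/errorfiles/502.http
    errorfile 503 /etc/haproxy/errorfiles/503.http
    errorfile 504 /etc/haproxy/errorfiles/504.http

frontend http
    bind *:80 name http_v4
    bind [::]:80 name http_v6
    bind *:443 name https_v4 ssl crt /etc/haproxy/certs/mail.0rpheus.net.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1
    bind [::]:443 name https_v6 ssl crt /etc/haproxy/certs/mail.0rpheus.net.pem crt /etc/haproxy/certs/ ecdhe secp384r1 alpn h2,http/1.1

    # NOTE(review): compressing text/html over TLS exposes responses that mix
    # attacker-controlled input with secrets (e.g. CSRF tokens) to BREACH-style
    # side channels; confirm the backends' pages are not affected before keeping
    # text/html in this list.
    compression algo gzip
    compression type text/html text/plain text/javascript application/javascript application/xml text/css

    # HSTS (31536000 seconds = 1 year). Browsers ignore HSTS received over
    # plaintext, so only emit it on TLS connections.
    http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc }
    http-response set-header X-Content-Type-Options nosniff

    # Set protocol headers from the real frontend scheme. Setting them
    # unconditionally (overwriting any client-supplied value) means a plaintext
    # request that is not redirected below (unmapped hosts, ACME challenges)
    # would otherwise be presented to the backend as https.
    http-request set-header HTTP_X_FORWARDED_PROTO https if { ssl_fc }
    http-request set-header HTTP_X_FORWARDED_PROTO http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    # force https for known domains
    acl hostname_has_backend hdr(Host),lower,map(/etc/haproxy/hostname2backend.map) -m found
    http-request redirect scheme https code 301 if !{ ssl_fc } hostname_has_backend

    # Let's encrypt: ACME challenges are routed to bk_apache with a fixed Host
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    http-request set-header Host certbot if letsencrypt-acl
    use_backend bk_apache if letsencrypt-acl

    # stats backend
    # NOTE(review): /haproxy is reachable from any client on either port with no
    # "stats auth" and no source ACL; restrict it (e.g. "stats auth" in bk_stats
    # or an "src" ACL on this rule) before exposing this frontend publicly.
    acl stats-acl path_beg /haproxy
    use_backend bk_stats if stats-acl

    # routing for known domains
    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)] if hostname_has_backend

{% for backend in haproxy_backends %}
backend bk_{{ backend }}
{% if haproxy_backends[backend]["httpchk"] is defined %}
    option httpchk {{ haproxy_backends[backend]["httpchk"] }}
{% endif %}
{% for server_def in haproxy_backends[backend]["server_defs"] %}
    server {{ server_def }}
{% endfor %}
{% endfor %}

backend bk_stats
    # statistics backend (read-only: "stats admin" is not enabled)
    stats uri /
    stats enable
    stats show-node
    stats refresh 30s
    # do not advertise the HAProxy version on the stats page
    stats hide-version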