From 70416407f5d205e677d69f1970c7748c7f851623 Mon Sep 17 00:00:00 2001 From: Massaki Archambault Date: Wed, 7 Jun 2023 14:22:35 -0400 Subject: [PATCH] better logging --- group_vars/all.yml | 12 ++++++++++++ roles/haproxy/templates/haproxy.cfg | 26 +++++++++++++++++--------- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index ba7a694..4024991 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,6 +31,18 @@ haproxy: extra_param: backup - server: 192.168.20.24 extra_param: backup + - frontend: + - hass.badjware.dev + backend: + - server: 192.168.20.20 + - server: 192.168.20.21 + extra_param: backup + - server: 192.168.20.22 + extra_param: backup + - server: 192.168.20.23 + extra_param: backup + - server: 192.168.20.24 + extra_param: backup - frontend: - s3.badjware.dev backend: diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index a34dcbf..fdf84f0 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -7,10 +7,13 @@ global tune.ssl.default-dh-param 2048 defaults + log global + log /dev/log local0 notice + timeout connect 5s timeout client 120s timeout server 120s - log global + timeout tunnel 1h default-server init-addr last,none resolvers dns 
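Review bot: The new `hass.badjware.dev` route copies the same five-entry backend list (192.168.20.20 primary, .21–.24 as `backup`) that the route above it appears to end with, so this is a further verbatim copy that will drift from the others when a host is added or retired. If the template iterates over `backend` the same way for every route, declare the list once with a YAML anchor (`backend: &shared_backend`) and reference it with `backend: *shared_backend` on each route. Nothing in this hunk sets `ssl:` for the route, so it falls back to the template's `ssl|default(true)` and speaks TLS to port 443 on those hosts; a short comment on the route saying that is intended would help the next reader.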
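Review bot: The `log /dev/log local0 notice` line added to `defaults` caps that target at level `notice`, but HAProxy emits HTTP access logs at level `info`, so the `option httplog` traffic this commit enables will not reach that target and will only go to whatever `log global` inherits from the `global` section, which lies outside the hunk. If the line is meant to carry access logs, use `log /dev/log local0 info` (or drop the level); if it is only meant for admin notices, say so, e.g. `# notice-level only: access logs go through the global log targets`. It is also worth confirming that `global` does not already point at /dev/log local0, since `log global` plus an explicit `log` here would then emit every message twice.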
@@ -35,24 +38,29 @@ frontend http_management acl prefixed-with-metrics path_beg -i /metrics use_backend haproxy_metrics if prefixed-with-metrics +frontend http_in + bind *:80 + mode http + + # force https + redirect scheme https + # https frontend frontend https_in - bind *:80 # backend is assumed to be http, perform ssl termination here bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1 mode http - option forwardfor - - # force https - http-request redirect scheme https unless { ssl_fc } + option httplog # set HSTS http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;" + # set X-Forward-For + option forwardfor + # set X-Forwarded-Proto - http-request set-header X-Forwarded-Proto http if !{ ssl_fc } - http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-Forwarded-Proto https # request is ssl # tcp-request inspect-delay 5s @@ -84,7 +92,7 @@ backend https_{{ http_route.frontend[0]|replace('.','_') }} mode http balance roundrobin {% for dst in http_route.backend %} - server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} {{ dst.extra_param|default('') }} + server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2,http/1.1{% endif %} {{ dst.extra_param|default('') }} {% endfor %}
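Review bot: `redirect scheme https` in the new `http_in` frontend is the legacy redirect form and defaults to a 302, so clients treat the HTTP→HTTPS redirect as temporary and will keep retrying :80 first; the line it replaces used the `http-request` form, which is the one that composes with other `http-request` rules. Prefer `http-request redirect scheme https code 301`. Separately, `option httplog` is added only to `https_in`, so requests hitting :80 are still logged in the default format; moving `option httplog` into `defaults` would cover both frontends for a commit titled "better logging". The `https_in` frontend continues past the end of this hunk.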
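Review bot: The touched `server` line still carries `ssl verify none`, so the TLS hop to each 192.168.20.x backend is encrypted but not authenticated — HAProxy accepts any certificate, including one presented by a host that has taken over a backend address. If the backends present certificates that chain to a CA you control, `ssl verify required ca-file <trusted-ca-bundle> sni str(<backend hostname>)` closes that gap; otherwise add a comment on the line stating that the internal hop is deliberately unauthenticated so it is not mistaken for an oversight. The `alpn h2,http/1.1` fallback added here looks correct for backends that do not negotiate HTTP/2. The enclosing `backend` definition starts before this hunk.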