global
    daemon
    maxconn 1024
    log 127.0.0.1 local0
    stats timeout 30s

    tune.ssl.default-dh-param 2048

defaults
    log global
    log /dev/log local0 notice

    timeout connect 5s
    timeout client 120s
    timeout server 120s
    timeout tunnel 1h

    default-server init-addr last,none resolvers dns

resolvers dns
    parse-resolv-conf

## FRONTENDS ##

# haproxy stuff
frontend http_management
    bind *:8080
    mode http

    # redirects /status to haproxy monitor
    monitor-uri /status

    # redirects /stats to stats backend
    acl prefixed-with-stats path_beg -i /stats
    use_backend haproxy_stats if prefixed-with-stats

    # redirects /metrics to metrics backend
    acl prefixed-with-metrics path_beg -i /metrics
    use_backend haproxy_metrics if prefixed-with-metrics

frontend http_in
    bind *:80
    mode http

    # force https
    redirect scheme https

# https frontend
frontend https_in
    # backend is assumed to be http, perform ssl termination here
    bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1

    mode http
    option httplog

    # set HSTS
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;"

    # set X-Forward-For
    option forwardfor

    # set X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https

    default_backend default_backend

{% for http_route in https_routing %}
    use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}{% if 'allowlist' in http_route %} { src {% for ip in http_route.allowlist %}{{ ip }} {% endfor %}}{% endif %} 
{% endfor %}

## BACKENDS ##

# stat backend
backend haproxy_stats
    mode http
    stats uri /stats
    stats enable
    stats refresh 10s
    stats auth admin:admin

# metric backend
backend haproxy_metrics
    mode http
    http-request use-service prometheus-exporter

backend default_backend
    mode http
    http-request deny deny_status 404

{% for http_route in https_routing %}
# backend for {{ ', '.join(http_route.frontend) }}
backend https_{{ http_route.frontend[0]|replace('.','_') }}
    mode http
    balance roundrobin
{% for dst in http_route.backend %}
    server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2,http/1.1{% endif %} {{ dst.extra_param|default('') }} 
{% endfor %}

{% endfor %}

## TCP ##

{% for tcp_route in tcp_routing %}
frontend tcp_{{ tcp_route.frontend }}
    bind *:{{ tcp_route.frontend }}
    mode tcp
    use_backend tcp_{{ tcp_route.frontend }}

backend tcp_{{ tcp_route.frontend }}
    mode tcp
{% for dst in tcp_route.backend %}
    server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }}
{% endfor %}
{% endfor %}