#
# Serve ACME certificate validation challenges and act as an
# SSL reverse-proxy for an arbitrary backend service.
#
global
    log stdout format raw local0 "${PROXY_LOGLEVEL}"

    lua-load /etc/haproxy/lua/haproxy-acme-validation-plugin-0.1.1/acme-http01-webroot.lua

    tune.ssl.default-dh-param 4096
    
	# TLS 1.2-
	ssl-default-bind-ciphers      ECDHE+CHACHA20:ECDHE+AES128:ECDHE+AES256:!MD5
	# TLS 1.3+
	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	# Require TLS 1.2 or higher
	ssl-default-bind-options      ssl-min-ver TLSv1.2 prefer-client-ciphers
	# Works around breaking change in docker 23+ - just uses the old docker default value
	fd-hard-limit 1048576

defaults
    log global
    mode http
    log-format "%T %ft %ci:%cp %s %TR/%Tw/%Tc/%Tr/%Ta %{+Q}r %ST %ac/%fc/%bc/%sc/%rc %sq/%bq"
    timeout connect 30s
    timeout client 60s
    timeout server 60s
    timeout tunnel 720m
    # never fail on address resolution
    default-server init-addr none

resolvers docker_resolver
    nameserver dns 127.0.0.11:53


frontend stats
   bind *:8404
   http-request use-service prometheus-exporter if { path /metrics }
   stats enable
   stats uri /stats
   stats refresh 10s

frontend http
    bind *:80

    # Serve certificate validation challenges directly with Lua plugin
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01

    # Static health endpoint for docker healthcheck (don't log it)
    acl url_docker_health path /docker-health
    http-request set-log-level silent if url_docker_health
    http-request return status 200 if url_docker_health

    # Redirect all http requests to https
    redirect scheme https code 301 if !url_acme_http01 !url_docker_health

frontend https
    bind *:443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets

    # Optional: redirects for root requests with certain host names to service paths
    acl is_root path -i /

	.if defined(PROXY_HOST_REDIRECT_1_TARGET)
		acl is_redirect_1 hdr(host) -i ${PROXY_HOST_REDIRECT_1_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_1_TARGET) if is_root is_redirect_1
	.endif
	.if defined(PROXY_HOST_REDIRECT_2_TARGET)
		acl is_redirect_2 hdr(host) -i ${PROXY_HOST_REDIRECT_2_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_2_TARGET) if is_root is_redirect_2
	.endif
	.if defined(PROXY_HOST_REDIRECT_3_TARGET)
		acl is_redirect_3 hdr(host) -i ${PROXY_HOST_REDIRECT_3_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_3_TARGET) if is_root is_redirect_3
	.endif
	.if defined(PROXY_HOST_REDIRECT_4_TARGET)
		acl is_redirect_4 hdr(host) -i ${PROXY_HOST_REDIRECT_4_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_4_TARGET) if is_root is_redirect_4
	.endif
	.if defined(PROXY_HOST_REDIRECT_5_TARGET)
		acl is_redirect_5 hdr(host) -i ${PROXY_HOST_REDIRECT_5_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_5_TARGET) if is_root is_redirect_5
	.endif
	.if defined(PROXY_HOST_REDIRECT_6_TARGET)
		acl is_redirect_6 hdr(host) -i ${PROXY_HOST_REDIRECT_6_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_6_TARGET) if is_root is_redirect_6
	.endif
	.if defined(PROXY_HOST_REDIRECT_7_TARGET)
		acl is_redirect_7 hdr(host) -i ${PROXY_HOST_REDIRECT_7_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_7_TARGET) if is_root is_redirect_7
	.endif
	.if defined(PROXY_HOST_REDIRECT_8_TARGET)
		acl is_redirect_8 hdr(host) -i ${PROXY_HOST_REDIRECT_8_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_8_TARGET) if is_root is_redirect_8
	.endif
	.if defined(PROXY_HOST_REDIRECT_9_TARGET)
		acl is_redirect_9 hdr(host) -i ${PROXY_HOST_REDIRECT_9_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_9_TARGET) if is_root is_redirect_9
	.endif
	.if defined(PROXY_HOST_REDIRECT_10_TARGET)
		acl is_redirect_10 hdr(host) -i ${PROXY_HOST_REDIRECT_10_NAME}
		http-request redirect code 302 location https://env(DOMAINNAME)env(PROXY_HOST_REDIRECT_10_TARGET) if is_root is_redirect_10
	.endif

    # Enable X-Forwarded header(s)
    option forwardfor
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header Strict-Transport-Security max-age=15768000

    acl auth path_beg /auth
    use_backend keycloak_backend if auth
    use_backend manager_backend

listen mqtt
    bind *:8883 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
    mode tcp
    #Use this to avoid the connection loss when client subscribed for a topic and its idle for sometime
    option clitcpka # For TCP keep-alive
    timeout client 3h #By default TCP keep-alive interval is 2hours in OS kernal, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
    timeout server 3h #By default TCP keep-alive interval is 2hours in OS kernal
    option logasap
    log-format "%T %ft CLIENT=%ci:%cp BACKEND=%bi:%bp %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
    balance leastconn

    server manager "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers docker_resolver

backend manager_backend
  server manager "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers docker_resolver

backend keycloak_backend
  server keycloak "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers docker_resolver