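# HAProxy edge config: TLS termination for ${BASE_URL} and stream.${BASE_URL},
# stateless ACME http-01 responder, HTTPS redirect, SNI-based routing to two
# plaintext backends. Environment: BASE_URL, ACCOUNT_THUMBPRINT.
global
    maxconn 4096
    # Drop privileges after the :80/:443 binds (binds happen before setuid).
    # NOTE(review): the original ran as root:root; the `haproxy` user/group
    # must exist in the runtime image (it does in the official image).
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # TLS 1.2 minimum; AEAD-only suites (no CBC, no RSA key exchange) so every
    # offered suite has forward secrecy. ciphersuites covers TLS 1.3.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    #log stdout format raw local0 debug
    log stdout format raw local0 notice
    mode http
    balance roundrobin
    maxconn 1024
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    # Bound the time a client may take to send a complete request header;
    # without it a slow-header (slowloris-style) client holds a slot for the
    # full `timeout client`.
    timeout http-request 10s
    #option httpchk HEAD /haproxy?monitor HTTP/1.0
    #timeout check 5s
    # If the stats page is ever enabled: serve it from a dedicated listen/
    # frontend (not the public one below), replace the placeholder password
    # and restrict it by source address.
    #stats enable
    #stats uri /haproxy?stats
    #stats realm Haproxy\ Statistics
    #stats auth admin:yourpasswordhere
    #stats refresh 5s

# PUBLIC
frontend web
    # mode is http, so log the HTTP request line/status rather than tcplog's
    # connection-only record — needed for any request-level investigation.
    option httplog
    bind :80
    # strict-sni: a TLS handshake whose SNI matches no loaded certificate is
    # refused instead of being served the first/default certificate.
    bind :443 ssl crt /certificates strict-sni

    # Removed: `tcp-request inspect-delay 5s` / `tcp-request content accept if
    # { req_ssl_hello_type 1 }`. That fetch only parses a raw, undecrypted
    # ClientHello (TCP-mode SNI passthrough); on an `ssl` bind it never
    # matches and on :80 there is no hello, so the rules were dead.

    # Stateless ACME http-01 responder: for any path under the challenge
    # prefix, answer "<last path segment>.<account key thumbprint>" so no
    # per-challenge state is needed. Must precede the HTTPS redirect so it
    # is reachable on :80.
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Everything past this point arrived over TLS (plain HTTP was redirected
    # above), so the scheme headers can be set unconditionally.
    http-request set-header X-Forwarded-Protocol https
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Ssl on
    http-request set-header X-Url-Scheme https
    # Pin Host to the SNI that selected the certificate so a Host header that
    # disagrees with the SNI cannot reach a backend under a different vhost.
    # Side effect: any :port suffix the client sent in Host is dropped.
    http-request set-header Host %[ssl_fc_sni]

    # CORS. Wildcard origin lets any web page read these responses; that is
    # only acceptable because Access-Control-Allow-Credentials is NOT set, so
    # browsers will not attach cookies/HTTP-auth to cross-origin requests.
    # Do not add Allow-Credentials without replacing "*" with an allow-list.
    # NOTE(review): only GET is allowed, yet Content-Type is in the header
    # allow-list — a cross-origin POST preflight will fail; confirm intended.
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET"

    # HSTS. max-age is mandatory. The `preload` token asks browsers' built-in
    # HSTS lists to include this host, and the preload list requires
    # max-age >= 31536000 (1 year) with includeSubDomains — the previous
    # 16000000 (~6 months) would have been rejected. Use a low value during
    # testing; once preloaded, the domain is hard to remove.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # ACLS
    acl is_base ssl_fc_sni -i "${BASE_URL}"
    acl is_stream ssl_fc_sni -i "stream.${BASE_URL}"

    # Router. A request whose SNI matches neither ACL has no backend and no
    # default_backend is defined, so HAProxy answers 503 — intentional
    # fail-closed behaviour.
    use_backend backend_api if is_base
    use_backend backend_restreamer if is_stream

backend backend_api
    # Pass the client address as X-Forwarded-For (Host is already the SNI).
    option forwardfor
    balance leastconn
    # No httpchk is set, so this is a TCP connect check: down after 2 failed
    # checks, back up only after 4 consecutive successes.
    server api1 api:8080 check inter 5s rise 4 fall 2

backend backend_restreamer
    # Same forwardfor as backend_api so the restreamer sees the real client.
    option forwardfor
    balance leastconn
    server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2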