global
    maxconn 4096
    user root
    group root
    daemon

    tune.ssl.default-dh-param       2048
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
    log global
    mode http
    balance roundrobin
    maxconn 1024

#   This breaks HTTP2
#    option abortonclose
    option httpclose
    option forwardfor

    retries 3
    option redispatch

    timeout client  30s
    timeout connect 30s
    timeout server  30s

    #option httpchk HEAD /haproxy?monitor HTTP/1.0
    #timeout check 5s
    #stats enable
    #stats uri     /haproxy?stats
    #stats realm   Haproxy\ Statistics
    #stats auth    admin:yourpasswordhere
    #stats refresh 5s

cache mapscache
    total-max-size 1023   # MB
    max-object-size 10000 # bytes
    max-age 30            # seconds

frontend http
    bind :80
    option http-server-close
    redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
    default_backend certbot

backend certbot
    server c1 certbot:80

frontend https
    bind :443 ssl crt /certificates alpn http/1.1

    # CORS
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET"

    # ACL
    acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
    acl is_forestnet hdr(host)-i forest.deflax.net
    acl is_forestdb hdr(host) -i db.forest.deflax.net
    acl is_osmap hdr(host) -i map.deflax.net
    
    tcp-request connection reject if is_forestdb !is_allowed

    use_backend forestnet if is_forestnet
    use_backend forestdb if is_forestdb
    use_backend osmap if is_osmap

backend osmap
    # Get from cache / put in cache
    http-request cache-use mapscache
    http-response cache-store mapscache
    # server list
    server s1 osmtile:80 check

backend forestnet
    # server list
    server s1 flask:5000 check

backend forestdb
    server s1 pgadmin:80 check

#backend docs.deflax.net
#    # server list
#    server s1 swagger:80 check