{% extends 'common/haproxy_base.j2' %}
{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}

{#
  Variant of the shared bind_ip_tls macro: emits one TLS "bind" line per
  address and appends an extra string of bind keywords to each of them
  (used below to pass the client-certificate verification options).
  bind_ips - list of addresses to listen on
  port     - TCP port used for every bind line
  tls_cert - server certificate bundle handed to "crt"
  extra    - additional bind keywords, appended verbatim
#}
{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
{%- for ip in bind_ips %}
    bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
{%- endfor %}
{%- endmacro %}

{% block frontend %}
frontend {{ site_name }}
    {# "verify optional": a client certificate is requested but not required.
       "crt-ignore-err all": verification errors on the presented leaf
       certificate (expired, unknown issuer, ...) do not abort the handshake,
       so HAProxy accepts any client certificate; the backend receiving the
       client-cert header below is responsible for the actual validation.
       Errors in CA certificates further up the chain (depth > 0) are governed
       by ca-ignore-err, which is not set here. #}
    {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
    {# Bound how long a client may take to send the full request headers and
       how long an idle keep-alive connection is held open. #}
    timeout http-request 10s
    timeout http-keep-alive 4s
    {# forwardfor adds the connecting address as an X-Forwarded-For header
       without removing a client-supplied one, so the backend should only
       trust the last value. set-header replaces any existing header of the
       same name, so neither X-Forwarded-Proto nor client-cert can be injected
       by the client. client-cert carries the client certificate as base64
       DER (presumably empty when no certificate was presented - confirm).
       NOTE(review): the backend receives no indication of HAProxy's own
       verify result against the ca-file; if the application relies on it,
       forwarding ssl_c_verify alongside the DER would make that explicit -
       confirm with the application's expectations. #}
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header client-cert %{+Q}[ssl_c_der,base64]
    {# Shared security response headers (exact directives live in
       common/haproxy_macros.j2) and, presumably, ACME challenge routing
       to the Let's Encrypt server before the default backend catches
       everything else. #}
    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
    {{ acme_challenge(letsencrypt_server) }}
    use_backend {{ site_name }}__default
{% endblock frontend %}

{% block backend %}
{# Backends are rendered by output_backends, which is defined outside this
   file (presumably in haproxy_base.j2). Health check: GET /status/healthy
   must return a body containing STATUS_OK; a 404 puts the server into
   maintenance (disable-on-404) and send-state adds HAProxy's view of the
   server state to the check request.
   NOTE(review): the check request carries no Host header; confirm the
   backend accepts a host-less HTTP/1.1 request. #}
{{ output_backends(backends,
                   config=['option httpchk GET /status/healthy HTTP/1.1',
                           'http-check expect string STATUS_OK',
                           'http-check send-state',
                           'http-check disable-on-404',
                           ],
                   ) }}
{% endblock backend %}