# Process-wide settings: logging, runtime API socket, and default TLS policy.
global
    # Send logs to stdout in raw format, facility local0, up to debug level.
    log stdout  format raw  local0  debug

    # Fork into the background after start-up.
    daemon
    # Cap on concurrent connections for the process.
    maxconn 256
    # Runtime API on a UNIX socket, file mode 660 (owner and group read/write).
    # No "level" keyword is given, so HAProxy's default level ("operator")
    # applies. Access control rests on the socket file and on the permissions
    # of the /haproxy_control directory, so keep group membership narrow.
    stats socket /haproxy_control/stats mode 660
    # Disabled. NOTE(review): if re-enabled, prefer a directory that only the
    # haproxy user can write to over /tmp.
    #server-state-file /tmp/server_state

    # whole container is started as non-root
    #user haproxy
    #group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Mozilla Guideline v5.7 intermediate configuration
    # The ssl-default-bind-* settings only affect "bind" lines that carry the
    # "ssl" keyword. No bind line in this template as shown uses "ssl" (the
    # 443 and 16443 frontends are TCP pass-through), so this policy takes
    # effect only if a TLS-terminating bind is added, e.g. by a child template.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # SSLv3, TLS 1.0 and TLS 1.1 are refused; stateless session tickets are off.
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Same policy for outgoing TLS; it only affects "server" lines that carry
    # the "ssl" keyword, and none of the server lines shown here do.
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # end Mozilla config

    # DH parameter size used for the DHE-* suites listed above.
    tune.ssl.default-dh-param 2048

    # Add random jitter (percent of the interval) to health-check timing so
    # that checks against the same servers do not all fire at once.
    spread-checks 20

# Settings inherited by every frontend/backend below unless overridden there.
defaults
    log global
    # HTTP is the default mode; the 443 and 16443 sections override it with
    # "mode tcp".
    mode http
    option httplog
    option dontlognull
    option redispatch
    # Adds an X-Forwarded-For header carrying the client address (HTTP mode
    # only). Client-supplied X-Forwarded-For headers are not stripped, so
    # backends should trust only the value appended by this proxy. The
    # "mode tcp" sections cannot add headers, so their backends see the
    # load balancer's address as the connection source.
    option forwardfor
    # funny looking values because recommendation is to have these slightly
    # above multiples of three seconds to play nice with TCP resend timers
    timeout check 5s
    timeout connect 4s
    # NOTE(review): no "timeout tunnel" is set, so the "mode tcp" sections are
    # also subject to these 17s inactivity timeouts - confirm this suits
    # long-lived connections on 443/16443.
    timeout client 17s
    timeout server 17s
    # Bounds how long a client may take to send a complete request, which
    # limits slow-request connection hogging.
    timeout http-request 5s

    # never fail on address resolution
    # (resolve via libc at start-up; if that fails, start the server with no
    # address instead of aborting)
    default-server init-addr libc,none
    # Default algorithm; the backends in the "backend" block set leastconn.
    balance roundrobin

# Loopback-only HTTP listener that serves the stats page of backend "LB".
frontend LB-http
    # expose stats info over HTTP to exabgp
    # Bound to 127.0.0.1 only; the stats page behind it has no "stats auth",
    # so this loopback binding is what limits who can read it.
    bind 127.0.0.1:9000
    # Do not log requests arriving on this listener.
    http-request set-log-level silent
    default_backend LB

# Server-less backend whose only job is to answer the stats URI.
backend LB
    stats enable
    # hide-version is commented out, so the stats page shows the HAProxy
    # version. As shown, the page is only reachable through the loopback
    # frontend LB-http and has no "stats auth"; if that frontend is ever
    # bound to a non-loopback address, enable hide-version and add
    # authentication.
    #stats hide-version
    stats uri /haproxy_stats

{% block frontend %}
# Plain-HTTP listener on port 80 (IPv4 and IPv6); inherits "mode http".
frontend http-frontend
    bind 0.0.0.0:80
    bind :::80

    # Unconditional: every request on port 80 is sent to the letsencrypt
    # backend, not only ACME challenge paths.
    # NOTE(review): if only HTTP-01 challenges are meant to pass, a path ACL
    # would narrow what reaches the backend nodes - confirm intent.
    use_backend {{site_name}}__letsencrypt

# TCP pass-through listener on port 443 (IPv4 and IPv6). The bind lines have
# no "ssl" keyword, so TLS is not terminated here: protocol versions, ciphers
# and certificates are decided by the backend servers, and the global
# ssl-default-bind-* policy does not apply to this traffic.
frontend {{ site_name }}
    # NOTE(review): defaults already sets "log global" with the same target;
    # confirm this extra line does not produce duplicate log entries.
    log stdout format raw local0 debug
    mode tcp
    bind 0.0.0.0:443
    bind :::443

    # NOTE(review): the stats page is an HTTP feature; in a "mode tcp"
    # frontend this directive is expected to be ignored (with a start-up
    # warning) - confirm and consider removing it.
    stats enable

    use_backend {{ site_name }}__default

# TCP pass-through listener on port 16443, all IPv4 and IPv6 addresses.
# No source-address restriction is configured in this section, so any
# filtering has to happen outside HAProxy or on the backends.
# NOTE(review): the server names suggest this is a Kubernetes API port -
# presumably authentication is enforced by the backends; confirm that
# exposing it on all interfaces is intended.
frontend {{ site_name }}__16443
    mode tcp
    bind 0.0.0.0:16443
    bind :::16443

    use_backend {{ site_name }}__16443
{% endblock frontend %}

{% block backend %}
# TCP backend for port 16443: three servers at literal IPv4 addresses,
# least-connections balancing.
# Health checks run every 1s; a server is marked up after 30 consecutive
# successes and down after 3 consecutive failures. No check type is
# configured, so the check is a plain TCP connect and does not verify TLS or
# application health.
backend {{ site_name }}__16443
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:16443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:16443 check inter 1s rise 30 fall 3
# TCP backend for port 443 pass-through: the same three servers, reached on
# port 443, least-connections balancing. TLS from the client is forwarded
# untouched; the server lines carry no "ssl" keyword.
# Health checks are plain TCP connects (1s interval, up after 30 successes,
# down after 3 failures); they do not validate the TLS handshake or the
# certificate served by the backend.
backend {{ site_name }}__default
    mode tcp
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:443 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:443 check inter 1s rise 30 fall 3
# HTTP backend that receives everything from the port-80 frontend: the same
# three servers, reached on port 80 in clear text, least-connections
# balancing.
# No "option httpchk" is set, so the health check is a TCP connect only
# (1s interval, up after 30 successes, down after 3 failures).
backend {{ site_name }}__letsencrypt
    mode http
    balance leastconn
    server internal-dco-test-k8sc-1.streams.sunet.se_v4 89.47.191.134:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-2.streams.sunet.se_v4 89.47.191.169:80 check inter 1s rise 30 fall 3
    server internal-dco-test-k8sc-3.streams.sunet.se_v4 89.47.190.18:80 check inter 1s rise 30 fall 3
{% endblock backend %}