# haproxy for SUNET frontend load balancer nodes.
#
{% from "common/haproxy_macros.j2" import output_backends %}

{% block global %}
global
    # Log to stdout (container-friendly). "debug" is the most verbose
    # level; presumably intended for the container log collector -- confirm
    # it is not too chatty once the node is in service.
    log stdout  format raw  local0  debug

    daemon
    # Process-wide cap on concurrent connections (not per frontend).
    maxconn 256
    # Runtime API / stats socket; mode 660 restricts it to the socket's
    # owner and group, so only what shares that group can drive HAProxy.
    stats socket /haproxy_control/stats mode 660
    #server-state-file /tmp/server_state

    # whole container is started as non-root
    #user haproxy
    #group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Mozilla Guideline v5.7 intermediate configuration
    # "bind" settings apply to client-facing TLS, "server" settings to TLS
    # towards backends. Both lists are AEAD/ECDHE-or-DHE only (forward secrecy).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # prefer-client-ciphers: honour the client's preference order;
    # no-tls-tickets: disable stateless session tickets (typically chosen so
    # forward secrecy does not depend on a long-lived ticket key).
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # end Mozilla config

    # Size of the DH parameters used for the DHE-* ciphers above when the
    # certificate file carries none of its own.
    tune.ssl.default-dh-param 2048

    # Randomise health-check intervals by up to 20% so checks against the
    # same backend do not all fire in lockstep.
    spread-checks 20



{% endblock global %}


{% block defaults %}
defaults
    # Inherit the global log target; every section below is HTTP mode
    # unless it overrides this.
    log global
    mode http
    option httplog
    # do not log sessions that exchanged no data (e.g. TCP probes)
    option dontlognull
    # if the chosen server cannot be reached, retry on another one
    option redispatch
    # add X-Forwarded-For with the client address; backends should only
    # trust that header on requests arriving from these LB nodes
    option forwardfor
    # funny looking values because recommendation is to have these slightly
    # above multiples of three seconds to play nice with TCP resend timers
    timeout check 5s
    timeout connect 4s
    timeout client 17s
    timeout server 17s
    # bounds how long a client may take to send a complete request header,
    # which limits how long a slow or idle client can hold a connection
    timeout http-request 5s

    # never fail on address resolution: resolve via libc first and, if the
    # name does not resolve at startup, bring the server up without an
    # address ("none") instead of refusing to load the whole config
    default-server init-addr libc,none
    balance roundrobin
{% endblock defaults %}

{% block stats %}
frontend LB-http
    # expose stats info over HTTP to exabgp
    # Loopback only. There is no "stats auth" in this block, so the bind
    # address is the only access control on the stats page.
    bind 127.0.0.1:9000
    # do not log these local polls
    http-request set-log-level silent
    default_backend LB

backend LB
    # no servers are defined here; this backend exists to serve the stats page
    stats enable
    # left disabled, so the HAProxy version is shown on the stats page;
    # re-enable if that disclosure is unwanted
    #stats hide-version
    stats uri /haproxy_stats
{% endblock stats %}


{% block global_backends %}
{% if letsencrypt_server is defined %}
# ACME http-01 challenge traffic (see the http-frontend below) is forwarded
# in clear text on port 80 to the letsencrypt host. The server line carries
# no "check", so this backend is never health-checked.
backend letsencrypt_{{ letsencrypt_server }}
  server letsencrypt_{{ letsencrypt_server }} {{ letsencrypt_server }}:80
{% else %}
# letsencrypt_server not defined -- no ACME backend rendered
{% endif %}
{% endblock global_backends %}


{% block https_everything %}
#
# Redirect _everything_ to HTTPS
frontend http-frontend
    bind 0.0.0.0:80
    bind :::80

    # 301 every plain-HTTP request to https, except ACME http-01 challenge
    # paths, which must stay reachable over port 80
    redirect scheme https code 301 if !{ ssl_fc } ! { path_beg /.well-known/acme-challenge/ }
{% if letsencrypt_server is defined %}
    use_backend letsencrypt_{{ letsencrypt_server }} if { path_beg /.well-known/acme-challenge/ }
{% else %}
    # letsencrypt_server not defined: challenge paths are excluded from the
    # redirect above but have no backend to go to (this frontend sets no
    # default_backend), so they receive an error until one is configured
{% endif %}
{% endblock https_everything %}

#
# Frontend section
#
{% block frontend %}
# intentionally empty: site-specific frontends are added by overriding
# this block in a child template
{% endblock frontend %}


#
# Backend section
#
{% block pre_backend %}
# intentionally empty: hook for child templates to emit anything that must
# precede the generated backends
{% endblock pre_backend %}

{% block backend %}
# render the backends from the `backends` variable via the shared macro
# (imported from common/haproxy_macros.j2); config=[] presumably means no
# extra per-backend directives -- see the macro for its exact contract
{{ output_backends(backends, config=[]) }}
{% endblock backend %}