# {{ ansible_managed }}

##########
# Global #
##########

global
    ca-base  /etc/ssl/certs
    chroot   /var/lib/haproxy
    crt-base /etc/ssl/private
    log /dev/log local0 info
    log /dev/log local1 notice
    log-tag haproxy
    maxconn 20000
    pidfile /var/run/haproxy.pid
    spread-checks 8

    ssl-default-bind-ciphers        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options        prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-HA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options      no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-server-verify               none

    stats socket /var/lib/haproxy/stats mode 600 level admin

    tune.bufsize              65536
    tune.maxrewrite           32768
    tune.ssl.cachesize        100000
    tune.ssl.default-dh-param 2048
    tune.ssl.lifetime         600
    tune.ssl.maxrecord        1460

############
# Defaults #
############

defaults 000-main
    compression algo gzip
    compression type text/html text/plain text/xml text/css text/javascript application/javascript application/json text/json image/svg+xml
    log global
    mode http

    option httplog
    option http-server-close
    option dontlognull
    option forwardfor
    option redispatch

    retries 3

    stats realm Haproxy\ Statistics
    stats show-desc Haproxy\ Statistics
    stats show-node {{ ansible_hostname }}
    stats uri /haproxy-stats
    stats refresh 5s
    stats hide-version
    stats show-legends

    timeout http-request 60s
    timeout queue        60s
    timeout connect      60s
    timeout client       60s
    timeout server       60s
    timeout check        10s

############
# Userlist #
############

userlist prod
    group ADMIN
    user brainsys password  $6$whKvhQcRLecqnNlC$CZS.p3EHfJDmC9H6KDeLkwOddLOPvPuEUDsaR3iLGbXU3eJ9kKcGDfq.Y59qgX2Q10x2Q2QuJ0lAcs0T2eAfa. groups ADMIN

#############
# Frontends #
#############

frontend stats
    bind   *:8404
    option httpclose
    stats  enable
    stats  uri /stats
    stats  refresh 10s
    http-request use-service prometheus-exporter if { path /metrics }

frontend prd_frontend1
    bind {{ haproxy_bind_ip }}:80
    bind {{ haproxy_bind_ip }}:443 ssl crt /etc/haproxy/ssl/certs

    mode http
    option http-server-close
    option forwardfor
    log-format %ci\ -\ [%Tl]\ %{+Q}r\ %ST\ %B\ %{+Q}hrl\ ---\ %{+Q}[var(txn.SCHEME)]\ %{+Q}[var(txn.COUNTRY)]\ %b\ %s\ %{+Q}hsl\ %Tq/%Tw/%Tc/%Tr/%Tt

    ## acl ##
    acl has_DEBUG                       always_false
    acl has_SCHEME_HTTPS                ssl_fc
    acl has_BYPASS_MAINTENANCE          always_false
    acl has_MAINTENANCE                 always_false
    acl has_BYPASS_CACHE                hdr_sub(X-Requested-With) XMLHttpRequest
    acl has_BYPASS_CACHE                method POST
    acl has_AUTHORIZATION               always_false
    acl has_HEADER_X_FORWARDED_FOR      hdr(X-Forwarded-For) -m found
    acl has_HEADER_CF_CONNECTING_IP     hdr(CF-Connecting-IP) -m found
    acl has_HEADER_CF_TRUE_CLIENT_IP    hdr(True-Client-IP) -m found # was cf_hdr_found
    acl to_RESTRICTED_AREA              path_beg -i /haproxy-stats
    acl to_ACME_CHALLENGE               path_beg /.well-known/acme-challenge/
    acl is_auth_ok                      http_auth(prod)
    acl is_HAPROXY_STATS                path_beg -i /haproxy
    acl is_localhost                    hdr(host) -i localhost
    acl is_POST                         method POST
    acl is_DELETE                       method DELETE
    acl disable_AUTH_to_RESTRICTED_AREA always_false
    acl disable_REDIRECT_TO_HTTPS       always_false
    acl disable_REDIRECT_TO_HTTPS       hdr(host) -i localhost {{ ansible_hostname }}
    acl disable_REDIRECT_TO_HTTPS       path_beg -i /.well-known/acme-challenge/


    ## capture ##
    capture request  header X-Forwarded-For len 64
    capture request  header CF-Connecting-IP len 64
    capture request  header Referer len 64
    capture request  header User-Agent len 512
    capture request  header Host len 128
    capture response header Content-Length len 10
    capture response header X-Cache len 4
    capture response header X-Cache-Hits len 8
    capture response header Cache-Control len 64
    capture response header X-UA-Device len 8

    ## http-response ##
    http-response add-header Strict-Transport-Security max-age=15768000
    http-response add-header Referrer-Policy no-referrer-when-downgrade
    http-response del-header Server if !has_DEBUG
    http-response del-header X-Generator if !has_DEBUG
    http-response del-header X-Apache-Server-ID if !has_DEBUG
    http-response del-header X-Vhost-ID if !has_DEBUG
    http-response del-header x-url if !has_DEBUG
    http-response del-header X-UA-Device if !has_DEBUG
    http-response del-header X-Cache-Hits if !has_DEBUG
    http-response del-header X-Powered-By if !has_DEBUG
    http-response del-header X-Served-By if !has_DEBUG
    http-response del-header X-Varnish-Ip if !has_DEBUG
    http-response del-header X-Varnish-Port if !has_DEBUG
    http-response del-header via if !has_DEBUG
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options nosniff
    http-response del-header content-security-policy-report-only
    # no follow / no index !!!
    http-response set-header X-Robots-Tag "noindex, nofollow"

    ## http-request ##
    http-request set-src hdr_ip(CF-Connecting-IP) if has_HEADER_CF_CONNECTING_IP 
    http-request set-src hdr_ip(X-Forwarded-For) if has_HEADER_X_FORWARDED_FOR 
    http-request set-src hdr(True-Client-IP) if has_HEADER_CF_TRUE_CLIENT_IP
    http-request set-header X-Client-IP %[src]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https if has_SCHEME_HTTPS
    http-request set-header X-Forwarded-Port 443 if has_SCHEME_HTTPS
    http-request set-header X-Forwarded-Port 80 if !has_SCHEME_HTTPS
    http-request set-var(txn.SCHEME) hdr(X-Forwarded-Proto)
    http-request set-var(txn.host) hdr(Host)
    http-request set-var(txn.path) path
    http-request redirect code 301 scheme https if !has_SCHEME_HTTPS !disable_REDIRECT_TO_HTTPS
    http-request del-header authorization if to_RESTRICTED_AREA has_AUTHORIZATION
    http-request del-header user-agent if { hdr(user-agent) -i HAPROXY-LB-Check VARNISH-LB-Check  }
    http-request del-header Authorization if is_auth_ok
    http-request deny if to_RESTRICTED_AREA !has_AUTHORIZATION
    http-request deny if is_HAPROXY_STATS !is_localhost
    http-request auth realm "haproxy statistics - Limited access" if !is_auth_ok is_HAPROXY_STATS
    http-request auth realm "You need a valid user and password to access this content. Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected" if to_RESTRICTED_AREA !has_AUTHORIZATION !disable_AUTH_to_RESTRICTED_AREA
    ## end http-request ##

    ## use backends ##
    default_backend prd_backend

############
# Backends #
############
backend prd_backend
     mode http
     server nginx 127.0.0.1:80 check inter 3s