#global configuration
global
	# optional: extensively log incoming requests
	# logs end up where /etc/rsyslog.d/haproxy.conf decides
	# right now thats in /var/log/haproxy.log
	# also enable the lines in default
	log /dev/log local0 notice

	# drop back from root asap
	user haproxy
	group haproxy
	# limit the number of processes and threads
	# since we run on limited hw
	nbproc 1
	nbthread 1
	# limit connections (due to hw)
	maxconn 200


defaults
	# optional loggin
	log global
	option httplog

	# timeouts
    timeout client 30s
    timeout connect 4s
    timeout server 30s
    # timeouts to limit ddos capabilities
    timeout http-request 10s
    timeout http-keep-alive 2s
    timeout queue 5s
    timeout tunnel 2m
    timeout client-fin 1s
    timeout server-fin 1s


frontend stats
	mode http
	bind *:9999
	stats enable
	stats uri /stats
	stats refresh 1s
	
	# stats admin false
	stats auth admin:pass

	# stats page only accessible from two ips
	acl network_allowed src 192.168.1.46 LOCALHOST
	http-request deny if !network_allowed


frontend matrix
	mode http
	bind *:8448 ssl crt /etc/ssl/certs/domain.dev.pem
	acl url_matrix path_beg /_matrix
	use_backend matrix if url_matrix


frontend http
	mode http
	bind *:80 # only used for letsencryt backend

	# redirect if using http, except if meant for letsencrypt
	# backend. code 301 (permanent redirect) as we only host https
	acl url_letsencrypt path_beg /.well-known/acme-challenge/
	http-request redirect scheme https code 301 unless url_letsencrypt
	use_backend letsencrypt

frontend https
	mode http
	bind *:443 ssl crt /etc/ssl/certs/domain.dev.pem

	# req.hdr(host) gets the url, change to lowercase then
	# send request to a backend following the map
	# note that no spaces are allowed here
	use_backend %[base,lower,map_beg(/etc/haproxy/hosts.map)]


backend letsencrypt # no need to check health
	mode http
	server certbot 127.0.0.1:42

backend server_a # no need to check health
	mode http
	server webserver 127.0.0.1:43 check

backend server_b
	mode http
	server conduit 127.0.0.1:44 check

backend server_c
	mode http
	server microbin 127.0.0.1:45 check

backend server_d
    mode http
    server home_automation 127.0.0.1:46 check

backend server_e
    mode http
    server  data_splitter 127.0.0.1:47 check

backend server_f
    mode http
    server data_server 127.0.0.1:48 check

backend server_g
    mode http
    server data_server_dev 127.0.0.1:49 check