# {{ ansible_managed }}
#
# HAProxy configuration rendered by Ansible.
# Layout: a port-80 HTTP frontend that only redirects known hosts to HTTPS,
# a port-443 TLS-terminating frontend that selects a backend by SNI
# (optionally restricted by client source address), and one HTTP backend per
# entry of `web_forwards` (keys used below: redirect_name, hostname, redirect,
# redirect_port, and an optional `restrict` list of source addresses).

global
    user haproxy
    group haproxy
    # DH parameter size for the DHE-* suites in the cipher list below.
    tune.ssl.default-dh-param 2048
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice

defaults
    timeout client 600000   # maximum inactivity time on the client side (ms)
    timeout server 600000   # maximum inactivity time on the server side (ms)
    timeout connect 8000    # maximum time to wait for a connection attempt to a server to succeed (ms)
    retries 5
    # Allow a retried connection to go to another server of the backend
    # instead of sticking to the one that failed.
    option redispatch

frontend unsecured
    mode http
    bind :80
    # Nothing is served in cleartext: each known Host header is redirected to
    # its HTTPS counterpart. No default_backend is set, so any other Host has
    # no backend to go to.
{% for redir in web_forwards %}
    acl di_{{ redir.redirect_name }} hdr(host) -i {{ redir.hostname }}
    redirect prefix https://{{ redir.hostname }} if di_{{ redir.redirect_name }}
{% endfor %}

frontend web_ssl
    # TLS is terminated here (`ssl` on the bind line) with two certificate
    # bundles; HAProxy picks between multiple `crt` entries by SNI.
    # Only SSLv3 is disabled — this line does not exclude TLS 1.0/1.1
    # (no ssl-min-ver / no-tlsv1x here).
    # Cipher list: ECDHE/DHE GCM and CBC suites first, then the non-forward-
    # secret AES256-SHA. DES-CBC3-SHA is listed but removed again by the
    # trailing `!3DES`/`!DES` exclusions, so that entry is dead weight.
    bind :443 ssl crt {{ di_certificates_wildcard_dualinventive_bundle }} crt {{ di_certificates_wildcard_mtinfo3000_bundle }} no-sslv3 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    mode tcp
    # Content-inspection window for the tcp-request content rules below.
    tcp-request inspect-delay 5s
    # NOTE(review): per the HAProxy docs, req_ssl_hello_type only parses raw
    # (undeciphered) request bytes and does not work on a bind line carrying
    # `ssl`. With TLS terminated above, this accept rule is expected never to
    # match, and routing effectively relies on the ssl_fc_sni rules that
    # follow — confirm against the HAProxy version in use.
    tcp-request content accept if { req_ssl_hello_type 1 }
{% for redir in web_forwards %}
    # Route by the SNI the client presented (case-insensitive exact match).
    acl sni_{{ redir.redirect_name }} ssl_fc_sni -i {{ redir.hostname }}
{% if redir.restrict|default([])|length > 0 %}
    # Source-address allowlist: only the listed addresses/ranges reach this
    # backend; any other client presenting this SNI is rejected at the TCP
    # layer. The port-80 redirect in `frontend unsecured` applies no such
    # restriction.
    acl allowed_{{ redir.redirect_name }} src {{ redir.restrict | join(" ") }}
    use_backend backend_{{ redir.redirect_name }} if sni_{{ redir.redirect_name }} allowed_{{ redir.redirect_name }}
    tcp-request content reject if sni_{{ redir.redirect_name }} !allowed_{{ redir.redirect_name }}
{% else %}
    use_backend backend_{{ redir.redirect_name }} if sni_{{ redir.redirect_name }}
{% endif %}
{% endfor %}

{% for redir in web_forwards %}
backend backend_{{ redir.redirect_name }}
    # HTTP-mode backend behind a TCP-mode frontend (HAProxy switches the
    # stream to HTTP processing once the backend is selected — verify this is
    # supported by the HAProxy version in use).
    mode http
    option http-server-close
    # Adds X-Forwarded-For with the client address for the upstream server.
    option forwardfor
    # One upstream per entry; `check` enables health checks on it.
    server {{ redir.redirect }} {{ redir.redirect }}:{{ redir.redirect_port }} check
    # Stats are enabled in every generated backend, so /haproxymonitor is
    # served for any routed host. The credential on `stats auth` is a plaintext
    # literal stored in this template (and therefore in version control);
    # source it from a vaulted variable instead — rotating it currently
    # requires a template change.
    stats enable
    stats auth monitor:DualInventive
    stats uri /haproxymonitor
    stats refresh 5s
    errorfile 503 /etc/haproxy/errors/503.http
{% endfor %}