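#HAproxy version: 1.6.13-1ppa1~trusty
# https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#send-proxy
# https://blog.feryn.eu/varnish-4-1-haproxy-get-the-real-ip-by-leveraging-proxy-protocol-support/
#
# Layout: TLS is terminated in the www-https frontend, ACME challenges are
# split off to a local responder, everything else goes to the Varnish pool.

global
    # log /dev/log local0
    # log /dev/log local1 notice
    chroot /var/lib/haproxy
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    # log /var/log/haproxy.log local0
    # log /var/log/haproxy.log local1 notice
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # Refuse SSLv3 on every "ssl" bind (POODLE). Add a ssl-default-bind-ciphers
    # line here as well once the supported client set is known.
    ssl-default-bind-options no-sslv3
    maxconn 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Append the client address so Varnish and the front servers see the real source IP.
    option forwardfor header X-Forwarded-For
    option http-server-close
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

## If switching website from http to https, uncomment below to keep the facebook likes
#frontend www
#    bind *:80
#    mode http
#    reqadd X-Forwarded-Proto:\ http
#    acl facebook_user_agent hdr_sub(User-Agent) -i Facebot facebookexternalhit/1.1
#    use_backend www-backend-fb if facebook_user_agent
#    default_backend varnish_pool

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/.pem
    # set-header rather than reqadd: reqadd only appends, so a client-supplied
    # X-Forwarded-Proto would reach the backend alongside ours and whichever the
    # application reads first wins. set-header replaces any incoming copy.
    http-request set-header X-Forwarded-Proto https
    http-request set-header HTTP_X_FORWARDED_PROTO https
    http-request set-header HTTP-X-FORWARDED-PROTO https
    http-request set-header X-Forwarded-Port 443
    # ACME HTTP-01 challenges are answered by the local responder, not Varnish.
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    ## If switching website from http to https, uncomment below to keep the facebook likes
    # acl facebook_user_agent hdr_sub(User-Agent) -i Facebot facebookexternalhit/1.1
    # use_backend www-backend-fb if facebook_user_agent
    default_backend varnish_pool

## If switching website from http to https, uncomment below to keep the facebook likes
#backend www-backend-fb
#    balance roundrobin
#    mode http
#    reqadd X-Forwarded-Proto:\ https
#    reqadd HTTP_X_FORWARDED_PROTO:\ https
#    reqadd HTTP-X-FORWARDED-PROTO:\ https
#    default-server inter 15s fall 3 rise 2
#    option httpchk GET / HTTP/1.0
#    http-check expect status 200
#    server front1 :80 check
#    server front2 :80 check
#    server front3 :80 check

backend varnish_pool
    # Only reachable over plain HTTP if the commented "frontend www" is enabled.
    redirect scheme https if !{ ssl_fc }
    # Use the roundrobin strategy for distributing load amongst the servers
    # leastconn: The server with the lowest number of connections receives the connection. This is better for servers with long-running connections (LDAP, SQL, TSE), but not necessarily for short-lived connections (HTTP).
    balance roundrobin
    # pass HTTP requests to the servers listed
    mode http
    # Browser hardening headers; set on every response regardless of what the app sends.
    http-response set-header X-Frame-Options DENY
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # The site is served over TLS only, so pin that in the browser as well.
    # max-age is six months; lengthen it once the https move is final.
    http-response set-header Strict-Transport-Security max-age=15768000
    default-server inter 15s fall 3 rise 2
    option httpchk GET / HTTP/1.0
    http-check expect status 200
    server front1 :80 check
    server front2 :80 check
    server front3 :80 check

backend letsencrypt-backend
    # Standalone ACME client listening locally during certificate renewal.
    server letsencrypt 127.0.0.1:54321

listen statistics
    # Listens on every interface; bind to an internal address or firewall this
    # port if the stats page is not meant to be reachable from the outside.
    bind *:1936
    mode http
    stats enable
    stats refresh 30s
    stats show-node
    stats uri /stats
    stats hide-version
    # Placeholder credentials: replace before deploying. An empty "user:password"
    # pair (as in "stats auth :") leaves the stats page open to anyone who can
    # reach the port.
    stats auth STATS_USER:STATS_PASSWORD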