# HAProxy configuration: one TLS-terminating HTTPS frontend and one plaintext
# HTTP frontend, each dispatching to per-service backends (nextcloud, gitea,
# hauk) plus an ACME challenge backend for Let's Encrypt.
# Service addresses such as nextcloud:443 are hostnames, not IPs — presumably
# resolved on a shared container network (verify against the compose/deploy
# setup). ${VAR} tokens are expanded by HAProxy from its environment at load
# time; the config will not load if a referenced variable is unset.

global
    maxconn 4096
    # https://stackoverflow.com/a/50480260
    # https://serverfault.com/a/984667
    # On reload, old worker processes are force-stopped after at most 600s
    # (bounds how long long-lived client connections delay a soft stop).
    hard-stop-after 600s
    #tune.ssl.default-dh-param 2048
    # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are
    # set in this file, so the minimum TLS version and cipher list on the
    # *:443 bind below fall back to the HAProxy build's defaults — confirm
    # those meet the intended policy rather than assuming TLS 1.2+.

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    # Logging is entirely disabled here (all log directives commented out);
    # nothing from either frontend is recorded, which limits after-the-fact
    # investigation of routing or TLS problems.
    #log global
    #log 127.0.0.1 local0 debug
    #option tcplog

# https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
frontend https-in
    mode http
    #bind *:443 ssl crt /etc/letsencrypt/haproxy/${NEXTCLOUD_URL}.pem crt /etc/letsencrypt/haproxy/${GITEA_URL}.pem
    # ${HAPROXY_CERTS} is expected to expand to the `crt <path>` list that the
    # commented line above used to hold (one `crt` per certificate file).
    bind *:443 ssl ${HAPROXY_CERTS}
    # ACME HTTP-01 challenge path; matched first in the use_backend list below.
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    #acl nextcloud-acl ssl_fc_sni ${NEXTCLOUD_URL}
    #acl gitea-acl ssl_fc_sni ${GITEA_URL}
    # Routing is decided on the TLS SNI value, not on the HTTP Host header.
    # The regexes are anchored only at the start (^NAME\.), so any SNI that
    # begins with the service label matches regardless of the domain suffix.
    acl nextcloud-acl ssl_fc_sni_reg ^${NEXTCLOUD_SERVER_NAME}\.
    acl gitea-acl ssl_fc_sni_reg ^${GITEA_SERVER_NAME}\.
    #acl blog1-acl ssl_fc_sni_reg ^${BLOG_1_SERVER_NAME}\.
    acl hauk-acl ssl_fc_sni_reg ^${HAUK_SERVER_NAME}\.
    # use_backend rules are evaluated in order; the first match wins, so the
    # ACME rule takes precedence over the SNI rules for every hostname.
    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend nextcloud if nextcloud-acl
    use_backend gitea if gitea-acl
    #use_backend blog1 if blog1-acl
    use_backend hauk if hauk-acl
    # Connections with no SNI, or an SNI matching none of the ACLs, land on
    # nextcloud.
    default_backend nextcloud

backend nextcloud
    # http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#option%20http-server-close
    #option http-server-close
    #option forwardfor
    #redirect http to https
    #redirect scheme https if !{ ssl_fc }
    # https://www.haproxy.com/de/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
    # https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
    # HSTS for 180 days with includeSubDomains and preload. Note that the
    # `preload` token signals eligibility for browser preload lists, whose
    # submission requirements include redirecting HTTP to HTTPS — the
    # http-in frontend below does not do that (the redirect lines above are
    # commented out).
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    # `ssl verify none`: the backend's certificate is not validated, so this
    # hop is encrypted but not authenticated. Acceptable only if the link to
    # nextcloud:443 is a trusted private network — otherwise switch to
    # `verify required` with `ca-file` (or `ssl-server-verify` globally).
    # `check` enables HAProxy health checks against this server.
    server nextcloud nextcloud:443 maxconn 32 check ssl verify none

backend gitea
    #redirect http to https
    #redirect scheme https if !{ ssl_fc }
    # Same unauthenticated TLS hop as the nextcloud backend (`verify none`).
    server gitea gitea:2443 maxconn 32 check ssl verify none

#backend blog1
#    # https://forum.ghost.org/t/cant-get-full-site-ssl/12478/6
#    # https://blog.woodenstake.se/starting-a-blog-again/
#
#    option forwardfor
#    http-request set-header X-Forwarded-Port %[dst_port]
#    http-request add-header X-Forwarded-Proto https if { ssl_fc }
#    server blog1 blog1:2368 maxconn 32

backend hauk
    # TLS is terminated at the frontend; traffic to hauk continues in
    # plaintext on port 80 (no `check`, so a down server shows up as 503).
    server hauk hauk:80 maxconn 32

frontend http-in
    # Plaintext listener. Apart from ACME challenges, requests are served by
    # the *-insecure backends over HTTP rather than redirected to HTTPS, so a
    # first visit (before any HSTS policy is cached) can carry application
    # traffic, including logins, in the clear.
    bind *:80
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    #acl is_nextcloud hdr_end(host) -i ${NEXTCLOUD_URL}
    #acl is_gitea hdr_end(host) -i ${GITEA_URL}
    # Routing on the client-supplied Host header; regexes anchored only at
    # the start, as in https-in.
    acl is_nextcloud hdr_reg(host) ^${NEXTCLOUD_SERVER_NAME}\.
    acl is_gitea hdr_reg(host) ^${GITEA_SERVER_NAME}\.
    acl is_hauk hdr_reg(host) ^${HAUK_SERVER_NAME}\.
    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend nextcloud-insecure if is_nextcloud
    use_backend gitea-insecure if is_gitea
    use_backend hauk-insecure if is_hauk
    # No default_backend: a Host that matches none of the ACLs gets a 503.
    #default_backend pihole-insecure

backend nextcloud-insecure
    # Browsers are required (RFC 6797) to ignore a Strict-Transport-Security
    # header received over a non-TLS connection, so this directive has no
    # effect on the plaintext path; the effective HSTS policy is the one sent
    # by `backend nextcloud` over HTTPS.
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    server nextcloud nextcloud:80 maxconn 32

backend gitea-insecure
    server gitea gitea:3000 maxconn 32

backend hauk-insecure
    server hauk hauk:80 maxconn 32

#backend pihole-insecure
#    server pihole pihole:80 maxconn 32

# LE Backend
backend letsencrypt-backend
    # 127.0.0.1 is loopback relative to the process (or container network
    # namespace) HAProxy runs in — presumably an ACME client's standalone
    # listener on port 8888; verify the client is actually reachable there.
    # No `check`: if nothing is listening, challenges fail with a 503.
    server letsencrypt 127.0.0.1:8888

# Stats page is disabled; if re-enabled it is bound to loopback only, which
# keeps it off the public interfaces.
#listen admin
#    bind 127.0.0.1:8080
#    stats enable