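# ----- global configuration ----- #
# HAProxy configuration rendered by Ansible (Jinja2). Worker hosts come from
# the 'worker' inventory group; the stats socket path and the optional TLS
# certificate come from the haproxy_* variables used below.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    stats socket {{ haproxy_path_socket }} mode 660 level admin
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # TLS 1.0 and 1.1 are disabled together with SSLv3 (both deprecated by
    # RFC 8996); clients limited to those versions will no longer connect.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    # Same policy for outbound TLS; the backends below are plain HTTP (:80),
    # so these only matter if an ssl server line is added later.
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    tune.ssl.default-dh-param 2048

# ----- default configuration options ----- #
defaults
    mode http
    balance roundrobin
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    # Legacy single-line form of the health check, kept for reference; the
    # 'http-check send' form below is the one in effect.
    #option httpchk HEAD /haproxy.check HTTP/1.1\r\nHost:localhost
    option httpchk
    http-check send meth HEAD uri /haproxy.check ver HTTP/1.1 hdr Host localhost
    maxconn 3000
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    # errorfile 400 /etc/haproxy/errors/400.http
    # errorfile 403 /etc/haproxy/errors/403.http
    # errorfile 408 /etc/haproxy/errors/408.http
    # errorfile 500 /etc/haproxy/errors/500.http
    # errorfile 502 /etc/haproxy/errors/502.http
    # errorfile 503 /etc/haproxy/errors/503.http
    # errorfile 504 /etc/haproxy/errors/504.http

# ----- statistics frontend ----- #
listen stats
    bind :::1936 v4v6
    stats enable
    stats uri /
    stats refresh 30s
    # Do not advertise the HAProxy version on the stats page.
    stats hide-version
    # NOTE(review): these are default credentials on a listener bound to every
    # interface; replace them (e.g. render from an Ansible variable) and/or
    # restrict the bind address before deploying.
    stats auth admin:admin

# ----- frontends ----- #
frontend http
    bind :::80 v4v6
{% if haproxy_sslcert_src|default(False) %}
    bind :::443 v4v6 ssl crt /etc/haproxy/ssl.pem
{% endif %}
    mode http
    # Static assets are routed by path prefix or file extension.
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .jpeg .gif .png .html .htm .css .js
    use_backend static if url_static
    default_backend dynamic

# ----- backends ----- #
backend static
{% for host in groups['worker'] %}
    # NOTE(review): health check is commented out on this backend — confirm
    # that is intentional, since a down worker will keep receiving requests.
    server {{ host }} {{ hostvars[host]['ansible_default_ipv4'].address }}:80 # check
{% endfor %}

backend dynamic
    http-request set-header X-Forwarded-Port %[dst_port]
    # set-header (not add-header) so a client-supplied X-Forwarded-Proto is
    # overwritten rather than forwarded alongside the value set here; the
    # plain-HTTP case is set explicitly for the same reason.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
{% for host in groups['worker'] %}
    server {{ host }} {{ hostvars[host]['ansible_default_ipv4'].address }}:80 check inter 2s fastinter 1s fall 3 rise 2
{% endfor %}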