global
    log stdout  format raw  local0  info
    maxconn 2000

    # intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets


defaults
    log global
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    unique-id-header X-Edge-Request-ID
    option httplog

    timeout connect    3s
    timeout client    10s
    timeout server    10m
    errorfile 400 /etc/easyhaproxy/haproxy/errors-custom/400.http
    errorfile 403 /etc/easyhaproxy/haproxy/errors-custom/403.http
    errorfile 408 /etc/easyhaproxy/haproxy/errors-custom/408.http
    errorfile 500 /etc/easyhaproxy/haproxy/errors-custom/500.http
    errorfile 502 /etc/easyhaproxy/haproxy/errors-custom/502.http
    errorfile 503 /etc/easyhaproxy/haproxy/errors-custom/503.http
    errorfile 504 /etc/easyhaproxy/haproxy/errors-custom/504.http


frontend stats
    bind *:1936
    mode http
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:password
    default_backend srv_stats

backend srv_stats
    mode http
    server Local 127.0.0.1:1936

frontend http_in_80
    bind *:80
    mode http

    acl is_rule_test_example_org_80_1 hdr(host) -i test.example.org
    acl is_rule_test_example_org_80_2 hdr(host) -i test.example.org:80
    acl is_certbot_test_example_org_80 path_beg /.well-known/acme-challenge/
    http-request redirect scheme https code 301 if !is_certbot_test_example_org_80 is_rule_test_example_org_80_1 OR !is_certbot_test_example_org_80 is_rule_test_example_org_80_2
    use_backend certbot_backend if is_certbot_test_example_org_80 is_rule_test_example_org_80_1 OR is_certbot_test_example_org_80 is_rule_test_example_org_80_2

    acl is_rule_test2_example_org_80_1 hdr(host) -i test2.example.org
    acl is_rule_test2_example_org_80_2 hdr(host) -i test2.example.org:80
    use_backend srv_test2_example_org_80 if is_rule_test2_example_org_80_1 OR is_rule_test2_example_org_80_2

backend srv_test_example_org_80
    balance roundrobin
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request set-header X-Request-ID %[uuid()]
    server srv-0 f5c645a0dfc6:80 check weight 1
    server srv-1 b63438410b6a:80 check weight 1
backend srv_test2_example_org_80
    balance roundrobin
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request set-header X-Request-ID %[uuid()]
    server srv-0 83d57d592e26:8080 check weight 1

frontend http_in_443
    bind *:443  ssl crt /etc/easyhaproxy/certs/certbot/ alpn h2,http/1.1 crt /etc/easyhaproxy/certs/haproxy/ alpn h2,http/1.1
    mode http

    acl is_rule_test_example_org_443_1 hdr(host) -i test.example.org
    acl is_rule_test_example_org_443_2 hdr(host) -i test.example.org:443
    use_backend srv_test_example_org_443 if is_rule_test_example_org_443_1 OR is_rule_test_example_org_443_2

backend srv_test_example_org_443
    balance roundrobin
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request set-header X-Request-ID %[uuid()]
    server srv-0 f5c645a0dfc6:80 check weight 1 verify none
    server srv-1 b63438410b6a:80 check weight 1 verify none

backend certbot_backend
    mode http
    server certbot 127.0.0.1:2080
