global log /dev/stderr local0 log /dev/stderr local1 notice user haproxy group haproxy # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /usr/local/etc/haproxy/errors/400.http errorfile 403 /usr/local/etc/haproxy/errors/403.http errorfile 408 /usr/local/etc/haproxy/errors/408.http errorfile 500 /usr/local/etc/haproxy/errors/500.http errorfile 502 /usr/local/etc/haproxy/errors/502.http errorfile 503 /usr/local/etc/haproxy/errors/503.http errorfile 504 /usr/local/etc/haproxy/errors/504.http frontend www mode http bind :80 bind :443 ssl crt /usr/local/etc/haproxy/certs acl has_domain hdr_sub(host) -i comfycamp.space http-request redirect scheme https if !{ ssl_fc } has_domain http-request set-header X-Forwarded-Proto http if !{ ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc } http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if { ssl_fc } has_domain acl host_mastodon hdr(host) -i m.comfycamp.space acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion acl path_streaming_api path_beg /api/v1/streaming use_backend mastodon_streaming if host_mastodon path_streaming_api use_backend mastodon_streaming if host_mastodon_tor path_streaming_api use_backend mastodon if host_mastodon || host_mastodon_tor acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443 acl path_matrix path_beg /_matrix acl path_matrix path_beg /_synapse/client use_backend matrix if host_matrix path_matrix acl host_s3 hdr(host) -i s3.comfycamp.space use_backend minio if host_s3 acl host_peertube hdr(host) -i v.comfycamp.space acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion use_backend peertube if host_peertube || host_peertube_tor acl host_authentik hdr(host) -i auth.comfycamp.space use_backend authentik if host_authentik acl host_nextcloud hdr(host) -i nc.comfycamp.space acl url_discovery path /.well-known/caldav /.well-known/carddav http-request redirect location /remote.php/dav/ code 301 if host_nextcloud url_discovery acl path_well_known path_beg /.well-known http-request redirect location /index.php%[capture.req.uri] if host_nextcloud path_well_known use_backend nextcloud if host_nextcloud acl host_comfycamp hdr(host) -i comfycamp.space acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion use_backend comfycamp if host_comfycamp || host_comfycamp_tor acl host_vaultwarden hdr(host) -i vault.comfycamp.space use_backend vaultwarden if host_vaultwarden acl host_minio hdr(host) -i minio.comfycamp.space use_backend minio_console if host_minio acl host_git hdr(host) -i git.comfycamp.space use_backend forgejo if host_git acl host_jellyfin hdr(host) -i jf.comfycamp.space use_backend jellyfin if host_jellyfin acl host_grafana hdr(host) -i grafana.comfycamp.space use_backend grafana if host_grafana acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space use_backend mta_sts if host_mta_sts frontend matrix-federation bind *:8448 ssl crt /usr/local/etc/haproxy/certs http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } default_backend matrix frontend authentik_ldap mode tcp bind *:389 default_backend authentik_ldap backend comfycamp mode http http-response set-header Onion-Location http://comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion%[capture.req.uri] server green comfycamp:4000 check backend mastodon mode http option forwardfor http-response set-header Referrer-Policy same-origin http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri] server s1 mastodon-web-1:3000 check server s2 mastodon-web-2:3000 check backend mastodon_streaming mode http option forwardfor option http-server-close timeout tunnel 1h server green mastodon-streaming:4000 check backend vaultwarden mode http option forwardfor server green vaultwarden:80 check backend minio_console mode http option forwardfor server green minio:9001 check backend minio mode http http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space option forwardfor server green minio:9000 check backend forgejo mode http option forwardfor server green forgejo:3000 check backend matrix mode http option forwardfor server matrix synapse:8008 backend grafana mode http server grafana grafana:3000 backend peertube mode http option forwardfor http-response set-header Onion-Location http://vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion%[capture.req.uri] server s1 peertube:9000 backend authentik mode http option forwardfor server s1 authentik-1:9000 check server s2 authentik-2:9000 check backend authentik_ldap mode tcp server s1 authentik-ldap-1:3389 check server s2 authentik-ldap-2:3389 check backend nextcloud mode http option forwardfor server s1 nextcloud-1:80 check backend mta_sts mode http server s1 mta-sts-1:8080 check backend jellyfin mode http server s1 jellyfin:8096 check