global log /dev/stderr local0 log /dev/stderr local1 notice user haproxy group haproxy # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /usr/local/etc/haproxy/errors/400.http errorfile 403 /usr/local/etc/haproxy/errors/403.http errorfile 408 /usr/local/etc/haproxy/errors/408.http errorfile 500 /usr/local/etc/haproxy/errors/500.http errorfile 502 /usr/local/etc/haproxy/errors/502.http errorfile 503 /usr/local/etc/haproxy/errors/503.http errorfile 504 /usr/local/etc/haproxy/errors/504.http frontend www mode http bind :80 bind :443 ssl crt /usr/local/etc/haproxy/certs acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion http-request redirect scheme https unless { ssl_fc } || host_mastodon_tor http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } acl host_mastodon hdr(host) -i m.comfycamp.space acl path_streaming_api path_beg /api/v1/streaming use_backend mastodon_streaming if host_mastodon path_streaming_api use_backend mastodon_streaming if host_mastodon_tor path_streaming_api use_backend mastodon if host_mastodon || host_mastodon_tor acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443 acl path_matrix path_beg /_matrix acl path_matrix path_beg /_synapse/client use_backend matrix if host_matrix path_matrix acl host_s3 hdr(host) -i s3.comfycamp.space use_backend minio if host_s3 acl host_peertube hdr(host) -i v.comfycamp.space use_backend peertube if host_peertube acl host_authentik hdr(host) -i auth.comfycamp.space use_backend authentik if host_authentik acl host_comfycamp hdr(host) -i comfycamp.space use_backend comfycamp if host_comfycamp acl host_vaultwarden hdr(host) -i vault.comfycamp.space use_backend vaultwarden if host_vaultwarden acl host_minio hdr(host) -i minio.comfycamp.space use_backend minio_console if host_minio acl host_git hdr(host) -i git.comfycamp.space use_backend forgejo if host_git acl host_grafana hdr(host) -i grafana.comfycamp.space use_backend grafana if host_grafana frontend matrix-federation bind *:8448 ssl crt /usr/local/etc/haproxy/certs http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } default_backend matrix frontend authentik_ldap mode tcp bind *:389 default_backend authentik_ldap backend comfycamp mode http server green comfycamp:4000 check backend mastodon mode http option forwardfor http-response set-header Referrer-Policy same-origin http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri] server s1 mastodon-web-1:3000 check server s2 mastodon-web-2:3000 check backend mastodon_streaming mode http option forwardfor option http-server-close timeout tunnel 1h server green mastodon-streaming:4000 check backend vaultwarden mode http option forwardfor server green vaultwarden:80 check backend minio_console mode http option forwardfor server green minio:9001 check backend minio mode http http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space option forwardfor server green minio:9000 check backend forgejo mode http option forwardfor server green forgejo:3000 check backend matrix mode http option forwardfor server matrix synapse:8008 backend grafana mode http server grafana grafana:3000 backend peertube mode http option forwardfor server s1 peertube:9000 backend authentik mode http option forwardfor server s1 authentik-1:9000 check server s2 authentik-2:9000 check backend authentik_ldap mode tcp server s1 authentik-ldap-1:3389 check server s2 authentik-ldap-2:3389 check