global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend www
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    acl acl_mastodon hdr(host) -i m.comfycamp.space
    acl acl_s3 hdr(host) -i s3.comfycamp.space
    acl acl_comfycamp hdr(host) -i comfycamp.space
    acl acl_vaultwarden hdr(host) -i vault.comfycamp.space
    acl acl_minio hdr(host) -i minio.comfycamp.space

    use_backend mastodon_streaming if acl_mastodon { path_beg /api/v1/streaming }
    use_backend mastodon if acl_mastodon
    use_backend minio if acl_s3
    use_backend minio_console if acl_minio
    use_backend vaultwarden if acl_vaultwarden
    use_backend comfycamp if acl_comfycamp


backend comfycamp
    mode http
    server green 127.0.0.1:8080 check

backend mastodon
    mode http
    option forwardfor
    server green 127.0.0.1:3000 check

backend mastodon_streaming
    mode http
    option forwardfor
    option http-server-close
    timeout tunnel 1h
    server green 127.0.0.1:3001 check

backend vaultwarden
    mode http
    option forwardfor
    server green 127.0.0.1:3002 check

backend minio_console
    mode http
    option forwardfor
    server green 127.0.0.1:3003 check

backend minio
    mode http
    http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
    option forwardfor
    server green 127.0.0.1:9000 check