global log /dev/stderr local0 warning user haproxy group haproxy # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global mode http option forwardfor option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /usr/local/etc/haproxy/errors/400.http errorfile 403 /usr/local/etc/haproxy/errors/403.http errorfile 408 /usr/local/etc/haproxy/errors/408.http errorfile 500 /usr/local/etc/haproxy/errors/500.http errorfile 502 /usr/local/etc/haproxy/errors/502.http errorfile 503 /usr/local/etc/haproxy/errors/503.http errorfile 504 /usr/local/etc/haproxy/errors/504.http default-server init-addr last,libc,none frontend http mode http bind :80 acl has_domain hdr_sub(host) -i comfycamp.space http-request redirect scheme https if !{ ssl_fc } has_domain http-request set-header X-Forwarded-Proto http acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion acl path_streaming_api path_beg /api/v1/streaming use_backend mastodon_streaming if host_mastodon_tor path_streaming_api use_backend mastodon if host_mastodon_tor acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion use_backend peertube if host_peertube_tor acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion use_backend comfycamp if host_comfycamp_tor frontend https mode http bind :443 ssl crt /usr/local/etc/haproxy/certs http-request set-header X-Forwarded-Proto https http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" acl host_mastodon hdr(host) -i m.comfycamp.space acl path_streaming_api path_beg /api/v1/streaming use_backend mastodon_streaming if host_mastodon path_streaming_api use_backend mastodon if host_mastodon acl host_xmpp hdr(host) -i xmpp.comfycamp.space acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space use_backend prosody if host_xmpp || host_xmpp_uploads acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443 acl path_matrix path_beg /_matrix acl path_matrix path_beg /_synapse/client use_backend matrix if host_matrix path_matrix acl host_s3 hdr(host) -i s3.comfycamp.space use_backend minio if host_s3 acl host_peertube hdr(host) -i v.comfycamp.space use_backend peertube if host_peertube acl host_authentik hdr(host) -i auth.comfycamp.space use_backend authentik if host_authentik acl host_nextcloud hdr(host) -i nc.comfycamp.space acl url_discovery path /.well-known/caldav /.well-known/carddav http-request redirect location /remote.php/dav/ code 301 if host_nextcloud url_discovery acl path_well_known path_beg /.well-known http-request redirect location /index.php%[capture.req.uri] if host_nextcloud path_well_known use_backend nextcloud if host_nextcloud acl host_immich hdr(host) -i i.comfycamp.space use_backend immich if host_immich acl host_comfycamp hdr(host) -i comfycamp.space use_backend comfycamp if host_comfycamp acl host_vaultwarden hdr(host) -i vault.comfycamp.space use_backend vaultwarden if host_vaultwarden acl host_minio hdr(host) -i minio.comfycamp.space use_backend minio_console if host_minio acl host_git hdr(host) -i git.comfycamp.space use_backend forgejo if host_git acl host_uptime hdr(host) -i uptime.comfycamp.space use_backend uptime_kuma if host_uptime acl host_jellyfin hdr(host) -i jf.comfycamp.space use_backend jellyfin if host_jellyfin acl host_freshrss hdr(host) -i rss.comfycamp.space use_backend freshrss if host_freshrss acl host_ai hdr(host) -i ai.comfycamp.space use_backend openwebui if host_ai acl host_grafana hdr(host) -i grafana.comfycamp.space use_backend grafana if host_grafana acl host_phoenix hdr(host) -i ph.comfycamp.space use_backend phoenix if host_phoenix acl host_archivebox hdr(host) -i archive.comfycamp.space use_backend archivebox if host_archivebox acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space use_backend mta_sts if host_mta_sts frontend matrix-federation bind :8448 ssl crt /usr/local/etc/haproxy/certs http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } default_backend matrix frontend authentik_ldap mode tcp bind *:389 default_backend authentik_ldap backend comfycamp mode http option httpchk GET /health http-check expect status 200 http-response set-header Onion-Location http://comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion%[capture.req.uri] server s1 comfycamp:4000 check inter 15s backend mastodon mode http option httpchk GET /health http-check expect status 200 http-response set-header Referrer-Policy same-origin http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri] server s1 mastodon-web-1:3000 check inter 10s server s2 mastodon-web-2:3000 check inter 10s backend mastodon_streaming mode http option httpchk GET /api/v1/streaming/health http-check expect status 200 option http-server-close timeout tunnel 1h server green mastodon-streaming:4000 check inter 10s backend vaultwarden mode http server green vaultwarden:80 check backend minio_console mode http server green minio:9001 check backend minio mode http http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space server green minio:9000 check backend forgejo mode http server green forgejo:3000 check backend matrix mode http server matrix synapse:8008 check backend grafana mode http server grafana grafana:3000 check backend peertube mode http option httpchk GET /.well-known/nodeinfo http-response set-header Onion-Location http://vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion%[capture.req.uri] server s1 peertube:9000 check inter 15s backend authentik mode http option httpchk GET /-/health/live/ http-check expect status 200 server s1 authentik-1:9000 check inter 10s server s2 authentik-2:9000 check inter 10s backend authentik_ldap mode tcp option httpchk http-check connect port 9300 http-check send meth GET uri /outpost.goauthentik.io/ping http-check expect status 204 server s1 authentik-ldap-1:3389 check inter 10s server s2 authentik-ldap-2:3389 check inter 10s backend nextcloud mode http option httpchk http-check send meth GET uri /status.php hdr Host nc.comfycamp.space http-check expect status 200 cookie SERVER insert indirect nocache server s1 nextcloud-1:80 check inter 15s cookie s1 server s2 nextcloud-2:80 check inter 15s cookie s2 backend mta_sts mode http server s1 mta-sts-1:8080 check backend jellyfin mode http server s1 jellyfin:8096 check backend prosody mode http option http-server-close timeout tunnel 1h server s1 prosody:5280 check backend immich mode http option http-server-close timeout tunnel 1h server s1 immich-1:2283 check backend archivebox server s1 archivebox-1:8000 check backend freshrss server s1 freshrss-1:80 check backend phoenix server s1 phoenix-1:8080 check backend uptime_kuma server s1 uptime-kuma-1:3001 check backend openwebui server s1 open-webui-1:8080