global
	log /dev/stderr	local0
	log /dev/stderr	local1 notice
	user haproxy
	group haproxy

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /usr/local/etc/haproxy/errors/400.http
	errorfile 403 /usr/local/etc/haproxy/errors/403.http
	errorfile 408 /usr/local/etc/haproxy/errors/408.http
	errorfile 500 /usr/local/etc/haproxy/errors/500.http
	errorfile 502 /usr/local/etc/haproxy/errors/502.http
	errorfile 503 /usr/local/etc/haproxy/errors/503.http
	errorfile 504 /usr/local/etc/haproxy/errors/504.http

frontend www
    mode http
    bind :80
    bind :443 ssl crt /usr/local/etc/haproxy/certs

    acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion

    http-request redirect scheme https unless { ssl_fc } || host_mastodon_tor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    acl host_mastodon hdr(host) -i m.comfycamp.space
    acl path_streaming_api path_beg /api/v1/streaming
    use_backend mastodon_streaming if host_mastodon path_streaming_api
    use_backend mastodon_streaming if host_mastodon_tor path_streaming_api
    use_backend mastodon if host_mastodon || host_mastodon_tor

    acl host_matrix hdr(host) -i matrix.comfycamp.space matrix.comfycamp.space:443
    acl path_matrix path_beg /_matrix
    acl path_matrix path_beg /_synapse/client
    use_backend matrix if host_matrix path_matrix

    acl host_s3 hdr(host) -i s3.comfycamp.space
    use_backend minio if host_s3

    acl host_comfycamp hdr(host) -i comfycamp.space
    use_backend comfycamp if host_comfycamp

    acl host_vaultwarden hdr(host) -i vault.comfycamp.space
    use_backend vaultwarden if host_vaultwarden

    acl host_minio hdr(host) -i minio.comfycamp.space
    use_backend minio_console if host_minio

    acl host_git hdr(host) -i git.comfycamp.space
    use_backend forgejo if host_git

frontend matrix-federation
    bind *:8448 ssl crt /usr/local/etc/haproxy/certs
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    default_backend matrix

backend comfycamp
    mode http
    server green comfycamp:4000 check

backend mastodon
    mode http
    option forwardfor
    http-response set-header Referrer-Policy same-origin
    http-response set-header Onion-Location http://mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion%[capture.req.uri]
    server green mastodon-web:3000 check

backend mastodon_streaming
    mode http
    option forwardfor
    option http-server-close
    timeout tunnel 1h
    server green mastodon-streaming:4000 check

backend vaultwarden
    mode http
    option forwardfor
    server green vaultwarden:80 check

backend minio_console
    mode http
    option forwardfor
    server green minio:9001 check

backend minio
    mode http
    http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
    option forwardfor
    server green minio:9000 check

backend forgejo
    mode http
    option forwardfor
    server green forgejo:3000 check

backend matrix
    mode http
    option forwardfor
    server matrix synapse:8008