global
   # all file names are relative to the directory containing this config
   # file by default
   default-path config

   # refuse to start if any warning is emitted at boot (keep configs clean)
   zero-warning

   # Security hardening: isolate and drop privileges
   chroot /var/empty
   user haproxy
   group haproxy

   # daemonize
   daemon
   pidfile /var/run/haproxy-svc1.pid

   # do not keep old processes longer than that after a reload
   hard-stop-after 5m

   # The command-line-interface (CLI) used by the admin, by provisionning
   # tools, and to transfer sockets during reloads
   stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
   stats timeout 1h

   # send logs to stderr for logging via the service manager
   log stderr local0 info

   # intermediate security for SSL, from https://ssl-config.mozilla.org/
   ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
   ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# default settings common to all HTTP proxies below
defaults http
  mode http
  option httplog
  log global
  timeout client 1m
  timeout server 1m
  timeout connect 10s
  timeout http-keep-alive 2m
  timeout queue 15s
  timeout tunnel 4h  # for websocket

defaults tcp
  mode tcp
  option tcplog
  timeout client 1h
  timeout server 1h
  timeout connect 10s
  log global

# provide a stats page on port 8181
frontend stats from http
  bind localhost:8181
  # provide advanced stats (ssl, h2, ...)
  stats uri /
  stats show-modules
  stats admin if { src 127.0.0.0/8 }

frontend http from http
  bind :80
  option socket-stats  # provide per-bind line stats

  acl is_certbot path_beg -i /.well-known/acme-challenge
  http-request redirect scheme https code 301 if !is_certbot

  # silently ignore connect probes and pre-connect without request
  option http-ignore-probes

  # pass client's IP address to the server and prevent against attempts
  # to inject bad contents
  http-request del-header x-forwarded-for
  option forwardfor

  default_backend certbot

{% if certificates is defined and certificates|length > 0 %}
frontend https from http
  bind :443 name secure ssl {%- for cert in certificates %} crt /usr/local/etc/haproxy/certs/{{ cert }}.pem {%- endfor %} alpn h2,http/1.1

  # set HSTS for one year after all responses
  http-after-response set-header Strict-Transport-Security "max-age=31536000"
  http-request redirect scheme https code 301 if !{ ssl_fc }

  option http-ignore-probes

  # pass client's IP address to the server and prevent against attempts
  # to inject bad contents
  http-request del-header x-forwarded-for
  option forwardfor

  # enable HTTP compression of text contents
  compression algo deflate gzip
  compression type text/ application/javascript application/xhtml+xml image/x-icon

  use_backend %[req.hdr(Host),lower]
  default_backend datagubbe
{% endif %}

{% for jailname, jail in jails.items() %}
   {{- jail.haproxy_conf | default('') }}
{% endfor %}

backend certbot from http
  server srv localhost:7878