### Autogenerated by load-balancing_reverse-proxy.py ###

global
    log /dev/log local0
    log /dev/log local1 notice
    # Confine the process to this directory after start-up.
    chroot /var/lib/haproxy
    # Runtime API socket. "level admin" exposes the full command set (including
    # changing server state), so access is gated only by the socket's mode 660;
    # no owner/group is given on this line, presumably the process user/group
    # below applies — verify on the deployed system.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # Run as an unprivileged user/group.
    user haproxy
    group haproxy
    daemon

{# Everything below, including the TLS defaults, is rendered only when
   global_parameters is defined; without it HAProxy's built-in defaults apply. #}
{% if global_parameters is vyos_defined %}
{%     if global_parameters.max_connections is vyos_defined %}
{# Process-wide cap on concurrent connections; unset means HAProxy's default. #}
    maxconn {{ global_parameters.max_connections }}
{%     endif %}

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

{%     if global_parameters.ssl_bind_ciphers is vyos_defined %}
    # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6
    # TLS <= 1.2 cipher list, rendered only when configured: the configured
    # names are joined with ':' and upper-cased.
    ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }}
{%     endif %}
    # TLS 1.3 ciphersuites; fixed, not configurable from global_parameters.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
{%     if global_parameters.tls_version_min is vyos_defined('1.3') %}
    # tls_version_min 1.3: only TLS 1.3 is accepted. NOTE(review): this branch
    # does not carry no-tls-tickets, unlike the 1.2 branch — confirm intended.
    ssl-default-bind-options force-tlsv13
{%     else %}
    # Any other or unset tls_version_min: floor at TLS 1.2, session tickets off.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
{%     endif %}
{% endif %}

{# Settings inherited by every frontend and backend unless a section below
   overrides them (per-section mode and timeouts are rendered further down). #}
defaults
    log     global
    # HTTP mode by default; sections set "mode tcp" explicitly when needed.
    mode    http
    # Do not log connections that carried no data.
    option  dontlognull
    # Bound how long a backend connect attempt and idle client/server sides may
    # hold resources.
    timeout connect 10s
    timeout client  50s
    timeout server  50s
    # Custom error pages served for these status codes.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend
{# One frontend per configured service: bind addresses and TLS material, the
   optional HTTP->HTTPS redirect, host/SNI and path ACLs and the default
   backend are all derived from front_config. #}
{% if service is vyos_defined %}
{%     for front, front_config in service.items() %}
frontend {{ front }}
{# Collect one 'crt <path>' argument per configured certificate; the frontend
   terminates TLS only when this list ends up non-empty (see ssl_directive). #}
{%         set ssl_front = [] %}
{%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
{%             for cert in front_config.ssl.certificate %}
{%                 set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
{%             endfor %}
{%         endif %}
{%         set ssl_directive = 'ssl' if ssl_front else '' %}
{%         if front_config.listen_address is vyos_defined %}
{%             for address in front_config.listen_address %}
    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
{%             endfor %}
{%         else %}
{# No listen_address: the port is exposed on every IPv4 and IPv6 address of
   the host. #}
    bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
{%         endif %}
{%         if front_config.redirect_http_to_https is vyos_defined %}
    # Requests that did not arrive over TLS are redirected to the https scheme.
    http-request redirect scheme https unless { ssl_fc }
{%         endif %}
{%         if front_config.mode is vyos_defined %}
    mode {{ front_config.mode }}
{%         endif %}
{%         if front_config.rule is vyos_defined %}
{%             for rule, rule_config in front_config.rule.items() %}
    # rule {{ rule }}
{# Host-based routing: one ACL line per domain, compared case-insensitively as
   an exact string against the Host header or, when rule_config.ssl is set,
   against the selected SNI fetch. req_ssl_sni reads the raw ClientHello and
   in HAProxy is only reliable together with a tcp-request inspect-delay /
   content rule, which this template does not render — NOTE(review): confirm
   for TCP-mode frontends. #}
{%                 if rule_config.domain_name is vyos_defined and rule_config.set.backend is vyos_defined %}
{%                     set rule_options = 'hdr(host)' %}
{%                     if rule_config.ssl is vyos_defined %}
{%                         set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
{%                         set rule_options = ssl_rule_translate[rule_config.ssl] %}
{%                     endif %}
{%                     for domain in rule_config.domain_name %}
    acl {{ rule }} {{ rule_options }} -i {{ domain }}
{%                     endfor %}
    use_backend {{ rule_config.set.backend }} if {{ rule }}
{%                 endif %}
{# path url #}
{# Path-based redirect. These ACL lines reuse the rule's name, and HAProxy ORs
   ACL lines that share a name, so a rule carrying both domain_name and
   url_path combines host and path conditions with OR for the use_backend
   above and the redirect below — presumably intended; verify. #}
{%                 if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
{%                     set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
{%                     for path, path_config in rule_config.url_path.items() %}
{%                         for url in path_config %}
    acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
{%                         endfor %}
{%                     endfor %}
    # Permanent (301) redirect to the configured location.
    http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
{%                 endif %}
{# endpath #}
{%             endfor %}
{%         endif %}
{%         if front_config.backend is vyos_defined %}
{# One default_backend line per configured backend; with several entries the
   last rendered line presumably takes effect — verify. #}
{%             for backend in front_config.backend %}
    default_backend {{ backend }}
{%             endfor %}
{%         endif %}

{%     endfor %}
{% endif %}

# Backend
{# One backend per configured pool: balancing algorithm, forwarding headers,
   host/SNI and path rules, the server list and timeout overrides. #}
{% if backend is vyos_defined %}
{%     for back, back_config in backend.items() %}
backend {{ back }}
{%         if back_config.balance is vyos_defined %}
{# CLI balance names mapped to HAProxy keywords. #}
{%             set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
    balance {{ balance_translate[back_config.balance] }}
{%         endif %}
{# Forwarding headers only make sense in HTTP mode: rendered unless mode is
   explicitly tcp (an unset mode inherits "mode http" from defaults). #}
{%         if back_config.mode is not vyos_defined('tcp') %}
    # Adds the client address as an X-Forwarded-For entry without removing any
    # value the client itself sent; a backend must only trust the entry added
    # here, not the first one.
    option forwardfor
    # set-header replaces any client-supplied X-Forwarded-Port.
    http-request set-header X-Forwarded-Port %[dst_port]
    # add-header appends rather than replaces, and nothing is emitted for
    # plain-HTTP requests, so a client-supplied X-Forwarded-Proto reaches the
    # backend unchanged. NOTE(review): set-header with an explicit http/https
    # value would be the hardened form — confirm no upstream proxy relies on
    # pass-through before changing it.
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
{%         endif %}
{%         if back_config.mode is vyos_defined %}
    mode {{ back_config.mode }}
{%         endif %}
{%         if back_config.rule is vyos_defined %}
{%             for rule, rule_config in back_config.rule.items() %}
{# Same host/SNI matching as in the frontend, but selecting a server with
   use-server instead of a backend. #}
{%                 if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %}
{%                     set rule_options = 'hdr(host)' %}
{%                     if rule_config.ssl is vyos_defined %}
{%                         set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
{%                         set rule_options = ssl_rule_translate[rule_config.ssl] %}
{%                     endif %}
{%                     for domain in rule_config.domain_name %}
    acl {{ rule }} {{ rule_options }} -i {{ domain }}
{%                     endfor %}
    use-server {{ rule_config.set.server }} if {{ rule }}
{%                 endif %}
{# path url #}
{# Path ACLs reuse the rule's name; HAProxy ORs same-named ACL lines, so host
   and path conditions are combined with OR when a rule has both. #}
{%                 if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
{%                     set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
{%                     for path, path_config in rule_config.url_path.items() %}
{%                         for url in path_config %}
    acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
{%                         endfor %}
{%                     endfor %}
    http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
{%                 endif %}
{# endpath #}
{%             endfor %}
{%         endif %}
{%         if back_config.server is vyos_defined %}
{# With a CA certificate configured, connections to every server use TLS and
   the server chain is checked against that CA (under HAProxy's default
   ssl-server-verify); no sni/verifyhost is rendered, so the certificate's
   name is presumably not checked — NOTE(review): confirm. Without a CA the
   server connections are plaintext. #}
{%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
{# Flags: check = health checks, backup = used only when no non-backup server
   is up, send-proxy / send-proxy-v2 = PROXY protocol v1/v2 to the server.
   NOTE(review): the address is not passed through bracketize_ipv6 here,
   unlike the frontend bind line — confirm IPv6 server addresses parse. #}
{%             for server, server_config in back_config.server.items() %}
    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
{%             endfor %}
{%         endif %}
{# Per-backend overrides of the defaults timeouts; configured values are in
   seconds. #}
{%         if back_config.timeout.check is vyos_defined %}
    timeout check {{ back_config.timeout.check }}s
{%         endif %}
{%         if back_config.timeout.connect is vyos_defined %}
    timeout connect {{ back_config.timeout.connect }}s
{%         endif %}
{%         if back_config.timeout.server is vyos_defined %}
    timeout server {{ back_config.timeout.server }}s
{%         endif %}

{%     endfor %}
{% endif %}