<?xml version="1.0"?>
<interfaceDefinition>
  <node name="load-balancing">
    <children>
      <node name="reverse-proxy" owner="${vyos_conf_scripts_dir}/load-balancing_reverse-proxy.py">
        <properties>
          <help>Configure reverse-proxy</help>
          <priority>900</priority>
        </properties>
        <children>
          <tagNode name="service">
            <properties>
              <help>Frontend service name</help>
              <constraint>
                #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
              </constraint>
              <constraintErrorMessage>Server name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
            </properties>
            <children>
              <leafNode name="backend">
                <properties>
                  <help>Backend member</help>
                  <constraint>
                    #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
                  </constraint>
                  <constraintErrorMessage>Backend name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
                  <valueHelp>
                    <format>txt</format>
                    <description>Name of reverse-proxy backend system</description>
                  </valueHelp>
                  <completionHelp>
                    <path>load-balancing reverse-proxy backend</path>
                  </completionHelp>
                  <multi/>
                </properties>
              </leafNode>
              #include <include/generic-description.xml.i>
              #include <include/listen-address.xml.i>
              #include <include/haproxy/logging.xml.i>
              #include <include/haproxy/mode.xml.i>
              #include <include/port-number.xml.i>
              #include <include/haproxy/rule-frontend.xml.i>
              #include <include/haproxy/tcp-request.xml.i>
              #include <include/haproxy/http-response-headers.xml.i>
              <leafNode name="redirect-http-to-https">
                <properties>
                  <help>Redirect HTTP to HTTPS</help>
                  <valueless/>
                </properties>
              </leafNode>
              <node name="ssl">
                <properties>
                  <help>SSL Certificate, SSL Key and CA</help>
                </properties>
                <children>
                  #include <include/pki/certificate-multi.xml.i>
                </children>
              </node>
            </children>
          </tagNode>
          <tagNode name="backend">
            <properties>
              <help>Backend server name</help>
              <constraint>
                #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
              </constraint>
              <constraintErrorMessage>Backend name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
            </properties>
            <children>
              <leafNode name="balance">
                <properties>
                  <help>Load-balancing algorithm</help>
                  <completionHelp>
                    <list>source-address round-robin least-connection</list>
                  </completionHelp>
                  <valueHelp>
                    <format>source-address</format>
                    <description>Based on hash of source IP address</description>
                  </valueHelp>
                  <valueHelp>
                    <format>round-robin</format>
                    <description>Round robin</description>
                  </valueHelp>
                  <valueHelp>
                    <format>least-connection</format>
                    <description>Least connection</description>
                  </valueHelp>
                  <constraint>
                    <regex>(source-address|round-robin|least-connection)</regex>
                  </constraint>
                </properties>
                <defaultValue>round-robin</defaultValue>
              </leafNode>
              #include <include/generic-description.xml.i>
              #include <include/haproxy/logging.xml.i>
              #include <include/haproxy/mode.xml.i>
              #include <include/haproxy/http-response-headers.xml.i>
              <node name="http-check">
                <properties>
                  <help>HTTP check configuration</help>
                </properties>
                <children>
                  <leafNode name="method">
                    <properties>
                      <help>HTTP method used for health check</help>
                      <completionHelp>
                        <list>options head get post put</list>
                      </completionHelp>
                      <valueHelp>
                        <format>options|head|get|post|put</format>
                        <description>HTTP method used for health checking</description>
                      </valueHelp>
                      <constraint>
                        <regex>(options|head|get|post|put)</regex>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="uri">
                    <properties>
                      <help>URI used for HTTP health check (Example: '/' or '/health')</help>
                      <constraint>
                        <regex>^\/([^?#\s]*)(\?[^#\s]*)?$</regex>
                      </constraint>
                    </properties>
                  </leafNode>
                  <node name="expect">
                    <properties>
                      <help>Expected response for the health check to pass</help>
                    </properties>
                    <children>
                      <leafNode name="status">
                        <properties>
                          <help>Expected response status code for the health check to pass</help>
                          <valueHelp>
                            <format>u32:200-399</format>
                            <description>Expected response code</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 200-399"/>
                          </constraint>
                          <constraintErrorMessage>Status code must be in range 200-399</constraintErrorMessage>
                        </properties>
                      </leafNode>
                      <leafNode name="string">
                        <properties>
                          <help>Expected to be in response body for the health check to pass</help>
                          <valueHelp>
                            <format>txt</format>
                            <description>A string expected to be in the response</description>
                          </valueHelp>
                        </properties>
                      </leafNode>
                    </children>
                  </node>
                </children>
              </node>
              <leafNode name="health-check">
                <properties>
                  <help>Non HTTP health check options</help>
                  <completionHelp>
                    <list>ldap mysql pgsql redis smtp</list>
                  </completionHelp>
                  <valueHelp>
                    <format>ldap</format>
                    <description>LDAP protocol check</description>
                  </valueHelp>
                  <valueHelp>
                    <format>mysql</format>
                    <description>MySQL protocol check</description>
                  </valueHelp>
                  <valueHelp>
                    <format>pgsql</format>
                    <description>PostgreSQL protocol check</description>
                  </valueHelp>
                  <valueHelp>
                    <format>redis</format>
                    <description>Redis protocol check</description>
                  </valueHelp>
                  <valueHelp>
                    <format>smtp</format>
                    <description>SMTP protocol check</description>
                  </valueHelp>
                  <constraint>
                    <regex>(ldap|mysql|redis|pgsql|smtp)</regex>
                  </constraint>
                </properties>
              </leafNode>
              #include <include/haproxy/rule-backend.xml.i>
              <tagNode name="server">
                <properties>
                  <help>Backend server name</help>
                </properties>
                <children>
                  <leafNode name="address">
                    <properties>
                      <help>Backend server address</help>
                      <valueHelp>
                        <format>ipv4</format>
                        <description>IPv4 unicast peer address</description>
                      </valueHelp>
                      <valueHelp>
                        <format>ipv6</format>
                        <description>IPv6 unicast peer address</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ip-address"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="backup">
                    <properties>
                      <help>Use backup server if other servers are not available</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <leafNode name="check">
                    <properties>
                      <help>Active health check backend server</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  #include <include/port-number.xml.i>
                  <leafNode name="send-proxy">
                    <properties>
                      <help>Send a Proxy Protocol version 1 header (text format)</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                  <leafNode name="send-proxy-v2">
                    <properties>
                      <help>Send a Proxy Protocol version 2 header (binary format)</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </tagNode>
              <node name="ssl">
                <properties>
                  <help>SSL Certificate, SSL Key and CA</help>
                </properties>
                <children>
                  #include <include/pki/ca-certificate.xml.i>
                  <leafNode name="no-verify">
                    <properties>
                      <help>Do not attempt to verify SSL certificates for backend servers</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </node>
              #include <include/haproxy/timeout.xml.i>
            </children>
          </tagNode>
          <node name="global-parameters">
            <properties>
              <help>Global perfomance parameters and limits</help>
            </properties>
            <children>
              #include <include/haproxy/logging.xml.i>
              <leafNode name="max-connections">
                <properties>
                  <help>Maximum allowed connections</help>
                  <valueHelp>
                    <format>u32:1-2000000</format>
                    <description>Maximum allowed connections</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-2000000"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="ssl-bind-ciphers">
                <properties>
                  <help>Cipher algorithms ("cipher suite") used during SSL/TLS handshake for all frontend servers</help>
                  <completionHelp>
                    <list>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</list>
                  </completionHelp>
                  <valueHelp>
                    <format>ecdhe-ecdsa-aes128-gcm-sha256</format>
                    <description>ecdhe-ecdsa-aes128-gcm-sha256</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ecdhe-rsa-aes128-gcm-sha256</format>
                    <description>ecdhe-rsa-aes128-gcm-sha256</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ecdhe-ecdsa-aes256-gcm-sha384</format>
                    <description>ecdhe-ecdsa-aes256-gcm-sha384</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ecdhe-rsa-aes256-gcm-sha384</format>
                    <description>ecdhe-rsa-aes256-gcm-sha384</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ecdhe-ecdsa-chacha20-poly1305</format>
                    <description>ecdhe-ecdsa-chacha20-poly1305</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ecdhe-rsa-chacha20-poly1305</format>
                    <description>ecdhe-rsa-chacha20-poly1305</description>
                  </valueHelp>
                  <valueHelp>
                    <format>dhe-rsa-aes128-gcm-sha256</format>
                    <description>dhe-rsa-aes128-gcm-sha256</description>
                  </valueHelp>
                  <valueHelp>
                    <format>dhe-rsa-aes256-gcm-sha384</format>
                    <description>dhe-rsa-aes256-gcm-sha384</description>
                  </valueHelp>
                  <constraint>
                    <regex>(ecdhe-ecdsa-aes128-gcm-sha256|ecdhe-rsa-aes128-gcm-sha256|ecdhe-ecdsa-aes256-gcm-sha384|ecdhe-rsa-aes256-gcm-sha384|ecdhe-ecdsa-chacha20-poly1305|ecdhe-rsa-chacha20-poly1305|dhe-rsa-aes128-gcm-sha256|dhe-rsa-aes256-gcm-sha384)</regex>
                  </constraint>
                  <multi/>
                </properties>
                <defaultValue>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</defaultValue>
              </leafNode>
              <leafNode name="tls-version-min">
                <properties>
                  <help>Specify the minimum required TLS version</help>
                  <completionHelp>
                    <list>1.2 1.3</list>
                  </completionHelp>
                  <valueHelp>
                    <format>1.2</format>
                    <description>TLS v1.2</description>
                  </valueHelp>
                  <valueHelp>
                    <format>1.3</format>
                    <description>TLS v1.3</description>
                  </valueHelp>
                  <constraint>
                    <regex>(1.2|1.3)</regex>
                  </constraint>
                </properties>
                <defaultValue>1.3</defaultValue>
              </leafNode>
            </children>
          </node>
          #include <include/interface/vrf.xml.i>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>