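# HAProxy configuration: TLS-terminating reverse proxy in front of two local
# web workers (127.0.0.1:81/82), with an IP-allowlisted stats page, a disabled
# Let's Encrypt passthrough and a switchable maintenance backend.
#
# Fix applied here: the defaults section had no `timeout http-request`, so a
# client could hold a connection open with a partial request for the full
# `timeout client` (200s). A request-header timeout bounds that window.

global
    log /dev/log local5
    log /dev/log local5 notice
    # Run chrooted and unprivileged; the admin socket is group-restricted (mode 660).
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 10000

    # intermediate configuration https://ssl-config.mozilla.org/
    # Client-facing (bind) and backend-facing (server) TLS use the same cipher
    # list; TLS 1.0/1.1 and SSLv3 are disabled, session tickets are off.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # DHE ciphers above need a DH parameter file; must exist at this path.
    ssl-dh-param-file /etc/ssl/dhparam-haproxy

defaults
    log global
    mode http
    option httplog
    # Do not log connections that carried no data (health probes, scanners).
    option dontlognull
    timeout connect 1m
    timeout client 200s
    timeout server 200s
    # Added: cap the time a client may take to send the complete request
    # headers, independently of the long idle `timeout client` above.
    timeout http-request 10s
    # Per-proxy limit kept below the global maxconn (10000) to leave headroom.
    maxconn 9800
    # Drop the queued request if the client disconnects before it is served.
    option abortonclose
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Stats page over TLS on :8088. Read access is limited to sources listed in
# /etc/haproxy/stats_access_ips; admin actions (enable/disable servers) are
# further limited to /etc/haproxy/stats_admin_ips. Both files must exist.
listen stats
    bind *:8088 ssl crt /etc/ssl/haproxy
    stats enable
    stats uri /
    stats show-legends
    stats show-node
    acl stats_access_ips src -f /etc/haproxy/stats_access_ips
    http-request deny if !stats_access_ips
    acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
    stats admin if stats_admin_ips

# Public entry point: plain HTTP on :80 and TLS (HTTP/2 or HTTP/1.1) on :443.
# NOTE(review): :80 is proxied to the same backend with no redirect to https;
# confirm that serving plaintext is intended.
frontend https
    bind *:80
    bind *:443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
    # Appends an X-Forwarded-For header; client-supplied X-Forwarded-For
    # headers are not removed, so backends should only trust the last hop.
    option forwardfor
    # capture the requested Host header for the logs
    capture request header Host len 32
    # set-header replaces any client-supplied value, so the backend sees the
    # scheme actually used on this hop rather than a spoofed one.
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # ACME HTTP-01 passthrough, currently disabled.
    # acl letsencrypt path_dir -i /.well-known/acme-challenge
    # use_backend letsencrypt if letsencrypt

    # Maintenance mode (### -> uncomment to enable). When active, every source
    # not listed in /etc/haproxy/maintenance_ips is sent to the maintenance
    # backend; listed sources keep reaching the real application.
    acl maintenance_ips src -f /etc/haproxy/maintenance_ips
    ### use_backend maintenance unless maintenance_ips

    default_backend web

backend web
    balance roundrobin
    #option httpchk HEAD /health-check
    # TCP checks only (httpchk above is disabled); observe layer7 additionally
    # marks a server down on repeated HTTP-level failures seen in live traffic.
    server local81 127.0.0.1:81 check observe layer7
    server local82 127.0.0.1:82 check observe layer7

# Target for ACME challenges (unused while the use_backend above is commented).
# No port is given, so HAProxy uses the port the client connected to; no health
# check is configured for this server.
backend letsencrypt
    server adm 192.168.3.2

# No servers: every request gets the custom 503 page. Logging is silenced so a
# maintenance window does not flood the logs.
backend maintenance
    http-request set-log-level silent
    errorfile 503 /etc/haproxy/errors/503.http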