global
  log 127.0.0.1:20514 local1
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  ca-base /etc/haproxy/certs
  crt-base /etc/haproxy/private
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  pidfile /run/haproxy.pid

defaults
  log global
  log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
  mode http
  option dontlognull
  timeout connect 5s
  timeout client 20s
  timeout server 15s
  timeout check 1s
  timeout http-keep-alive 1s
  timeout http-request 10s  # slowloris protection
  default-server inter 3s fall 2 rise 2 slowstart 60s
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http
  option forwardfor
  option http-server-close
  retries 3
  default_backend {{proxy_default_backend}}

listen stats
  bind 127.0.0.1:7000
  mode http
  stats enable
  stats admin if TRUE
  stats uri /haproxy_stats
  stats realm LoadBalancerStats
{% if kibana_users is defined %}

userlist kibana
{% for user in kibana_users %}
  user {{ user.username }} insecure-password '{{ user.password }}'
{% endfor %}
{% endif %}

frontend http_in
  bind *:80
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
{% if kibana_users is defined %}
  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
  use_backend backend_redirect_ssl if kibana_present
{% endif %}
{% if varnish_host|default(false) %}
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
  use_backend backend_varnish if static_content
{% endif %}
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
  redirect prefix http://{{redirect.to}} if { hdr_dom(host) -i {{redirect.from}} }
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}
  acl domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.list
  use_backend backend_{{host}} if domain_in_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.crm.list
  use_backend backend_{{host}} if crm_domain_in_{{host}}
{% endif %}
  acl redirect_ssl_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %}
{% for cert in proxy_certificates %}

frontend https_in_{{ cert.ip }}
  bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
{% if kibana_users is defined %}
  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
  use_backend backend_kibana if kibana_present
{% endif %}
{% if varnish_host|default(false) %}
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
  use_backend backend_varnish if static_content
{% endif %}
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
  redirect prefix https://{{redirect.to}} if { hdr_dom(host) -i {{redirect.from}} }
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}
  acl ssl_domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_{{host}} if ssl_domain_in_{{host}}
  acl redirect_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.list
  use_backend backend_redirect if redirect_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_redirect_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.list
  use_backend backend_redirect if crm_redirect_{{host}}
{% endif %}
{% endfor %}
{% endfor %}
{% for host in groups['all'] %}

backend backend_{{host}}
{% if host == inventory_hostname %}
  http-response deny
{% else %}
  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
{% endif %}
{% endfor %}
{% if varnish_host|default(false) %}

backend backend_varnish
  option httpchk HEAD /varnishcheck
  http-check expect status 200
  option forwardfor
  hash-type consistent
{% if varnish_host == inventory_hostname %}
  server varnish 127.0.0.1:6081 maxconn 1000
{% else %}
  server varnish {{ varnish_host_ip|default('') }}:6081 maxconn 1000
{% endif %}
{% endif %}

backend backend_redirect_ssl
  redirect scheme https if TRUE

backend backend_redirect
  redirect scheme http if TRUE
{% if kibana_users is defined %}

backend backend_kibana
  server kibana 127.0.0.1:5601 maxconn 32
  acl kibana_auth http_auth(kibana) if kibana_present
  http-request auth realm Kibana if !kibana_auth
{% endif %}