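global
  # Process-wide settings: logging, privilege drop, runtime socket, TLS defaults.

  # Syslog to the local daemon. The trailing "warning" is the maximum level
  # that is sent, so only warning and more severe messages leave the proxy.
  # NOTE(review): request logs from "option httplog" are normally emitted at
  # info level and would be filtered out here; confirm this is intended
  # before relying on these logs for detection or forensics.
  log 127.0.0.1:514 local0 warning
  log-send-hostname {{inventory_hostname}}

  # Run detached, confined to a chroot and under an unprivileged account.
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
  pidfile /run/haproxy.pid

  # Runtime socket. "level admin" allows every command, including changing
  # server state, to any process that can open the socket; mode 660 limits
  # that to the socket's owner and group.
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s

  # Base directories for relative CA and certificate paths.
  # NOTE(review): the TLS bind line in this file uses an absolute path under
  # /etc/haproxy/certs, so crt-base does not apply to it.
  ca-base /etc/haproxy/certs
  crt-base /etc/haproxy/private

  # Default cipher list for TLS binds. RC4-SHA was removed: RC4 is prohibited
  # for TLS by RFC 7465. Clients that can only negotiate RC4 will no longer
  # connect. The remaining kRSA+AES suites provide no forward secrecy.
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

  # Process-wide limit on concurrent connections.
  maxconn 256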

defaults
  # Settings inherited by every proxy section that follows.

  # Layer-7 proxying with HTTP-format logs sent to the targets from "global";
  # connections that carry no data are not logged.
  mode http
  log global
  option httplog
  option dontlognull

  # Close the server side after each response; keep-alive stays on the
  # client side.
  option http-server-close
  # Append the client address as X-Forwarded-For. A header already sent by
  # the client is kept, so backends should trust only the last value.
  option forwardfor

  # Timeouts (same values as before, written with unit suffixes).
  timeout connect 5s
  timeout client 2m
  timeout server 2m
  retries 3

  # Per-proxy connection limit. The process-wide maxconn in "global" is
  # lower and is the effective ceiling.
  maxconn 1000

  # Static responses served for proxy-generated errors.
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

  # Backend used when no use_backend rule matches; supplied by the inventory.
  default_backend {{proxy_default_backend}}

listen stats
  # Statistics page, bound to loopback only.
  mode http
  bind 127.0.0.1:7000
  stats enable
  stats uri /haproxy_stats
  stats realm TineonLoadBalancerStats
  # NOTE(review): admin actions are enabled for every request and no
  # "stats auth" line is present, so the realm above is never used and any
  # local process that can reach 127.0.0.1:7000 can change server state.
  # Consider adding credentials or dropping admin mode.
  stats admin if TRUE

frontend http-in
  # Plain-HTTP entry point on every address. Rules are evaluated in order:
  # deny blocked sources, apply inventory-defined redirects, then pick a
  # backend from the Host header.
  bind *:80
  # Source addresses listed in the blacklist file are rejected.
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
  # Redirects come from each host's proxy_redirect inventory variable (empty
  # by default). Both values are written into the config verbatim, so they
  # must come from trusted inventory data only.
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
  redirect prefix http://{{redirect.to}} if { hdr_dom(host) -i {{redirect.from}} }
{% endfor %}
{% endfor %}
  # Per inventory host: domains in <host>.list (and <host>.crm.list when
  # proxy_crm_domains is defined) go to that host's backend; domains in
  # <host>.ssl.list are sent to backend_redirect_ssl. The first matching
  # use_backend wins.
  # NOTE(review): hdr_dom matches dot-delimited parts of the client-supplied
  # Host header, so a listed domain also matches longer names containing it.
  # Use this for routing only, not as an access control decision.
{% for host in groups['all'] %}
  acl domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.list
  use_backend backend_{{host}} if domain_in_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.crm.list
  use_backend backend_{{host}} if crm_domain_in_{{host}}
{% endif %}
  acl redirect_ssl_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_redirect_ssl if redirect_ssl_{{host}}
{% endfor %}

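{% if proxy_certificates %}
# TLS entry point. The section used to be emitted once per certificate, which
# produced several frontends with the same name all binding :443. It is now
# one frontend whose bind line lists every certificate; HAProxy selects the
# certificate by SNI and uses the first one when no name matches. With a
# single certificate the rendered output is unchanged, and with an empty
# list no frontend is rendered, as before.
frontend https-in
  # SSLv3 is disabled on this listener. Ciphers come from
  # ssl-default-bind-ciphers in the global section.
  bind :443 ssl{% for cert in proxy_certificates %} crt /etc/haproxy/certs/{{ cert }}{% endfor %} no-sslv3
  # Source addresses listed in the blacklist file are rejected.
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
  # Redirects come from each host's proxy_redirect inventory variable. Both
  # values are written into the config verbatim, so they must come from
  # trusted inventory data only.
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
  redirect prefix https://{{redirect.to}} if { hdr_dom(host) -i {{redirect.from}} }
{% endfor %}
{% endfor %}
  # Per inventory host: domains in <host>.ssl.list are served over TLS by
  # that host's backend. Domains in <host>.list, and CRM domains when
  # proxy_crm_domains is defined, go to backend_redirect, which sends the
  # client back to plain HTTP.
  # The CRM ACL now reads <host>.crm.list, the file the HTTP frontend uses
  # for CRM domains. It previously read <host>.list again, which made the
  # rule a duplicate of the one before it.
  # NOTE(review): hdr_dom matches dot-delimited parts of the client-supplied
  # Host header, so a listed domain also matches longer names containing it.
{% for host in groups['all'] %}
  acl ssl_domain_in_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.ssl.list
  use_backend backend_{{host}} if ssl_domain_in_{{host}}
  acl redirect_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.list
  use_backend backend_redirect if redirect_{{host}}
{% if hostvars[host].proxy_crm_domains is defined %}
  acl crm_redirect_{{host}} hdr_dom(host) -i -f /etc/haproxy/{{host}}.crm.list
  use_backend backend_redirect if crm_redirect_{{host}}
{% endif %}
{% endfor %}
{% endif %}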

# One backend per inventory host. The server address is the host's
# static_ipv4 when set, otherwise the default IPv4 address from gathered
# facts. Traffic to the server is plain HTTP on port 80, including requests
# that reached the proxy over TLS, so the network between proxy and servers
# has to be trusted.
{% for host in groups['all'] %}
backend backend_{{host}}
  server server_{{host}} {{ hostvars[host].static_ipv4 | default(hostvars[host].ansible_default_ipv4.address) }}:80 maxconn 32

{% endfor %}

# Sends every request back to the same host and path over plain HTTP. The
# TLS frontend uses it for domains that are not in an ssl list, so those
# clients are moved from HTTPS to cleartext.
backend backend_redirect
  redirect scheme http if TRUE

# Sends every request to the same host and path over HTTPS.
backend backend_redirect_ssl
  redirect scheme https if TRUE