# HAProxy Default Configuration Template
# This file is used as a base when generating haproxy.cfg
#
# Layout: process-wide settings (global), shared proxy defaults (defaults),
# three frontends (stats on 8404, HTTP on 80, HTTPS on 443) and four backends.
# Directive order inside a frontend matters: http-request rules and
# use_backend lines are evaluated top to bottom.

global
    # Log to stdout in raw format, facility local0.
    log stdout format raw local0
    maxconn 4096
    # Runtime API socket at admin level. Mode 660 limits access to the socket's
    # owner and group; any process that can write to it can issue admin-level
    # runtime commands, so keep that group membership minimal.
    stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # Cipher list for TLS 1.2 and below: ECDHE key exchange with AES-128-GCM only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # Cipher suites for TLS 1.3.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
    # Refuse anything older than TLS 1.2 and disable stateless session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # Only relevant to DHE key exchange; the cipher list above is ECDHE-only, so
    # this presumably has no effect unless a bind line overrides the ciphers.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    # Appends an X-Forwarded-For header carrying the client address to every
    # request sent to a server. The https-in frontend also sets this header
    # explicitly, so its backends likely receive the address twice - verify.
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Bounds how long a client may take to send a complete request.
    timeout http-request 10s
    timeout http-keep-alive 10s
    retries 3

# Stats frontend - enable monitoring
#
# NOTE(review): three things combine here and should be decided deliberately
# by whatever generates haproxy.cfg from this template:
#   - "bind *:8404" listens on every address and the bind line has no "ssl",
#     so the Basic-auth credential travels in clear text;
#   - "stats auth" carries a fixed user:password that is identical on every
#     deployment built from this template and is stored in plain text;
#   - "stats admin if TRUE" gives every authenticated user the admin actions
#     of the stats page (e.g. changing server state), not just read access.
# Prefer a per-device credential written at provisioning time, a bind address
# limited to the management network (or a firewall rule to that effect), and
# an ACL narrower than TRUE on "stats admin".
frontend stats
    bind *:8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:secubox
    stats admin if TRUE

# HTTP frontend - catch all port 80 traffic
frontend http-in
    bind *:80
    mode http

    # ACME challenge handling
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme

    # Default: redirect to HTTPS
    http-request redirect scheme https code 301 unless is_acme

    # Every non-ACME request is redirected above and ACME requests match the
    # use_backend rule, so this fallback appears to be unreachable in practice.
    # Unlike https-in, this frontend does not overwrite client-supplied
    # X-Forwarded-* / X-Real-IP headers before passing requests to "acme".
    default_backend default_luci

# HTTPS frontend - SSL termination with multi-certificate SNI support
frontend https-in
    # Certificates are selected from the crt-list; ALPN offers HTTP/2 first.
    bind *:443 ssl crt-list /opt/haproxy/certs/certs.list alpn h2,http/1.1
    mode http

    # Security headers
    # Added to every response from this frontend, including those of the
    # default backend. HSTS with includeSubDomains commits all subdomains of
    # each served host to HTTPS for one year.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options SAMEORIGIN

    # Forward real IP
    # set-header replaces any value the client sent, so backends only see the
    # address HAProxy observed (%[src]) rather than a client-chosen one.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-For %[src]

    # CyberMood.eu routing
    # hdr(host) compares the whole Host header value (case-insensitively with
    # -i); a Host value that includes an explicit port would presumably not
    # match and would fall through to the default backend - verify.
    acl is_cybermood hdr(host) -i cybermood.eu www.cybermood.eu
    acl is_cybermood_presse hdr(host) -i presse.cybermood.eu
    use_backend cybermood_web if is_cybermood
    use_backend cybermood_presse if is_cybermood_presse

    # NOTE(review): any request whose Host matches neither ACL is sent to the
    # LuCI backend. If this listener is reachable from untrusted networks,
    # that exposes the LuCI interface to them; consider an explicit allow-list
    # for it or a deny-by-default fallback instead.
    default_backend default_luci

# ACME challenge backend
backend acme
    mode http
    # Local responder on loopback; "check" enables health checks.
    server acme 127.0.0.1:8080 check

# Default LuCI backend - routes to uhttpd
backend default_luci
    mode http
    # Only one server is listed, so the balance algorithm has no practical effect.
    balance roundrobin
    # No "ssl" on the server line: traffic to the backend is plain HTTP.
    server luci 192.168.255.1:8081 check

# CyberMood.eu backend
backend cybermood_web
    mode http
    balance roundrobin
    server cybermood 192.168.255.1:4000 check

# CyberMood Presse backend
backend cybermood_presse
    mode http
    balance roundrobin
    server cybermood-presse 192.168.255.1:4001 check