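# HAProxy configuration, rendered from a Jinja2/Ansible template.
# Layout: global -> defaults -> resolvers -> TCP passthrough listeners
#         -> HTTP frontend on a unix socket -> one backend per public service.

global
    maxconn 2048
    maxconnrate 40
    # Default prefix and ownership for every unix socket bound in this file.
    unix-bind prefix {{ haproxy.socketroot }} user {{ haproxy.user }} group {{ haproxy.group }}
    # Admin-level runtime API: a peer on this socket can disable servers,
    # change weights and alter maps, so it must not be world-writable.
    # Previously "mode 666"; 660 matches the http frontend socket below and
    # limits access to the haproxy user/group set by unix-bind.
    stats socket {{ haproxy.socketroot }}/haproxy-stats.sock mode 660 level admin

defaults
    mode http
    retries 1
    option forwardfor
    option http-keep-alive
    option tcp-smart-connect
    option tcpka
    # Buffer the whole request before forwarding; bounded by "timeout http-request".
    option http-buffer-request
    balance roundrobin
    compression algo gzip
    timeout http-request 10s
    timeout connect 10s
    timeout client 60s
    timeout server 240s
    timeout http-keep-alive 240s
    # Every server resolves through "resolvers local", may start without an
    # address, drops duplicate IPs from the answer, and is health-checked.
    default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check

resolvers local
    nameserver unbound 127.0.0.1:53
    resolve_retries 2
    timeout retry 300ms
    hold other 100ms
    hold refused 100ms
    hold nx 100ms
    hold timeout 3s
    hold valid 5s

# Raw TCP passthrough: one listener per entry, the first host of the group is
# active and the remaining hosts are backups.
# NOTE(review): the upstream address comes from the fixed interface fact
# ansible_ens10; a host whose interface is named differently fails to render.
{% for entry in haproxy.ports.tcp %}
listen {{ entry.group }}
    mode tcp
    bind ipv4@*:{{ entry.expose }},ipv6@*:{{ entry.expose }}
    option tcp-check
{% for host in groups[entry.group] %}
    server {{ entry.group }}-{{ loop.index0 }} {{ hostvars[host]['ansible_ens10']['ipv4']['address'] }}:{{ entry.proxy }} {% if loop.index0 != 0 %}backup{% endif %}
{% endfor %}
{% endfor %}

frontend http
    mode http
    # Reachable only through the unix socket (relative to the unix-bind
    # prefix), i.e. from a local TLS terminator; no TCP port is exposed here.
    bind /haproxy.sock mode 660
    # Defined but not referenced by any rule in this file.
    acl root url /
{% for domains in haproxy.public %}
    # hdr_beg is a prefix match on the Host header: the configured domain
    # must not be a prefix of any other host name routed here.
    use_backend backend-{{ domains.service }} if { hdr_beg(host) -i {{ domains.domain }} }
{% endfor %}
    # Tell backends the original scheme. This belongs on the request; the
    # original added it to the response, where clients have no use for it.
    http-request set-header X-Forwarded-Proto https
    # NOTE(review): X-XSS-Protection is a legacy header; confirm it is still wanted.
    http-response set-header X-XSS-Protection 1;\ mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload

{% for domains in haproxy.public %}
backend backend-{{ domains.service }}
    # Up to domains.count servers discovered from the SRV record through the
    # "local" resolver configured by default-server.
    server-template {{ domains.service }} {{ domains.count }} _{{ domains.service }}._tcp.redxen.localhost
{% if domains.httpchk %}
    # Health check with an explicit Host so name-based virtual hosts answer.
    option httpchk HEAD / HTTP/1.1\r\nHost:\ {{ domains.domain }}.redxen.eu
{% endif %}
{% endfor %}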