global
  maxconn 2048
  maxconnrate 40
  uid 65534
  gid 65533
  node "$HOSTNAME"
  stats socket /haproxy/haproxy.sock mode 660 level admin

defaults
  mode http
  retries 1
  option forwardfor
  option http-keep-alive
  option tcp-smart-connect
  option tcpka
  option http-buffer-request
  balance roundrobin
  compression algo gzip
  timeout http-request 10s
  timeout connect 10s
  timeout client 60s
  timeout server 240s
  timeout http-keep-alive 240s
  default-server resolvers dockerdns init-addr libc,none resolve-opts prevent-dup-ip check

resolvers dockerdns
  nameserver docker 127.0.0.11:53
  resolve_retries 2
  timeout retry 300ms
  hold other           100ms
  hold refused         100ms
  hold nx              100ms
  hold timeout         3s
  hold valid           5s

frontend https
  mode http
  bind ipv6@:80 defer-accept accept-proxy
  bind ipv4@:80 defer-accept accept-proxy

  acl root url /

  acl grafana hdr_beg(host) -i stats.redxen.eu
  acl git hdr_beg(host) -i git.redxen.eu
  acl transmission hdr_beg(host) -i seed.redxen.eu
  acl seedown hdr_beg(host) -i sd.redxen.eu
  acl fediver hdr_beg(host) -i social.redxen.eu
  acl homepage hdr_beg(host) -i redxen.eu

  redirect location /index.html code 301 if homepage root
  redirect location /web/ code 301 if transmission root

  http-response replace-header Set-Cookie (.*) \1;\ Secure
  http-response add-header X-Forwarded-Proto https

  http-response set-header Cache-Control public\ max-age=31536000 if homepage

  http-response set-header X-XSS-Protection 1;\ mode=block
  http-response set-header X-Content-Type-Options nosniff
  http-response set-header Referrer-Policy no-referrer-when-downgrade
  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload

  use_backend grafana if grafana
  use_backend git if git
  use_backend transmission if transmission
  use_backend homepage if homepage
  use_backend seedown if seedown
  use_backend fedi if fediver

backend homepage
  server-template redxen-space 3 rxhome.s3-website.eu-central-1.amazonaws.com:80 no-check
  http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com
  http-request set-header Connection \"\"

backend grafana
  server-template grafana-docker 5 tasks.tig_grafana:3000
  option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
  http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend fedi
  server pleroma-docker tasks.pleroma_server:4000
  option httpchk HEAD / HTTP/1.1\r\nHost:\ social.redxen.eu

backend git
  server git-docker tasks.git_gitea:3000
  option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
  http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend transmission
  server transmission-docker tasks.seedbox_transmission:9091
  http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend seedown
  server httpd-seedown tasks.seedbox_httpd:80