# HAProxy reverse proxy: one plain-HTTP listener that routes by Host header to
# Docker-resolved backends and stamps security/cache headers on responses.

global
    # No "ssl" bind is visible in this file, so this DH size presumably has no effect here.
    tune.ssl.default-dh-param 2048
    maxconn 2048
    # Process-wide cap on new connections per second; it is lower than the
    # per-frontend "rate-limit sessions 100" in defaults, so it is reached first.
    maxconnrate 40
    # "level admin" exposes the full runtime API (enable/disable servers, etc.);
    # mode 660 limits the socket to its owner and group.
    # NOTE(review): /haproxy looks like a mounted volume; confirm which
    # containers/users can reach this socket.
    stats socket /haproxy/haproxy.sock mode 660 level admin

defaults
    mode http
    retries 3
    # Appends the connecting address to X-Forwarded-For on requests sent to backends.
    option forwardfor
    option http-keep-alive
    option tcp-smart-connect
    option tcpka
    # Buffer the request before processing; together with "timeout http-request"
    # this bounds how long a slow sender can hold a connection open.
    option http-buffer-request
    compression offload
    timeout http-request 10s
    timeout connect 5s
    timeout client 20s
    timeout server 240s
    timeout http-keep-alive 300s
    rate-limit sessions 100
    # Every server line resolves its hostname through the "dockerdns" section below.
    default-server resolvers dockerdns

resolvers dockerdns
    # 127.0.0.11 is Docker's embedded DNS; short hold times keep up with container restarts.
    nameserver docker 127.0.0.11:53
    resolve_retries 2
    timeout retry 300ms
    hold other 100ms
    hold refused 100ms
    hold nx 100ms
    hold timeout 3s
    hold valid 1s

# The frontend is named "https" but binds plain HTTP on port 80 with no "ssl".
# NOTE(review): TLS is presumably terminated upstream (the is_cf ACL name
# suggests Cloudflare); the HSTS and cookie "Secure" rewrites below only make
# sense if every client-facing hop is HTTPS. Confirm.
frontend https
    mode http
    bind *:80

    # is_cf only checks that an X-Forwarded-For header carrying an IP is present;
    # it does not check who sent the request. Any client that can reach this port
    # can supply the header, so X-Client-IP (set below) is client-controlled unless
    # the network restricts sources. Combining this with a "src" match against the
    # trusted proxy ranges (e.g. "src -f <TRUSTED_PROXY_CIDR_FILE>") would close that.
    acl is_cf req.hdr_ip(x-forwarded-for) -m found
    acl dav url_beg /.well-known/carddav /.well-known/caldav
    acl root url /
    acl discord-redirect url /discord

    # Response content-type classes used by the Cache-Control rules further down.
    # text/css and application/javascript also begin with text/ and application/,
    # so they satisfy private_cache as well; "public_cache ! private_cache" can
    # then only be true for font/ responses.
    # NOTE(review): HAProxy documents ACL flags as preceding the pattern list;
    # confirm the repeated "-i -m ..." groups after the first pattern are parsed
    # as flags and not as literal patterns.
    acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
    acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/

    # Host routing. hdr_beg is a prefix match, so a Host that merely starts with
    # one of these names (constructed example: "cloud.redxen.eu.example.net")
    # also matches. An exact match ("hdr(host) -i cloud.redxen.eu") is stricter.
    # NOTE(review): before tightening, confirm no client sends a ":port" suffix.
    acl grafana hdr_beg(host) -i stats.redxen.eu
    acl nextcloud hdr_beg(host) -i cloud.redxen.eu
    acl git hdr_beg(host) -i git.redxen.eu
    acl transmission hdr_beg(host) -i seed.redxen.eu
    acl onlyoffice hdr_beg(host) -i office.redxen.eu
    acl seedown hdr_beg(host) -i sd.redxen.eu
    acl homepage hdr_beg(host) -i redxen.eu

    # Copies the X-Forwarded-For IP into X-Client-IP; see the trust caveat on is_cf.
    http-request set-header X-Client-IP %[req.hdr_ip(x-forwarded-for)] if is_cf

    # Redirects: ACLs listed together are ANDed (path condition AND host condition).
    redirect location /remote.php/dav code 301 if dav nextcloud
    redirect location /index.html code 301 if homepage root
    redirect location /web/ code 301 if transmission root
    redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage

    # Appends "; Secure" to every Set-Cookie from any backend. HttpOnly and
    # SameSite are left to the applications.
    http-response replace-header Set-Cookie (.*) \1;\ Secure
    # This is an http-response rule, so the header goes to the client, not to backends.
    # NOTE(review): X-Forwarded-Proto is normally a request header; if backends
    # need the scheme, the usual form is "http-request set-header X-Forwarded-Proto https".
    http-response add-header X-Forwarded-Proto https

    # set-header replaces any Cache-Control the backend sent. The private rule
    # matches text/ and application/ (HTML, JSON) from every backend, so an
    # application's own no-store/no-cache on authenticated pages is overwritten
    # with a 24h private cache lifetime.
    # NOTE(review): consider applying these only when the backend sent no
    # Cache-Control, or only to the static backends.
    http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache
    http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache

    # X-XSS-Protection is a legacy header that current browsers ignore; the
    # per-backend CSPs are the effective control.
    http-response set-header X-XSS-Protection 1;\ mode=block
    http-response set-header X-Content-Type-Options nosniff
    # no-referrer-when-downgrade still sends the full URL to other HTTPS origins;
    # strict-origin-when-cross-origin would send only the origin.
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # One-year HSTS covering all subdomains, with the preload token.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload

    # No default_backend is declared: a Host matching none of the ACLs gets no backend.
    use_backend nextcloud if nextcloud
    use_backend grafana if grafana
    use_backend git if git
    use_backend transmission if transmission
    use_backend onlyoffice if onlyoffice
    use_backend homepage if homepage
    use_backend seedown if seedown

# Static homepage served from an S3 website endpoint over plain HTTP (port 80),
# so the proxy-to-S3 hop is unencrypted and unauthenticated. No "check" on the server.
backend homepage
    server redxen-space rxhome.s3-website.eu-central-1.amazonaws.com:80
    # The Host header is rewritten to the endpoint name before forwarding.
    http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com
    # NOTE(review): \"\" is an escaped pair of double quotes, so this presumably
    # sends a literal "" value rather than an empty header; confirm the intent.
    http-request set-header Connection \"\"

# Notes that apply to every Content-Security-Policy below:
#  - set-header replaces any CSP the application itself emits.
#  - None of the policies sets frame-ancestors and no X-Frame-Options is added in
#    this file, so framing by other origins is not restricted at the proxy.
#  - 'unsafe-inline' / 'unsafe-eval' in script-src largely remove the policy's
#    protection against script injection where they appear.
backend nextcloud
    # This server line has no "check" keyword, unlike the other Docker backends,
    # so the httpchk request below is configured but not run for this server.
    server nextcloud-docker cloud_nextcloud:80
    option httpchk HEAD / HTTP/1.1\r\nHost:\ cloud.redxen.eu
    # script-src and frame-src also allow https://office.redxen.eu; frame-src allows https://youtube.com.
    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ https://office.redxen.eu\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ https://office.redxen.eu\ https://youtube.com\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
    http-response set-header X-Robots-Tag none
    http-response set-header X-Download-Options noopen
    http-response set-header X-Permitted-Cross-Domain-Policies none

backend grafana
    server grafana-docker tig_grafana:3000 check
    option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
    # script-src allows both 'unsafe-inline' and 'unsafe-eval'.
    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend git
    server git-docker git_gitea:3000 check
    option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
    # connect-src additionally allows any https: origin; script-src allows
    # 'unsafe-inline' and 'unsafe-eval'.
    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend transmission
    # "check" without "option httpchk": the health check is a plain TCP connect.
    # NOTE(review): no authentication rule is visible at the proxy for this
    # backend; presumably the application's own login is relied on. Confirm.
    server transmission-docker seedbox_transmission:9091 check
    # The strictest policy in the file: script-src is 'self' only.
    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

backend onlyoffice
    server onlyoffice-docker cloud_documentserver:80 check
    # script-src allows both 'unsafe-eval' and 'unsafe-inline'.
    http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-eval\'\ \'unsafe-inline\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests

# No Content-Security-Policy is set for this backend; only the frontend-wide
# response headers apply.
backend seedown
    server httpd-seedown seedbox_httpd:80 check