#
# Serve ACME certificate validation challenges and act as an
# SSL reverse-proxy for an arbitrary backend service.
#
global
# Process-wide settings: logging, the ACME Lua plugin, and the TLS policy that
# every `bind ... ssl` line below inherits.
# Log to stdout (container-friendly); verbosity comes from PROXY_LOGLEVEL
log stdout format raw local0 "${PROXY_LOGLEVEL}"
# Lua service that answers ACME HTTP-01 challenges (wired up in `frontend http`)
lua-load /etc/haproxy/lua/haproxy-acme-validation-plugin-0.1.1/acme-http01-webroot.lua
# Ephemeral DH group size for DHE suites. The cipher list below is ECDHE-only,
# so this only matters if DHE suites are ever added.
tune.ssl.default-dh-param 4096
# TLS 1.2 cipher list (older protocol versions are refused by ssl-min-ver below).
# NOTE(review): "ECDHE+AES128" / "ECDHE+AES256" also admit the CBC + SHA1 suites;
# narrowing to ECDHE+AESGCM would drop them if no legacy clients depend on them — confirm.
ssl-default-bind-ciphers ECDHE+CHACHA20:ECDHE+AES128:ECDHE+AES256:!MD5
# TLS 1.3 cipher suites (AEAD only)
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Require TLS 1.2 or higher. prefer-client-ciphers lets the client's ordering win
# over the lists above; remove it to enforce the server's preference order.
ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
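defaults
# Settings inherited by every frontend/backend/listen below (`listen mqtt`
# overrides mode and the client/server timeouts for its long-lived sessions).
log global
mode http
log-format "%T %ft %ci:%cp %s %TR/%Tw/%Tc/%Tr/%Ta %{+Q}r %ST %ac/%fc/%bc/%sc/%rc %sq/%bq"
# Bound the time a client may take to send a complete request header. Without
# this the 60s client timeout applies during header reception, which lets
# slow-header (slowloris-style) connections occupy frontend slots far longer
# than any legitimate request needs. Ignored by the TCP-mode mqtt listener.
timeout http-request 10s
timeout connect 30s
timeout client 60s
timeout server 60s
# Upgraded connections (WebSocket etc.) may stay idle for up to 12 hours
timeout tunnel 720m
# never fail on address resolution: start even when a backend hostname does not
# resolve yet; the resolvers section fills the address in at runtime
default-server init-addr none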
# Runtime DNS for the server lines below, using the nameservers from the
# container's /etc/resolv.conf; answers are held for 10s so pod IP changes
# are picked up quickly.
resolvers kube_resolver
parse-resolv-conf
hold valid 10s
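# Operational endpoints (8404): Prometheus metrics at /metrics and the HAProxy
# stats page at /stats. Both are served WITHOUT authentication and reveal
# backend names, addresses and health state, so this port must only be
# reachable from inside the cluster (no external Service/Ingress, restrict
# with a NetworkPolicy) or be protected with `stats auth`.
frontend stats
bind *:8404
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
# Do not advertise the exact HAProxy version on the stats page
stats hide-version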
# Plain-HTTP frontend (8080): answers ACME challenges and the health probe
# itself, optionally redirects bare hostnames to service paths, and sends
# everything else to HTTPS.
frontend http
bind *:8080
# Serve certificate validation challenges directly with Lua plugin (GET only)
acl url_acme_http01 path_beg /.well-known/acme-challenge/
http-request use-service lua.acme-http01 if METH_GET url_acme_http01
# Static health endpoint for cluster manager healthcheck (don't log it)
acl url_cluster_health path /health-check
http-request set-log-level silent if url_cluster_health
http-request return status 200 if url_cluster_health
# Optional: redirects for root requests with certain host names to service paths.
# The redirect targets are built from environment variables, never from the
# request, so these rules cannot be steered into an open redirect by a client.
# NOTE(review): an unset PROXY_HOST_REDIRECT_N_NAME leaves an empty-string
# pattern in the matching ACL; confirm the behaviour for requests carrying an
# empty Host header is acceptable.
acl is_root path -i /
acl is_redirect_1 hdr(host) -i "${PROXY_HOST_REDIRECT_1_NAME}"
acl is_redirect_2 hdr(host) -i "${PROXY_HOST_REDIRECT_2_NAME}"
acl is_redirect_3 hdr(host) -i "${PROXY_HOST_REDIRECT_3_NAME}"
acl is_redirect_4 hdr(host) -i "${PROXY_HOST_REDIRECT_4_NAME}"
acl is_redirect_5 hdr(host) -i "${PROXY_HOST_REDIRECT_5_NAME}"
acl is_redirect_6 hdr(host) -i "${PROXY_HOST_REDIRECT_6_NAME}"
acl is_redirect_7 hdr(host) -i "${PROXY_HOST_REDIRECT_7_NAME}"
acl is_redirect_8 hdr(host) -i "${PROXY_HOST_REDIRECT_8_NAME}"
acl is_redirect_9 hdr(host) -i "${PROXY_HOST_REDIRECT_9_NAME}"
acl is_redirect_10 hdr(host) -i "${PROXY_HOST_REDIRECT_10_NAME}"
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_1_TARGET}" if is_root is_redirect_1
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_2_TARGET}" if is_root is_redirect_2
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_3_TARGET}" if is_root is_redirect_3
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_4_TARGET}" if is_root is_redirect_4
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_5_TARGET}" if is_root is_redirect_5
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_6_TARGET}" if is_root is_redirect_6
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_7_TARGET}" if is_root is_redirect_7
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_8_TARGET}" if is_root is_redirect_8
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_9_TARGET}" if is_root is_redirect_9
redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_10_TARGET}" if is_root is_redirect_10
# Redirect all http requests to https. The ACME and health paths above stay on
# plain HTTP (Let's Encrypt and the cluster probe must reach them unencrypted);
# everything else, including root requests no per-host rule matched, goes to HTTPS.
redirect scheme https if !url_acme_http01 !url_cluster_health
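# TLS frontend (8443): terminates HTTPS, routes /auth* to Keycloak and
# everything else to the manager.
frontend https
# Certificates: the bundled defaults plus whatever is mounted in CERT_DIR.
# no-tls-tickets disables stateless session-resumption tickets.
bind *:8443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
# Add the client address as X-Forwarded-For. A client-supplied X-Forwarded-For
# is NOT removed (forwardfor adds a new header rather than replacing), so
# backends must only trust the value HAProxy added, i.e. the last one.
option forwardfor
# Tell the backend the original scheme, host and port. These use set-header
# (not add-header) so a client-supplied X-Forwarded-Proto / X-Forwarded-Port
# cannot travel alongside ours and be picked up first by the backend.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Port 443
# HSTS is a response header for the browser, so it must be set with
# http-response; an http-request rule would only attach it to the request
# forwarded upstream and browsers would never see it.
http-response set-header Strict-Transport-Security max-age=15768000
# Keycloak serves everything under /auth; the manager gets the rest
acl auth url_beg /auth
use_backend keycloak_backend if auth
use_backend manager_backend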
# MQTT over TLS (8883) with mandatory client certificates, relayed as raw TCP
# to the manager's MQTT port.
listen mqtt
# verify required: every client must present a certificate that validates
# against ca-file. NOTE(review): ca-file points into the same directory that
# supplies the server certificate (tls.crt); if that file is a self-signed
# server leaf rather than a CA, only client certs signed by that key will
# validate — confirm this is the intended trust anchor.
bind *:8883 ssl crt "/etc/haproxy/mqtt-certs" crt "${CERT_DIR}" verify required ca-file "/etc/haproxy/mqtt-certs/tls.crt" no-tls-tickets
# Raw TCP: the MQTT protocol is not parsed here
mode tcp
# Keep long-idle subscriber connections alive: client-side TCP keep-alive plus
# timeouts longer than the kernel's default keep-alive interval
option clitcpka # For TCP keep-alive
timeout client 3h #By default TCP keep-alive interval is 2 hours in the OS kernel, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
timeout server 3h #By default TCP keep-alive interval is 2 hours in the OS kernel
# Log early instead of waiting for the session to end (sessions can live for hours)
option logasap
log-format "%T %ft CLIENT=%ci:%cp BACKEND=%bi:%bp %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
# Single server today; leastconn only matters if more are added
balance leastconn
server manager "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers kube_resolver check inter 1000
# Manager web UI/API. Address is resolved at runtime via kube_resolver and
# health-checked every second (plain connect check; no httpchk is configured).
backend manager_backend
server manager "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers kube_resolver check inter 1000
# Keycloak (identity provider), reached for /auth* requests. Address is resolved
# at runtime via kube_resolver and health-checked every second (plain connect
# check; no httpchk is configured).
backend keycloak_backend
server keycloak "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers kube_resolver check inter 1000