library/haproxy/1.8-alpine/config/60.frontend.cfg

frontend www-http
  bind *:80

  # Required variables from the request
  http-request set-var(req.path) path

  # # http-sites-map ACLs
  # acl http-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/http-sites.map) -m found

  # https-sites-map ACLs
  acl https-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/https-sites.map) -m found

  # # Required ACLs
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/

  # Normal requests should get secured
  redirect scheme https code 301 if !letsencrypt-acl https-sites-acl
  #redirect scheme https code 301 if https-sites-acl

  # # Redirect ACME requests to certbot
  use_backend site-http:default if letsencrypt-acl

  # Redirect HTTP requests to http site
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/http-sites.map,site-http:default)]

  default_backend site-http:default

frontend www-https
  # BEFORE BIND HOOK
  bind :443 ssl strict-sni crt-list /etc/haproxy/ssl/crt-list.txt

  # AFTER BIND HOOK

  # Standard headers to inform app about inverse proxy status
  http-request set-header X-SSL                   %[ssl_fc]
  http-request set-header X-SSL-Session_ID        %[ssl_fc_session_id,hex]
  http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]
  http-request set-header X-SSL-Client-DN         %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Client-CN         %{+Q}[ssl_c_s_dn(cn)]
  http-request set-header X-SSL-Issuer            %{+Q}[ssl_c_i_dn]
  http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]
  http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]
  http-request set-header X-Forwarded-Proto       https if { ssl_fc }
  http-request set-header X-Forwarded-Host        %[req.hdr(host)]
  http-request set-header X-Forwarded-Port        %[dst_port]
  http-request set-header X-Forwarded-For         %[src]
  http-request set-header X-Real-IP               %[src]


  # AFTER WWW HOOK

  use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/https-sites.map,site-http:default)]
ing 2018-10-27 03:58:37 +00:00			`frontend www-http`
			`bind *:80`

			`# Required variables from the request`
			`http-request set-var(req.path) path`

			`# # http-sites-map ACLs`
			`# acl http-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/http-sites.map) -m found`

			`# https-sites-map ACLs`
			`acl https-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/https-sites.map) -m found`

			`# # Required ACLs`
			`acl letsencrypt-acl path_beg /.well-known/acme-challenge/`

			`# Normal requests should get secured`
			`redirect scheme https code 301 if !letsencrypt-acl https-sites-acl`
			`#redirect scheme https code 301 if https-sites-acl`

			`# # Redirect ACME requests to certbot`
			`use_backend site-http:default if letsencrypt-acl`

			`# Redirect HTTP requests to http site`
			`use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/http-sites.map,site-http:default)]`

			`default_backend site-http:default`

			`frontend www-https`
			`# BEFORE BIND HOOK`
			`bind :443 ssl strict-sni crt-list /etc/haproxy/ssl/crt-list.txt`

			`# AFTER BIND HOOK`

			`# Standard headers to inform app about inverse proxy status`
			`http-request set-header X-SSL %[ssl_fc]`
			`http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]`
			`http-request set-header X-SSL-Client-Verify %[ssl_c_verify]`
			`http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]`
			`http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]`
			`http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]`
			`http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]`
			`http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]`
			`http-request set-header X-Forwarded-Proto https if { ssl_fc }`
			`http-request set-header X-Forwarded-Host %[req.hdr(host)]`
			`http-request set-header X-Forwarded-Port %[dst_port]`
			`http-request set-header X-Forwarded-For %[src]`
			`http-request set-header X-Real-IP %[src]`


			`# AFTER WWW HOOK`

			`use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/https-sites.map,site-http:default)]`