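# Plain-text listener. Serves ACME HTTP-01 challenges, redirects hosts that
# have a TLS site to https, and serves hosts listed in http-sites.map as-is.
frontend www-http
    bind *:80

    # Required variables from the request
    http-request set-var(req.path) path

    # Both frontends route to "site-http:*" backends, and the HTTPS frontend
    # tells those backends about TLS / client-certificate state through
    # X-SSL-* headers. A plain-HTTP client could send the same header names
    # (e.g. "X-SSL-Client-Verify: 0", a forged X-SSL-Client-CN) and, if a
    # backend trusts them, impersonate a mutually-authenticated session.
    # Drop every proxy-owned header on this listener so backends never see a
    # client-supplied value. Individual del-header lines are used instead of
    # "del-header -m beg" so the config also loads on HAProxy < 2.2.
    http-request del-header X-SSL
    http-request del-header X-SSL-Session_ID
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Issuer
    http-request del-header X-SSL-Client-NotBefore
    http-request del-header X-SSL-Client-NotAfter

    # Truthful forwarding headers for the plain-text side. These mirror the
    # HTTPS frontend (set-header overwrites, so client-supplied values are
    # discarded); this assumes HAProxy is the edge proxy with no trusted
    # proxy in front of it, which is what the HTTPS frontend already assumes.
    http-request set-header X-Forwarded-Proto http
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Real-IP %[src]

    #
    # http-sites-map ACLs
    # NOTE(review): http-sites-acl is declared but not referenced in this
    # frontend; kept for hooks/includes that may use it.
    acl http-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/http-sites.map) -m found

    # https-sites-map ACLs
    # NOTE(review): map_beg is a prefix match on the Host header, so a host
    # such as "example.com.attacker.test" matches the key "example.com". Here
    # that only triggers a same-host https redirect (harmless), while the
    # use_backend lookups below use an exact map() match. If the Host header
    # carries a port ("example.com:80") neither lookup matches -- confirm
    # whether a host_only/field converter is wanted for your HAProxy version.
    acl https-sites-acl req.hdr(host),lower,map_beg(/etc/haproxy/sites/https-sites.map) -m found

    #
    # Required ACLs
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    # Normal requests should get secured; ACME challenges must stay on
    # port 80 so the CA can reach them before a certificate exists.
    redirect scheme https code 301 if !letsencrypt-acl https-sites-acl
    #redirect scheme https code 301 if https-sites-acl

    #
    # Redirect ACME requests to certbot
    use_backend site-http:default if letsencrypt-acl

    # Redirect HTTP requests to http site (exact host match, else default)
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/http-sites.map,site-http:default)]
    default_backend site-http:default

# TLS listener. Terminates TLS, exposes connection/client-certificate facts
# to the backends as X-SSL-* headers and routes by Host via https-sites.map.
frontend www-https
    # BEFORE BIND HOOK
    # strict-sni: connections whose SNI matches no entry in crt-list.txt are
    # rejected at the handshake instead of being served the first/default
    # certificate. TLS version and cipher policy are not set on this bind;
    # they are expected to come from global ssl-default-bind-options /
    # ssl-default-bind-ciphers (not visible here) -- confirm those enforce
    # at least TLSv1.2, or add "ssl-min-ver TLSv1.2" to this bind line.
    bind :443 ssl strict-sni crt-list /etc/haproxy/ssl/crt-list.txt
    # AFTER BIND HOOK

    # Standard headers to inform app about inverse proxy status.
    # set-header overwrites, so any client-supplied X-SSL-* value is replaced
    # by the real TLS state of this connection. When no client certificate
    # was presented the ssl_c_* fetches are empty and the %{+Q} headers are
    # sent as an empty quoted string; backends must key off
    # X-SSL-Client-Verify (0 = verified) rather than presence of these headers.
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
    # ssl_fc is always true on an "ssl" bind, so the condition is a no-op
    # guard kept for hooks that might add a non-TLS bind above.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Real-IP %[src]
    # AFTER WWW HOOK

    # Route by Host header (lower-cased, exact match). strict-sni only
    # validates the SNI name; the Host header can still differ from it, so
    # the site-http:default fallback is reachable and must be safe to serve
    # to any host. No HSTS is emitted here; add a Strict-Transport-Security
    # response header only once every host in https-sites.map (and its
    # subdomains, if includeSubDomains is used) is served over TLS.
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/sites/https-sites.map,site-http:default)]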