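# Statistics page.
# NOTE(review): this listener binds every interface on port 8404 and has no
# "stats auth" line, so anyone who can reach the port can read the page
# (frontend, backend and server names and their state). Only the admin actions
# are limited to LOCALHOST. Confirm that a firewall restricts this port, or
# bind it to a management address.
frontend stats
    mode http
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST

# Public HTTP/HTTPS entry point: TLS termination, country and IP allow-listing,
# and Host-based routing to the backends.
frontend frontend_default
    bind :80 name http
    bind :::80 name httpv6 v6only
    # Sadly we can't use strict-sni because of Let's Encrypt challenge on https
    bind :443 name https ssl crt /etc/haproxy/crt alpn h2,http/1.1
    bind :::443 name httpsv6 v6only ssl crt /etc/haproxy/crt alpn h2,http/1.1

    # silently ignore connect probes and pre-connect without request
    option http-ignore-probes

    # pass client's IP address to the server and prevent against attempts
    # to inject bad contents
    http-request del-header x-forwarded-for
    option forwardfor

    # enable HTTP compression of text contents
    compression algo deflate gzip
    compression type text/ application/javascript application/xhtml+xml image/x-icon

    # enable HTTP caching of any cacheable content
    # NOTE(review): these cache rules sit above the per-host deny rules further
    # down. Confirm that a cache hit cannot answer a request for a restricted
    # host before the deny is evaluated, or move cache-use below the deny rules.
    http-request cache-use cache
    http-response cache-store cache

    # Redirect to HTTPS
    http-request redirect scheme https unless { ssl_fc }

    # ACLs
    # ACL for country blocks: one ACL per ISO country code, each matching the
    # client source address against the networks listed in its file.
    # Only JP and FR are referenced by the rules visible in this frontend.
    acl AD src -f /etc/haproxy/country/AD.txt
    acl AE src -f /etc/haproxy/country/AE.txt
    acl AF src -f /etc/haproxy/country/AF.txt
    acl AG src -f /etc/haproxy/country/AG.txt
    acl AI src -f /etc/haproxy/country/AI.txt
    acl AL src -f /etc/haproxy/country/AL.txt
    acl AM src -f /etc/haproxy/country/AM.txt
    acl AO src -f /etc/haproxy/country/AO.txt
    acl AQ src -f /etc/haproxy/country/AQ.txt
    acl AR src -f /etc/haproxy/country/AR.txt
    acl AS src -f /etc/haproxy/country/AS.txt
    acl AT src -f /etc/haproxy/country/AT.txt
    acl AU src -f /etc/haproxy/country/AU.txt
    acl AW src -f /etc/haproxy/country/AW.txt
    acl AX src -f /etc/haproxy/country/AX.txt
    acl AZ src -f /etc/haproxy/country/AZ.txt
    acl BA src -f /etc/haproxy/country/BA.txt
    acl BB src -f /etc/haproxy/country/BB.txt
    acl BD src -f /etc/haproxy/country/BD.txt
    acl BE src -f /etc/haproxy/country/BE.txt
    acl BF src -f /etc/haproxy/country/BF.txt
    acl BG src -f /etc/haproxy/country/BG.txt
    acl BH src -f /etc/haproxy/country/BH.txt
    acl BI src -f /etc/haproxy/country/BI.txt
    acl BJ src -f /etc/haproxy/country/BJ.txt
    acl BL src -f /etc/haproxy/country/BL.txt
    acl BM src -f /etc/haproxy/country/BM.txt
    acl BN src -f /etc/haproxy/country/BN.txt
    acl BO src -f /etc/haproxy/country/BO.txt
    acl BQ src -f /etc/haproxy/country/BQ.txt
    acl BR src -f /etc/haproxy/country/BR.txt
    acl BS src -f /etc/haproxy/country/BS.txt
    acl BT src -f /etc/haproxy/country/BT.txt
    acl BV src -f /etc/haproxy/country/BV.txt
    acl BW src -f /etc/haproxy/country/BW.txt
    acl BY src -f /etc/haproxy/country/BY.txt
    acl BZ src -f /etc/haproxy/country/BZ.txt
    acl CA src -f /etc/haproxy/country/CA.txt
    acl CC src -f /etc/haproxy/country/CC.txt
    acl CD src -f /etc/haproxy/country/CD.txt
    acl CF src -f /etc/haproxy/country/CF.txt
    acl CG src -f /etc/haproxy/country/CG.txt
    acl CH src -f /etc/haproxy/country/CH.txt
    acl CI src -f /etc/haproxy/country/CI.txt
    acl CK src -f /etc/haproxy/country/CK.txt
    acl CL src -f /etc/haproxy/country/CL.txt
    acl CM src -f /etc/haproxy/country/CM.txt
    acl CN src -f /etc/haproxy/country/CN.txt
    acl CO src -f /etc/haproxy/country/CO.txt
    acl CR src -f /etc/haproxy/country/CR.txt
    acl CU src -f /etc/haproxy/country/CU.txt
    acl CV src -f /etc/haproxy/country/CV.txt
    acl CW src -f /etc/haproxy/country/CW.txt
    acl CX src -f /etc/haproxy/country/CX.txt
    acl CY src -f /etc/haproxy/country/CY.txt
    acl CZ src -f /etc/haproxy/country/CZ.txt
    acl DE src -f /etc/haproxy/country/DE.txt
    acl DJ src -f /etc/haproxy/country/DJ.txt
    acl DK src -f /etc/haproxy/country/DK.txt
    acl DM src -f /etc/haproxy/country/DM.txt
    acl DO src -f /etc/haproxy/country/DO.txt
    acl DZ src -f /etc/haproxy/country/DZ.txt
    acl EC src -f /etc/haproxy/country/EC.txt
    acl EE src -f /etc/haproxy/country/EE.txt
    acl EG src -f /etc/haproxy/country/EG.txt
    acl EH src -f /etc/haproxy/country/EH.txt
    acl ER src -f /etc/haproxy/country/ER.txt
    acl ES src -f /etc/haproxy/country/ES.txt
    acl ET src -f /etc/haproxy/country/ET.txt
    acl FI src -f /etc/haproxy/country/FI.txt
    acl FJ src -f /etc/haproxy/country/FJ.txt
    acl FK src -f /etc/haproxy/country/FK.txt
    acl FM src -f /etc/haproxy/country/FM.txt
    acl FO src -f /etc/haproxy/country/FO.txt
    acl FR src -f /etc/haproxy/country/FR.txt
    acl GA src -f /etc/haproxy/country/GA.txt
    acl GB src -f /etc/haproxy/country/GB.txt
    acl GD src -f /etc/haproxy/country/GD.txt
    acl GE src -f /etc/haproxy/country/GE.txt
    acl GF src -f /etc/haproxy/country/GF.txt
    acl GG src -f /etc/haproxy/country/GG.txt
    acl GH src -f /etc/haproxy/country/GH.txt
    acl GI src -f /etc/haproxy/country/GI.txt
    acl GL src -f /etc/haproxy/country/GL.txt
    acl GM src -f /etc/haproxy/country/GM.txt
    acl GN src -f /etc/haproxy/country/GN.txt
    acl GP src -f /etc/haproxy/country/GP.txt
    acl GQ src -f /etc/haproxy/country/GQ.txt
    acl GR src -f /etc/haproxy/country/GR.txt
    acl GS src -f /etc/haproxy/country/GS.txt
    acl GT src -f /etc/haproxy/country/GT.txt
    acl GU src -f /etc/haproxy/country/GU.txt
    acl GW src -f /etc/haproxy/country/GW.txt
    acl GY src -f /etc/haproxy/country/GY.txt
    acl HK src -f /etc/haproxy/country/HK.txt
    acl HM src -f /etc/haproxy/country/HM.txt
    acl HN src -f /etc/haproxy/country/HN.txt
    acl HR src -f /etc/haproxy/country/HR.txt
    acl HT src -f /etc/haproxy/country/HT.txt
    acl HU src -f /etc/haproxy/country/HU.txt
    acl ID src -f /etc/haproxy/country/ID.txt
    acl IE src -f /etc/haproxy/country/IE.txt
    acl IL src -f /etc/haproxy/country/IL.txt
    acl IM src -f /etc/haproxy/country/IM.txt
    acl IN src -f /etc/haproxy/country/IN.txt
    acl IO src -f /etc/haproxy/country/IO.txt
    acl IQ src -f /etc/haproxy/country/IQ.txt
    acl IR src -f /etc/haproxy/country/IR.txt
    acl IS src -f /etc/haproxy/country/IS.txt
    acl IT src -f /etc/haproxy/country/IT.txt
    acl JE src -f /etc/haproxy/country/JE.txt
    acl JM src -f /etc/haproxy/country/JM.txt
    acl JO src -f /etc/haproxy/country/JO.txt
    acl JP src -f /etc/haproxy/country/JP.txt
    acl KE src -f /etc/haproxy/country/KE.txt
    acl KG src -f /etc/haproxy/country/KG.txt
    acl KH src -f /etc/haproxy/country/KH.txt
    acl KI src -f /etc/haproxy/country/KI.txt
    acl KM src -f /etc/haproxy/country/KM.txt
    acl KN src -f /etc/haproxy/country/KN.txt
    acl KP src -f /etc/haproxy/country/KP.txt
    acl KR src -f /etc/haproxy/country/KR.txt
    acl KW src -f /etc/haproxy/country/KW.txt
    acl KY src -f /etc/haproxy/country/KY.txt
    acl KZ src -f /etc/haproxy/country/KZ.txt
    acl LA src -f /etc/haproxy/country/LA.txt
    acl LB src -f /etc/haproxy/country/LB.txt
    acl LC src -f /etc/haproxy/country/LC.txt
    acl LI src -f /etc/haproxy/country/LI.txt
    acl LK src -f /etc/haproxy/country/LK.txt
    acl LR src -f /etc/haproxy/country/LR.txt
    acl LS src -f /etc/haproxy/country/LS.txt
    acl LT src -f /etc/haproxy/country/LT.txt
    acl LU src -f /etc/haproxy/country/LU.txt
    acl LV src -f /etc/haproxy/country/LV.txt
    acl LY src -f /etc/haproxy/country/LY.txt
    acl MA src -f /etc/haproxy/country/MA.txt
    acl MC src -f /etc/haproxy/country/MC.txt
    acl MD src -f /etc/haproxy/country/MD.txt
    acl ME src -f /etc/haproxy/country/ME.txt
    acl MF src -f /etc/haproxy/country/MF.txt
    acl MG src -f /etc/haproxy/country/MG.txt
    acl MH src -f /etc/haproxy/country/MH.txt
    acl MK src -f /etc/haproxy/country/MK.txt
    acl ML src -f /etc/haproxy/country/ML.txt
    acl MM src -f /etc/haproxy/country/MM.txt
    acl MN src -f /etc/haproxy/country/MN.txt
    acl MO src -f /etc/haproxy/country/MO.txt
    acl MP src -f /etc/haproxy/country/MP.txt
    acl MQ src -f /etc/haproxy/country/MQ.txt
    acl MR src -f /etc/haproxy/country/MR.txt
    acl MS src -f /etc/haproxy/country/MS.txt
    acl MT src -f /etc/haproxy/country/MT.txt
    acl MU src -f /etc/haproxy/country/MU.txt
    acl MV src -f /etc/haproxy/country/MV.txt
    acl MW src -f /etc/haproxy/country/MW.txt
    acl MX src -f /etc/haproxy/country/MX.txt
    acl MY src -f /etc/haproxy/country/MY.txt
    acl MZ src -f /etc/haproxy/country/MZ.txt
    acl NA src -f /etc/haproxy/country/NA.txt
    acl NC src -f /etc/haproxy/country/NC.txt
    acl NE src -f /etc/haproxy/country/NE.txt
    acl NF src -f /etc/haproxy/country/NF.txt
    acl NG src -f /etc/haproxy/country/NG.txt
    acl NI src -f /etc/haproxy/country/NI.txt
    acl NL src -f /etc/haproxy/country/NL.txt
    acl NO src -f /etc/haproxy/country/NO.txt
    acl NP src -f /etc/haproxy/country/NP.txt
    acl NR src -f /etc/haproxy/country/NR.txt
    acl NU src -f /etc/haproxy/country/NU.txt
    acl NZ src -f /etc/haproxy/country/NZ.txt
    acl OM src -f /etc/haproxy/country/OM.txt
    acl PA src -f /etc/haproxy/country/PA.txt
    acl PE src -f /etc/haproxy/country/PE.txt
    acl PF src -f /etc/haproxy/country/PF.txt
    acl PG src -f /etc/haproxy/country/PG.txt
    acl PH src -f /etc/haproxy/country/PH.txt
    acl PK src -f /etc/haproxy/country/PK.txt
    acl PL src -f /etc/haproxy/country/PL.txt
    acl PM src -f /etc/haproxy/country/PM.txt
    acl PN src -f /etc/haproxy/country/PN.txt
    acl PR src -f /etc/haproxy/country/PR.txt
    acl PS src -f /etc/haproxy/country/PS.txt
    acl PT src -f /etc/haproxy/country/PT.txt
    acl PW src -f /etc/haproxy/country/PW.txt
    acl PY src -f /etc/haproxy/country/PY.txt
    acl QA src -f /etc/haproxy/country/QA.txt
    acl RE src -f /etc/haproxy/country/RE.txt
    acl RO src -f /etc/haproxy/country/RO.txt
    acl RS src -f /etc/haproxy/country/RS.txt
    acl RU src -f /etc/haproxy/country/RU.txt
    acl RW src -f /etc/haproxy/country/RW.txt
    acl SA src -f /etc/haproxy/country/SA.txt
    acl SB src -f /etc/haproxy/country/SB.txt
    acl SC src -f /etc/haproxy/country/SC.txt
    acl SD src -f /etc/haproxy/country/SD.txt
    acl SE src -f /etc/haproxy/country/SE.txt
    acl SG src -f /etc/haproxy/country/SG.txt
    acl SH src -f /etc/haproxy/country/SH.txt
    acl SI src -f /etc/haproxy/country/SI.txt
    acl SJ src -f /etc/haproxy/country/SJ.txt
    acl SK src -f /etc/haproxy/country/SK.txt
    acl SL src -f /etc/haproxy/country/SL.txt
    acl SM src -f /etc/haproxy/country/SM.txt
    acl SN src -f /etc/haproxy/country/SN.txt
    acl SO src -f /etc/haproxy/country/SO.txt
    acl SR src -f /etc/haproxy/country/SR.txt
    acl SS src -f /etc/haproxy/country/SS.txt
    acl ST src -f /etc/haproxy/country/ST.txt
    acl SV src -f /etc/haproxy/country/SV.txt
    acl SX src -f /etc/haproxy/country/SX.txt
    acl SY src -f /etc/haproxy/country/SY.txt
    acl SZ src -f /etc/haproxy/country/SZ.txt
    acl TC src -f /etc/haproxy/country/TC.txt
    acl TD src -f /etc/haproxy/country/TD.txt
    acl TF src -f /etc/haproxy/country/TF.txt
    acl TG src -f /etc/haproxy/country/TG.txt
    acl TH src -f /etc/haproxy/country/TH.txt
    acl TJ src -f /etc/haproxy/country/TJ.txt
    acl TK src -f /etc/haproxy/country/TK.txt
    acl TL src -f /etc/haproxy/country/TL.txt
    acl TM src -f /etc/haproxy/country/TM.txt
    acl TN src -f /etc/haproxy/country/TN.txt
    acl TO src -f /etc/haproxy/country/TO.txt
    acl TR src -f /etc/haproxy/country/TR.txt
    acl TT src -f /etc/haproxy/country/TT.txt
    acl TV src -f /etc/haproxy/country/TV.txt
    acl TW src -f /etc/haproxy/country/TW.txt
    acl TZ src -f /etc/haproxy/country/TZ.txt
    acl UA src -f /etc/haproxy/country/UA.txt
    acl UG src -f /etc/haproxy/country/UG.txt
    acl UM src -f /etc/haproxy/country/UM.txt
    acl US src -f /etc/haproxy/country/US.txt
    acl UY src -f /etc/haproxy/country/UY.txt
    acl UZ src -f /etc/haproxy/country/UZ.txt
    acl VA src -f /etc/haproxy/country/VA.txt
    acl VC src -f /etc/haproxy/country/VC.txt
    acl VE src -f /etc/haproxy/country/VE.txt
    acl VG src -f /etc/haproxy/country/VG.txt
    acl VI src -f /etc/haproxy/country/VI.txt
    acl VN src -f /etc/haproxy/country/VN.txt
    acl VU src -f /etc/haproxy/country/VU.txt
    acl WF src -f /etc/haproxy/country/WF.txt
    acl WS src -f /etc/haproxy/country/WS.txt
    acl XK src -f /etc/haproxy/country/XK.txt
    acl YE src -f /etc/haproxy/country/YE.txt
    acl YT src -f /etc/haproxy/country/YT.txt
    acl ZA src -f /etc/haproxy/country/ZA.txt
    acl ZM src -f /etc/haproxy/country/ZM.txt
    acl ZW src -f /etc/haproxy/country/ZW.txt

    # Let's Encrypt
    acl letsencrypt path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if letsencrypt

    # Redirect www to non-www domains
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }

    # Mastodon
    # ACL to match requests for /.well-known/webfinger
    acl webfinger_request path_beg /.well-known/webfinger
    # ACL to match the Mastodon host itself. Negation is only valid in front of
    # an ACL name inside a condition; inside an "acl" definition the "!" is part
    # of the pattern, so the former "hdr(host) !mastodon.benoit.jp.net" could
    # only match a Host header that literally began with "!".
    acl mastodon_host hdr(host) -i mastodon.benoit.jp.net
    # Redirect if it's a webfinger request and the host is not mastodon.benoit.jp.net
    http-request redirect location https://mastodon.benoit.jp.net%[capture.req.uri] if webfinger_request !mastodon_host

    # Everything else
    acl adguard hdr(host) -i adguard.benoit.jp.net
    acl archive hdr(host) -i blog.benpro.fr.archive.benoit.jp.net
    acl archive hdr(host) -i lekernelpanique.fr.archive.benoit.jp.net
    acl archive hdr(host) -i sysadmin-bookmarks.archive.benoit.jp.net
    acl beszel hdr(host) -i beszel.benoit.jp.net
    acl forgejo hdr(host) -i forgejo.benoit.jp.net
    acl jellyfin hdr(host) -i jellyfin.benoit.jp.net
    acl kanboard hdr(host) -i kanboard.benoit.jp.net
    acl laminar hdr(host) -i laminar.benoit.jp.net
    acl linkding hdr(host) -i linkding.benoit.jp.net
    acl mailcow hdr(host) -i mail.benoit.jp.net
    acl mastodon hdr(host) -i mastodon.benoit.jp.net
    acl miniflux hdr(host) -i miniflux.benoit.jp.net
    acl navidrome hdr(host) -i navidrome.benoit.jp.net
    acl nefarious hdr(host) -i nefarious.benoit.jp.net
    acl nefarious-jackett hdr(host) -i nefarious-jackett.benoit.jp.net
    acl nefarious-transmission hdr(host) -i nefarious-transmission.benoit.jp.net
    acl photoprism hdr(host) -i photoprism.benoit.jp.net
    acl uptime-kuma hdr(host) -i uptime-kuma.benoit.jp.net
    acl vaultwarden hdr(host) -i vaultwarden.benoit.jp.net
    acl www hdr(host) -i benoit.jp.net
    acl www hdr(host) -i www.benoit.jp.net

    # Allow mxmon + tailscale
    # Tailscale assigns node IPv4 addresses from the CGNAT block 100.64.0.0/10.
    # The former 100.0.0.0/8 entry also matched publicly routable 100.x.x.x
    # addresses, which let them past every deny rule below.
    # NOTE(review): Tailscale documents its IPv6 prefix as fd7a:115c:a1e0::/48;
    # confirm the /64 below covers the node addresses of this tailnet.
    acl allowed_ips src 5.78.92.102 2a01:4ff:1f0:c14e::1 100.64.0.0/10 fd7a:115c:a1e0::/64

    # Restricted hosts: deny unless the request is an ACME challenge or comes
    # from an allowed address. navidrome also accepts clients matched by JP,
    # photoprism clients matched by JP or FR.
    http-request deny if adguard !letsencrypt !allowed_ips
    http-request deny if beszel !letsencrypt !allowed_ips
    http-request deny if jellyfin !letsencrypt !allowed_ips
    http-request deny if kanboard !letsencrypt !allowed_ips
    http-request deny if mailcow !letsencrypt !allowed_ips
    http-request deny if miniflux !letsencrypt !allowed_ips
    http-request deny if navidrome !JP !letsencrypt !allowed_ips
    http-request deny if nefarious !letsencrypt !allowed_ips
    http-request deny if nefarious-jackett !letsencrypt !allowed_ips
    http-request deny if nefarious-transmission !letsencrypt !allowed_ips
    http-request deny if photoprism !JP !FR !letsencrypt !allowed_ips
    http-request deny if vaultwarden !letsencrypt !allowed_ips

    # Host-based routing. A Host header that matches none of the ACLs above
    # falls through to default_backend.
    use_backend adguard if adguard
    use_backend archive if archive
    use_backend beszel if beszel
    use_backend forgejo if forgejo
    use_backend jellyfin if jellyfin
    use_backend kanboard if kanboard
    use_backend laminar if laminar
    # Redundant with the identical rule in the Let's Encrypt section above.
    use_backend letsencrypt if letsencrypt
    use_backend linkding if linkding
    use_backend mailcow if mailcow
    use_backend mastodon if mastodon
    use_backend miniflux if miniflux
    use_backend navidrome if navidrome
    use_backend photoprism if photoprism
    use_backend uptime-kuma if uptime-kuma
    use_backend vaultwarden if vaultwarden
    use_backend www if www
    use_backend nefarious if nefarious
    use_backend nefarious-jackett if nefarious-jackett
    use_backend nefarious-transmission if nefarious-transmission
    default_backend default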