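# HAProxy configuration: TLS-terminating HTTP reverse proxy for a few local
# web backends plus a raw TCP passthrough for Git-over-SSH.
#
# Changes versus the previous revision:
#   - X-Forwarded-Proto is now set with "http-request set-header" (reqadd only
#     appended a second header next to any client-supplied one, and the reqadd
#     family is removed in HAProxy 2.1+); on plain-HTTP requests the header is
#     dropped so a client cannot claim "https" to a backend.
#   - The tcp-mode frontend declares "option tcplog" explicitly instead of
#     inheriting "option httplog" from defaults, which is not usable in tcp mode.

global
  log /dev/log local0
  log /dev/log local1 notice
  chroot /var/lib/haproxy
  # Runtime API: local UNIX socket only, restricted to owner/group (mode 660)
  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
  user haproxy
  group haproxy
  daemon

  # Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

  # TLS policy for both listening and server-side sockets:
  # TLS 1.2/1.3 only, forward-secret AEAD suites, no session tickets.
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/haproxy/dhparam
  ssl-dh-param-file /etc/haproxy/dhparam

defaults
  log global
  mode http
  option httplog
  option dontlognull
  # timeouts without a unit are in milliseconds
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

# Raw TCP passthrough for Git-over-SSH. The client address reaches Gitea via
# the PROXY protocol (send-proxy on the server line), not via HTTP headers.
frontend gitea-ssh
  mode tcp
  # defaults carries "option httplog", which is not usable in tcp mode
  option tcplog
  bind :22
  bind :::22 v6only
  default_backend gitea-ssh

backend gitea-ssh
  mode tcp
  server gitea 127.0.0.1:2222 check send-proxy

# HTTP/HTTPS entry point; TLS is terminated here with SNI-selected certificates.
frontend default
  bind :80
  bind :::80 v6only
  bind :443 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
  bind :::443 v6only ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1

  # HSTS (15768000 seconds = 6 months)
  http-response set-header Strict-Transport-Security max-age=15768000

  # Tell backends whether the client connection was TLS. set-header replaces
  # any client-supplied value; on plain HTTP the header is removed entirely so
  # the value a backend sees is always one HAProxy produced.
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request del-header X-Forwarded-Proto if !{ ssl_fc }

  # Let's Encrypt (HTTP-01 challenge); evaluated before the host-based rules
  acl letsencrypt path_dir -i /.well-known/acme-challenge
  use_backend localhost if letsencrypt

  # mo-f.fr — suffix match, so every host whose name ends in "mo-f.fr"
  # (subdomains included) is routed here
  acl mof hdr_end(host) -i mo-f.fr
  use_backend mof if mof

  # play.benpro.fr — exact host match
  acl play hdr(host) -i play.benpro.fr
  use_backend play if play

  # Intentionally no default_backend: requests for an unknown host are not
  # forwarded to the local backend but answered by HAProxy itself.
  #default_backend localhost

backend localhost
  option forwardfor
  server localhost 127.0.0.1:8080 check send-proxy

backend mof
  # Behind Cloudflare, X-Forwarded-For is always set; do not override it
  option forwardfor if-none
  redirect scheme https if !{ ssl_fc }
  server mof 127.0.0.1:8081 check

backend play
  option forwardfor
  redirect scheme https if !{ ssl_fc }
  server play 127.0.0.1:8096 check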