src/haproxy/haproxy.cfg

global
	tune.ssl.default-dh-param 1024
	# https://github.com/haproxytech/haproxy-lua-cors
	lua-load /usr/local/etc/haproxy/cors.lua
	# https://www.haproxy.com/blog/introduction-to-haproxy-logging/
	log stdout format raw daemon "${LOGLEVEL}"
	log stderr format raw daemon "${LOGLEVEL}"
	ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
	balance roundrobin
	default-server init-addr last,libc,none
	default-server inter 3s rise 2 fall 3
	log global
	mode http
	option contstats
	option dontlognull
	option forwardfor
	option httplog
	timeout client 63s
	timeout connect 5s
	timeout http-keep-alive 1s
	timeout http-request 63s
	timeout server 63s
	timeout tunnel 3600s

resolvers docker-bridge-resolver
	nameserver docker-resolver 127.0.0.11:53
	hold valid 0ms

http-errors balena-http-errors
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 401 /etc/haproxy/errors/401.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 404 /etc/haproxy/errors/404.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http

userlist balena
	user balena insecure-password "${BALENA_DEVICE_UUID}"

listen haproxy-stats
	bind :::1936 v4v6 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1
	stats auth "balena:${BALENA_DEVICE_UUID}"
	stats enable
	stats uri /metrics

frontend http
	bind :::80 v4v6
	default_backend api-backend
	errorfiles balena-http-errors
	http-request capture req.hdr(Host) len 15
	http-response lua.cors
	# https://www.haproxy.com/blog/haproxy-log-customization/
	log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

	acl api_dead nbsrv(api-backend) lt 1
	acl registry_dead nbsrv(registry-backend) lt 1
	acl vpn_dead nbsrv(vpn-backend) lt 1
	monitor-uri /health
	monitor fail if api_dead registry_dead vpn_dead

	acl host-api-backend hdr_beg(host) -i "api."
	# default public device URL(s) always go to the API
	acl host-pdu-default hdr(host) -m reg -i "\.?([0-9a-f]{32}|${BALENA_DEVICE_UUID})\.(devices|balena-?(.*)-devices)\."
	use_backend api-backend if host-api-backend || host-pdu-default

	acl host-registry-backend hdr_beg(host) -i "registry2."
	http-request add-header X-Forwarded-Proto http if host-registry-backend
	use_backend registry-backend if host-registry-backend

	acl host-s3-backend hdr_beg(host) -i "s3."
	http-request add-header X-Forwarded-Proto http if host-s3-backend
	use_backend s3-backend if host-s3-backend

	acl host-minio-backend hdr_beg(host) -i "minio."
	http-request add-header X-Forwarded-Proto http if host-minio-backend
	use_backend minio-backend if host-minio-backend

# routes between OpenVPN, SSL and HTTPS traffic
frontend tcp-router
	mode tcp
	option tcplog
	log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
	bind :::443 v4v6
	tcp-request inspect-delay 2s
	tcp-request content accept if { req.ssl_hello_type 1 }
	acl is_ssl req.ssl_ver 2:3.4

	acl sni-host-tunnel req_ssl_sni -m beg "tunnel."
	use_backend redirect-to-tunnel if sni-host-tunnel

	# everything else => HTTPS
	use_backend redirect-to-https if is_ssl

	# or VPN
	use_backend vpn-backend if !is_ssl

backend redirect-to-tunnel
	mode tcp
	server localhost 127.0.0.1:3129 send-proxy-v2

# https://stackoverflow.com/a/39213442/1559300
listen tunnel-backend
	mode tcp
	option tcplog
	log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
	bind 127.0.0.1:3129 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1 accept-proxy
	server tunnel vpn:3128 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 3128

backend redirect-to-https
	mode tcp
	server localhost 127.0.0.1:444 send-proxy-v2

frontend https
	bind 127.0.0.1:444 ssl crt "${CERT_CHAIN_PATH}" alpn h2,http/1.1 accept-proxy
	default_backend api-backend
	errorfiles balena-http-errors
	http-request add-header X-Forwarded-Proto https
	http-request capture req.hdr(Host) len 15
	http-response lua.cors
	log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

	acl host-api-backend hdr_beg(host) -i "api."
	use_backend api-backend if host-api-backend

	acl host-registry-backend hdr_beg(host) -i "registry2."
	use_backend registry-backend if host-registry-backend

	acl host-s3-backend hdr_beg(host) -i "s3."
	use_backend s3-backend if host-s3-backend

	acl host-minio-backend hdr_beg(host) -i "minio."
	use_backend minio-backend if host-minio-backend

	acl host-ca-backend hdr_beg(host) -i "ca."
	# only allow CRL requests unauthenticated, protect everything else
	acl balena-ca-crl path -i -m beg /api/v1/cfssl/crl
	acl balena-ca-auth http_auth(balena)
	http-request auth realm balena-ca if host-ca-backend !balena-ca-auth !balena-ca-crl
	use_backend ca-backend if host-ca-backend

	acl host-ocsp-backend hdr_beg(host) -i "ocsp."
	use_backend ocsp-backend if host-ocsp-backend

backend api-backend
	server api api:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80

backend registry-backend
	server registry registry:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80

backend s3-backend
	server s3 s3:80 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 80

# https://github.com/minio/console
backend minio-backend
	server s3-console s3:43697 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 43697

backend db-backend
	mode tcp
	server db db:5432 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 5432

backend redis-backend
	mode tcp
	server redis redis:6379 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 6379

backend ca-backend
	server cfssl-ca balena-ca:8888 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 8888

backend ocsp-backend
	server cfssl-ocsp balena-ca:8889 resolvers docker-bridge-resolver resolve-prefer ipv4 check port 8889

backend vpn-backend
	mode tcp
	server openvpn vpn:443 resolvers docker-bridge-resolver resolve-prefer ipv4 send-proxy-v2 check-send-proxy check port 443