global
  tune.ssl.default-dh-param 1024

defaults
  timeout connect 5000
  timeout client 50000
  timeout server 50000

frontend http-in
  mode http
  option forwardfor
  bind *:80
  reqadd X-Forwarded-Proto:\ http

  acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
  use_backend backend_api if host_api

  acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
  use_backend backend_registry if host_registry

  acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
  use_backend backend_vpn if host_vpn

  acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
  use_backend backend_s3 if host_s3

frontend ssl-in
  mode tcp
  bind *:443
  tcp-request inspect-delay 2s
  tcp-request content accept if { req.ssl_hello_type 1 }

  acl is_ssl req.ssl_ver 2:3.4
  use_backend redirect-to-https-in if is_ssl
  use_backend vpn-devices if !is_ssl

backend redirect-to-https-in
  mode tcp
  balance roundrobin
  server localhost 127.0.0.1:444 send-proxy-v2

frontend https-in
  mode http
  option forwardfor
  bind 127.0.0.1:444 ssl crt /etc/ssl/private/open-balena.pem accept-proxy
  reqadd X-Forwarded-Proto:\ https

  acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
  use_backend backend_api if host_api

  acl host_registry hdr_dom(host) -i "registry.${HAPROXY_HOSTNAME}"
  use_backend backend_registry if host_registry

  acl host_vpn hdr_dom(host) -i "vpn.${HAPROXY_HOSTNAME}"
  use_backend backend_vpn if host_vpn

  acl host_s3 hdr_dom(host) -i "s3.${HAPROXY_HOSTNAME}"
  use_backend backend_s3 if host_s3

backend backend_api
  mode http
  option forwardfor
  balance roundrobin
  server resin_api_1 api:80 check port 80

backend backend_registry
  mode http
  option forwardfor
  balance roundrobin
  server resin_registry_1 registry:80 check port 80

backend backend_vpn
  mode http
  option forwardfor
  balance roundrobin
  server resin_vpn_1 vpn:80 check port 80

backend backend_s3
  mode http
  option forwardfor
  balance roundrobin

backend vpn-devices
  mode tcp
  server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443

frontend db
  mode tcp
  bind *:5432
  default_backend backend_db
  timeout client 1h

backend backend_db
  mode tcp
  server resin_db_1 db:5432 check port 5432

frontend redis
  mode tcp
  bind *:6379
  default_backend backend_redis
  timeout client 1h

backend backend_redis
  mode tcp
  server resin_redis_1 redis:6379 check port 6379