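global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    # Runtime API socket. "level admin" permits live state changes (disabling
    # servers, editing maps, ...), so the 660 mode plus haproxy:haproxy
    # ownership is the only thing keeping other local users off it.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Enables the QUIC listeners when HAProxy is built against a TLS stack
    # without a native QUIC API (e.g. OpenSSL); 0-RTT is not available here.
    limited-quic

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound the time a client may take to send the complete request headers.
    # Without it a client trickling headers holds a connection for the whole
    # 50s client timeout; 10s is ample for legitimate browsers.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Front door: public HTTP
frontend fe_http
    bind :80
    # This listener is plaintext, so report the real scheme. Advertising
    # "https" here would make Traefik/apps treat an insecure request as secure
    # (Secure cookies, scheme-based redirects and absolute URLs all depend on
    # this header), and would stop any upstream HTTP->HTTPS redirect from
    # ever firing.
    http-request set-header X-Forwarded-Proto http
    # Optional: redirect everything to HTTPS at the edge instead of forwarding.
    # http-request redirect scheme https code 301 unless { ssl_fc }
    # forwardfor APPENDS to any X-Forwarded-For the client already sent; if
    # HAProxy is the first hop, delete the incoming header first so upstream
    # cannot be fed a spoofed client IP.
    option forwardfor
    default_backend be_traefik_http

# Front door: public HTTPS
frontend fe_https
    mode http
    bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
    bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3

    # Add forwarding headers so Traefik/apps can know original client info
    http-request set-header X-Forwarded-Proto https
    # Same caveat as fe_http: forwardfor appends to a client-supplied
    # X-Forwarded-For rather than replacing it.
    option forwardfor

    # DISABLED: Advertise HTTP3
    # acl is_h2 ssl_fc_alpn -i h2
    # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2

    # =========================================================
    # Debug response headers (enabled via ?debug=1)
    # NOTE(review): any anonymous client can switch these on. They disclose
    # backend and server names, TLS protocol/cipher, and the request id. Gate
    # debug_enabled on a trusted-source ACL (e.g. "src <TRUSTED_CIDR>", value
    # not present in this file) or drop the block before a public rollout.

    # Read debug query parameter
    http-request set-var(txn.debug) urlp(debug)

    # Define what "debug enabled" means (case-insensitive match)
    acl debug_enabled var(txn.debug) -m str -i 1 true yes on

    http-request set-var(txn.http_ver) req.ver
    http-response add-header X-Debug-HTTP-Version %[var(txn.http_ver)] if debug_enabled
    http-response add-header X-Debug-Served-By haproxy-https if debug_enabled
    http-response add-header X-Debug-Frontend %[fe_name] if debug_enabled
    http-response add-header X-Debug-Backend %[be_name] if debug_enabled
    http-response add-header X-Debug-Server %[srv_name] if debug_enabled

    # Client & network
    http-response add-header X-Debug-Client-IP %[src] if debug_enabled
    # http-response add-header X-Debug-Client-Port %[sp] if debug_enabled
    # http-response add-header X-Debug-XFF %[req.hdr(X-Forwarded-For)] if debug_enabled

    # TLS / HTTPS details
    http-response add-header X-Debug-TLS %[ssl_fc] if debug_enabled
    http-response add-header X-Debug-TLS-Version %[ssl_fc_protocol] if debug_enabled
    http-response add-header X-Debug-TLS-Cipher %[ssl_fc_cipher] if debug_enabled

    # Request identity & correlation
    http-response add-header X-Debug-Request-ID %[unique-id] if debug_enabled
    http-response add-header X-Debug-Method %[method] if debug_enabled

    # Safety: prevent caching of debug responses
    http-response add-header Cache-Control no-store if debug_enabled

    default_backend be_traefik_http

# Backend: Traefik VM
backend be_traefik_http
    mode http
    balance roundrobin
    # Affinity cookie. It is never read by browser-side script, so mark it
    # HttpOnly. Add "secure" as well once port 80 no longer serves this
    # backend directly, otherwise browsers would drop it on plain HTTP.
    cookie LB_SERVER insert indirect nocache dynamic httponly
    dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}

    # Health check: Traefik should respond with 404 for unknown host; that's still "alive".
    # We'll just do a TCP check (simpler and reliable).
    option tcp-check
    # NOTE(review): every server below gets the same static cookie value.
    # With "dynamic" enabled the per-server value is expected to be derived
    # from dynamic-cookie-key instead, so the static one looks redundant;
    # confirm stickiness actually distinguishes servers before relying on it.
    {% for ip in haproxy_traefik_ip %}
    server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check cookie {{ haproxy_cookie_value }}
    {% endfor %}

# Frontend: HAProxy prometheus exporter metrics
# NOTE(review): binds on all interfaces with no authentication; the exporter
# reveals frontend/backend/server names and traffic figures. Restrict to the
# monitoring network (bind address or firewall).
frontend fe_metrics
    bind :8405
    mode http
    http-request use-service prometheus-exporter if { path /metrics }

# ============================
# HAProxy Stats (metrics UI)
# ============================
# NOTE(review): also bound on all interfaces and served over plain HTTP, so the
# basic-auth credentials below cross the wire in the clear. Bind it to a
# management address or put it behind TLS.
listen haproxy_stats
    bind :8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    # Do not advertise the exact HAProxy version on the page
    stats hide-version
    # Optional basic auth
    stats auth {{ haproxy_stats_auth }}
    # Show extra info (handy for debugging)
    stats show-legends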