schleppe-ha-project/ansible/roles/haproxy/templates/haproxy.cfg.j2


# Process-wide settings: logging, privilege drop, runtime API socket and the TLS policy
# inherited by every "bind ... ssl" below.
global
# Both lines feed the local syslog socket; the local1 facility only receives "notice" and above.
log /dev/log local0
log /dev/log local1 notice
# Confine the worker's filesystem view once started.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" allows every runtime command (server state, weights, ...),
# so access control is only the 660 mode plus the socket's owner/group -- confirm on the host
# which accounts end up in that group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# Drop root after the listening sockets are bound.
user haproxy
group haproxy
daemon
# Allow the QUIC listener (quic4@ bind in fe_https) on builds whose TLS library has no native
# QUIC API. NOTE(review): this keyword and quic4@ need a far newer HAProxy than the 2.0.3 the
# Mozilla generator link below was produced for -- confirm the target version.
limited-quic
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# TLS 1.2 list (AEAD, forward-secret suites only) and TLS 1.3 suites, applied to every TLS bind.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Floor at TLS 1.2; session tickets are off so a long-lived ticket key cannot undermine forward secrecy.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
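# Inherited by every frontend / backend / listen section unless overridden there.
defaults
    log global
    mode http
    option httplog
    # Skip log lines for connections that never carried data (probes, scanners).
    option dontlognull
    # Bare numbers are milliseconds.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Bound the time a client may take to send a complete request header. Without it a client can
    # hold a connection for the whole "timeout client" while trickling bytes (slow-header style
    # resource exhaustion); 10s is generous for any real browser.
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http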
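# Front door: public HTTP
frontend fe_http
    bind :80
    # This listener is cleartext, so report the real scheme. Advertising "https" here let Traefik and
    # the apps treat plaintext requests as secure (Secure-cookie and HSTS decisions, scheme-based
    # redirects). If cleartext should not be served at all, replace the forward with
    #   http-request redirect scheme https code 301 unless { ssl_fc }
    http-request set-header X-Forwarded-Proto http
    option forwardfor
    default_backend be_traefik_http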
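# Front door: public HTTPS
frontend fe_https
    mode http
    # TCP+TLS with ALPN h2 / http1.1, plus QUIC (HTTP/3) on the same port; cipher and version
    # policy comes from the global ssl-default-bind-* settings.
    bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
    bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3
    # Add forwarding headers so Traefik/apps can know original client info
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    # DISABLED: Advertise HTTP3
    # acl is_h2 ssl_fc_alpn -i h2
    # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2
    # =========================================================
    # Debug response headers (enabled via ?debug=1)
    # NOTE(review): any client can switch these on, and they disclose backend and server names,
    # the negotiated cipher and that HAProxy fronts the site. Gate them on a trusted source, e.g.
    # "acl debug_allowed src <TRUSTED_CIDR>" and "if debug_enabled debug_allowed" on each header
    # line, or drop them from the production template.
    # Read debug query parameter
    http-request set-var(txn.debug) urlp(debug)
    # Define what "debug enabled" means
    acl debug_enabled var(txn.debug) -m str -i 1 true yes on
    # req.ver is request-side only, so it is captured into a txn variable for the response rules.
    http-request set-var(txn.http_ver) req.ver
    # The unique-id fetch returns nothing unless a format is declared, so X-Debug-Request-ID was
    # always empty. Format from the HAProxy docs: client, frontend, timestamp, counter, pid.
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    http-response add-header X-Debug-HTTP-Version %[var(txn.http_ver)] if debug_enabled
    http-response add-header X-Debug-Served-By haproxy-https if debug_enabled
    http-response add-header X-Debug-Frontend %[fe_name] if debug_enabled
    http-response add-header X-Debug-Backend %[be_name] if debug_enabled
    http-response add-header X-Debug-Server %[srv_name] if debug_enabled
    # Client & network
    http-response add-header X-Debug-Client-IP %[src] if debug_enabled
    # http-response add-header X-Debug-Client-Port %[sp] if debug_enabled
    # http-response add-header X-Debug-XFF %[req.hdr(X-Forwarded-For)] if debug_enabled
    # TLS / HTTPS details
    http-response add-header X-Debug-TLS %[ssl_fc] if debug_enabled
    http-response add-header X-Debug-TLS-Version %[ssl_fc_protocol] if debug_enabled
    http-response add-header X-Debug-TLS-Cipher %[ssl_fc_cipher] if debug_enabled
    # Request identity & correlation
    http-response add-header X-Debug-Request-ID %[unique-id] if debug_enabled
    http-response add-header X-Debug-Method %[method] if debug_enabled
    # Safety: prevent caching of debug responses
    http-response add-header Cache-Control no-store if debug_enabled
    default_backend be_traefik_http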
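# Backend: Traefik VM
backend be_traefik_http
    mode http
    balance roundrobin
    # Stickiness cookie. "httponly" keeps it out of reach of page scripts; it carries no session
    # data but there is no reason to expose it. "secure" is deliberately not set: fe_http (cleartext
    # :80) routes here too and a Secure cookie would never be returned over it, breaking stickiness.
    # Add "secure" once port 80 only redirects.
    cookie LB_SERVER insert indirect nocache httponly dynamic
    # Secret used to derive each server's cookie value from its address.
    dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}
    # Health check: Traefik should respond with 404 for unknown host; that's still "alive".
    # We'll just do a TCP check (simpler and reliable).
    option tcp-check
    # NOTE(review): every server line below gets the same static cookie value; if that takes
    # precedence over the dynamic value the cookie cannot tell servers apart -- confirm which wins,
    # or drop the per-server "cookie" and rely on "dynamic" alone.
{% for ip in haproxy_traefik_ip %}
    server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check cookie {{ haproxy_cookie_value }}
{% endfor %}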
# Frontend: HAProxy prometheus exporter metrics
frontend fe_metrics
    mode http
    # NOTE(review): listens on every interface with no authentication or source restriction;
    # keep :8405 reachable only from the scrape network.
    bind :8405
    # Only /metrics is answered by the built-in exporter; every other path has no backend to go to.
    http-request use-service prometheus-exporter if { path /metrics }
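# ============================
# HAProxy Stats (metrics UI)
# ============================
listen haproxy_stats
    # NOTE(review): cleartext bind, so the Basic-auth credentials below cross the wire unencrypted;
    # bind to a management address or add "ssl crt ..." here.
    bind :8404
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    # Optional basic auth
    stats auth {{ haproxy_stats_auth }}
    # Do not print the HAProxy version on the page; it only helps fingerprinting for anyone who reaches it.
    stats hide-version
    # Show extra info (handy for debugging)
    stats show-legends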