digitaldemocratic/dd-sso/docker/haproxy/haproxy.conf

#
#   Copyright © 2021,2022 IsardVDI S.L.
#
#   This file is part of DD
#
#   DD is free software: you can redistribute it and/or modify
#   it under the terms of the GNU Affero General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or (at your
#   option) any later version.
#
#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
#   details.
#
#   You should have received a copy of the GNU Affero General Public License
#   along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
resolvers mydns
    nameserver dns1 127.0.0.11:53
    
global
#   debug
    daemon
    log             127.0.0.1    local0
    tune.ssl.default-dh-param 2048
    h1-case-adjust content-type Content-Type
    h1-case-adjust content-encoding Content-Encoding
    h1-case-adjust transfer-encoding Transfer-Encoding

  defaults
    mode http
    timeout         connect 120s
    timeout         client 120s
    timeout         client-fin 120s
    timeout         server 120s
    timeout         tunnel 7200s
    option          http-server-close
    option          httpclose
    log             global
    option          httplog
    backlog         4096
    maxconn         2000
    option          tcpka
    option          h1-case-adjust-bogus-client

frontend website
    mode http
    bind :80
    #redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
    http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
    http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
    bind :443 ssl crt /certs/chain.pem

    acl is_upgrade hdr(Connection) -i upgrade
    acl is_websocket hdr(Upgrade) -i websocket 
    
    acl is_nextcloud hdr_beg(host) nextcloud.
    acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/
    acl is_moodle_long hdr_beg(host) moodle.  path_beg -i /local/tresipuntimportgc/
    acl is_jitsi hdr_beg(host) jitsi.
    acl is_oof hdr_beg(host) oof.
    acl is_wp hdr_sub(host) .wp.
    acl is_wp hdr_beg(host) wp.
    acl is_pad hdr_beg(host) pad.
    acl is_sso hdr_beg(host) sso.
    acl is_ipa hdr_beg(host) ipa.
    acl is_api hdr_beg(host) api.
    acl is_admin hdr_beg(host) admin.

    acl is_root path -i /
    http-request deny if is_pad is_root

    use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
  
    use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }
    use_backend be_api if is_nextcloud { path_beg /avatar/ }
    use_backend be_nextcloud if is_nextcloud
    use_backend be_moodle_long if is_moodle_long
    use_backend be_moodle if is_moodle
    use_backend be_jitsi if is_jitsi
    use_backend be_oof if is_oof
    use_backend be_wp if is_wp
    use_backend be_etherpad if is_pad
    use_backend be_admin if is_sso { path_beg /socket.io }
    use_backend be_adminer if is_sso { path_beg /dd-sso-adminer }
    use_backend be_admin if is_admin
    use_backend be_sso if is_sso
    use_backend be_ipa if is_ipa
    use_backend be_api if is_api
    
    http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }
#    default_backend be_sso

backend letsencrypt
  server letsencrypt 127.0.0.1:8080

backend be_api
	mode http
  http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
  # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128
  http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]
	server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_ipa
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server freeipa dd-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_sso
	mode http
  option httpclose
	#option http-server-close
	option forwardfor
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
  http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;
	server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_admin
	mode http
  option forwardfor
  timeout queue 600s
  timeout server 600s
  timeout connect 600s
  # acl authorized http_auth(AuthUsers)
  # http-request auth realm AuthUsers unless authorized
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_adminer
	mode http
  # acl authorized http_auth(AuthUsers)
  # http-request auth realm AuthUsers unless authorized
  http-request redirect scheme http drop-query append-slash if { path -m str /dd-sso-adminer }
  http-request replace-path /dd-sso-adminer/(.*) /\1 
  # http-request del-header Authorization 
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server dd-sso-adminer dd-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

## APPS
backend be_moodle
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_moodle_long
	mode http
  timeout server 900s
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_nextcloud
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_etherpad
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_jitsi
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server jitsi dd-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_oof
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_wp
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto

    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-Forwarded-Proto https
	server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none


  listen stats 
        bind                0.0.0.0:8888
        mode                http
        stats               enable
        option              httplog
        stats               show-legends
        stats               uri /haproxy
        stats               realm Haproxy\ Statistics
        stats               refresh 5s
        #stats               auth staging:mypassword
        #acl authorized http_auth(AuthUsers)
        #stats          http-request auth unless authorized
        timeout             connect 5000ms
        timeout             client 50000ms
        timeout             server 50000ms

userlist AuthUsers
    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.
DD education workspace DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. 2022-07-10 12:15:47 +02:00			`#`
			`# Copyright © 2021,2022 IsardVDI S.L.`
			`#`
			`# This file is part of DD`
			`#`
			`# DD is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or (at your`
			`# option) any later version.`
			`#`
			`# DD is distributed in the hope that it will be useful, but WITHOUT ANY`
			`# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with DD. If not, see <https://www.gnu.org/licenses/>.`
			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`
			`resolvers mydns`
			`nameserver dns1 127.0.0.11:53`

			`global`
			`# debug`
			`daemon`
			`log 127.0.0.1 local0`
			`tune.ssl.default-dh-param 2048`
			`h1-case-adjust content-type Content-Type`
			`h1-case-adjust content-encoding Content-Encoding`
			`h1-case-adjust transfer-encoding Transfer-Encoding`

			`defaults`
			`mode http`
			`timeout connect 120s`
			`timeout client 120s`
			`timeout client-fin 120s`
			`timeout server 120s`
			`timeout tunnel 7200s`
			`option http-server-close`
			`option httpclose`
			`log global`
			`option httplog`
			`backlog 4096`
			`maxconn 2000`
			`option tcpka`
			`option h1-case-adjust-bogus-client`

			`frontend website`
			`mode http`
			`bind :80`
Initial config modsecurity 2022-10-25 13:48:10 +02:00			`#redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }`
DD education workspace DD is the education workspace generated within the framework of Xnet's Democratic Digitalisation Plan. It has been created and powered by Xnet, families and promoting centres, IsardVDI, 3iPunt, MaadiX, eXO.cat, Evilham and funded by the Directorate for Democratic Innovation, the Barcelona City Council's Digital Innovation Commissioner, Social Economy Commissioner, in collaboration with the Barcelona Education Consortium, aFFaC and AirVPN. DD can be used freely as long as this footer is included and the AGPLv3 license (https://www.gnu.org/licenses/agpl-3.0.en.html) is respected. Trobareu meś informació en català a la documentació: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.ca/). Más información en castellano en la documentación: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/index.es/). More info in English in the documentation: [https://dd.digitalitzacio-democratica.xnet-x.net/docs/](https://dd.digitalitzacio-democratica.xnet-x.net/docs/). We thank the help of Miriam Carles, Cristian Ruiz, Anna Francàs, Christopher Millard. 2022-07-10 12:15:47 +02:00			`http-request del-header ssl_client_cert unless { ssl_fc_has_crt }`
			`http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }`
			`bind :443 ssl crt /certs/chain.pem`

			`acl is_upgrade hdr(Connection) -i upgrade`
			`acl is_websocket hdr(Upgrade) -i websocket`

			`acl is_nextcloud hdr_beg(host) nextcloud.`
			`acl is_moodle hdr_beg(host) moodle. !path_beg -i /local/tresipuntimportgc/`
			`acl is_moodle_long hdr_beg(host) moodle. path_beg -i /local/tresipuntimportgc/`
			`acl is_jitsi hdr_beg(host) jitsi.`
			`acl is_oof hdr_beg(host) oof.`
			`acl is_wp hdr_sub(host) .wp.`
			`acl is_wp hdr_beg(host) wp.`
			`acl is_pad hdr_beg(host) pad.`
			`acl is_sso hdr_beg(host) sso.`
			`acl is_ipa hdr_beg(host) ipa.`
			`acl is_api hdr_beg(host) api.`
			`acl is_admin hdr_beg(host) admin.`

			`acl is_root path -i /`
			`http-request deny if is_pad is_root`

			`use_backend be_api if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }`

			`use_backend letsencrypt if { path_beg /.well-known/acme-challenge/ }`
			`use_backend be_api if is_nextcloud { path_beg /avatar/ }`
			`use_backend be_nextcloud if is_nextcloud`
			`use_backend be_moodle_long if is_moodle_long`
			`use_backend be_moodle if is_moodle`
			`use_backend be_jitsi if is_jitsi`
			`use_backend be_oof if is_oof`
			`use_backend be_wp if is_wp`
			`use_backend be_etherpad if is_pad`
			`use_backend be_admin if is_sso { path_beg /socket.io }`
			`use_backend be_adminer if is_sso { path_beg /dd-sso-adminer }`
			`use_backend be_admin if is_admin`
			`use_backend be_sso if is_sso`
			`use_backend be_ipa if is_ipa`
			`use_backend be_api if is_api`

			`http-request redirect code 301 location https://moodle."${DOMAIN}" if { hdr(host) -i "${DOMAIN}" }`
			`# default_backend be_sso`

			`backend letsencrypt`
			`server letsencrypt 127.0.0.1:8080`

			`backend be_api`
			`mode http`
			`http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`# Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128`
			`http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]`
			`server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_ipa`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server freeipa dd-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_sso`
			`mode http`
			`option httpclose`
			`#option http-server-close`
			`option forwardfor`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]);(.) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;`
			`server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_admin`
			`mode http`
			`option forwardfor`
			`timeout queue 600s`
			`timeout server 600s`
			`timeout connect 600s`
			`# acl authorized http_auth(AuthUsers)`
			`# http-request auth realm AuthUsers unless authorized`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_adminer`
			`mode http`
			`# acl authorized http_auth(AuthUsers)`
			`# http-request auth realm AuthUsers unless authorized`
			`http-request redirect scheme http drop-query append-slash if { path -m str /dd-sso-adminer }`
			`http-request replace-path /dd-sso-adminer/(.*) /\1`
			`# http-request del-header Authorization`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server dd-sso-adminer dd-sso-adminer:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`## APPS`
			`backend be_moodle`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_moodle_long`
			`mode http`
			`timeout server 900s`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_nextcloud`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_etherpad`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_jitsi`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server jitsi dd-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_oof`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`
			`server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`backend be_wp`
			`mode http`
			`acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found`
			`acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found`
			`http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host`
			`http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto`

			`http-request set-header X-SSL %[ssl_fc]`
			`http-request set-header X-Forwarded-Proto https`
			`server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`


			`listen stats`
			`bind 0.0.0.0:8888`
			`mode http`
			`stats enable`
			`option httplog`
			`stats show-legends`
			`stats uri /haproxy`
			`stats realm Haproxy\ Statistics`
			`stats refresh 5s`
			`#stats auth staging:mypassword`
			`#acl authorized http_auth(AuthUsers)`
			`#stats http-request auth unless authorized`
			`timeout connect 5000ms`
			`timeout client 50000ms`
			`timeout server 50000ms`

			`userlist AuthUsers`
			`user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.`