resolvers mydns
    nameserver dns1 127.0.0.11:53

global
    daemon
    log             127.0.0.1    local0
    tune.ssl.default-dh-param 2048
    h1-case-adjust content-type Content-Type
    h1-case-adjust content-encoding Content-Encoding
    h1-case-adjust transfer-encoding Transfer-Encoding

defaults
  mode http
  option  http-server-close
  option  dontlognull
  option  redispatch
  option  contstats
  retries 3
  timeout connect 5s
  timeout http-keep-alive 1s
  # Slowloris protection
  timeout http-request 15s
  timeout queue 30s
  timeout tarpit 1m          # tarpit hold tim
  backlog 10000


frontend tf_waf
  mode http
  bind :80
  # redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
  http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
  http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
  bind :443 ssl crt /certs/chain.pem


  # New line to test URI to see if its a letsencrypt request
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-acl

  # Internal traffic
  use_backend bk_web if { src 192.168.0.0/16 }

  default_backend bk_waf

# Traffic secured by the WAF arrives here
frontend ft_web
  bind :81 name http
  mode http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
  default_backend bk_web

backend letsencrypt
  server letsencrypt 127.0.0.1:8080

# WAF farm where users' traffic is routed first
backend bk_waf
  mode http
  server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

# application server farm
backend bk_web
  mode http
  server sso dd-sso-haproxy:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

listen stats
        bind                0.0.0.0:9999
        mode                http
        stats               enable
        option              httplog
        stats               show-legends
        stats               uri /haproxy
        stats               realm Haproxy\ Statistics
        stats               refresh 5s
        #stats               auth staging:mypassword
        #acl authorized http_auth(AuthUsers)
        #stats          http-request auth unless authorized
        timeout             connect 5000ms
        timeout             client 50000ms
        timeout             server 50000ms

userlist AuthUsers
    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.