digitaldemocratic/docker/haproxy/haproxy.conf

resolvers mydns
    nameserver dns1 127.0.0.11:53
    
global
#   debug
    daemon
    log             127.0.0.1    local0
    tune.ssl.default-dh-param 2048

  defaults
    mode http
    timeout         connect 25s
    timeout         client 25s
    timeout         client-fin 25s
    timeout         server 25s
    timeout         tunnel 7200s
    option          http-server-close
    option          httpclose
    log             global
    option          httplog
    backlog         4096
    maxconn         2000
    option          tcpka

frontend website
    mode http
    bind :80
    redirect scheme https if !{ ssl_fc }
#    http-request set-header SSL_CLIENT_CERT %[ssl_c_der,base64]
  http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
  http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
    bind :443 ssl crt /certs/chain.pem
    
    #cookie JSESSIONID prefix nocache
    #use_backend be_hydra if { path_beg /hydra } 
    #use_backend be_hydra if { path_beg /oauth2 } 

    acl is_nextcloud hdr_beg(host) nextcloud.
    acl is_moodle hdr_beg(host) moodle.
    acl is_jitsi hdr_beg(host) jitsi.
    acl is_oof hdr_beg(host) oof.
    acl is_wp hdr_sub(host) .wp.
    acl is_wp hdr_beg(host) wp.
    acl is_pad hdr_beg(host) pad.
    acl is_sso hdr_beg(host) sso.
    acl is_ipa hdr_beg(host) ipa.

    use_backend be_nextcloud if is_nextcloud
    use_backend be_moodle if is_moodle
    use_backend be_jitsi if is_jitsi
    use_backend be_oof if is_oof
    use_backend be_wp if is_wp
    use_backend be_etherpad if is_pad
    use_backend be_sso if is_sso
    use_backend be_ipa if is_ipa

#    default_backend be_sso

backend be_ipa
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server freeipa isard-sso-freeipa:443 check port 443 ssl verify none inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_sso
	mode http
        option httpclose
	#option http-server-close
	option forwardfor
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server keycloak isard-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

## APPS
backend be_moodle
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server moodle isard-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_nextcloud
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server nextcloud isard-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_etherpad
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server etherpad isard-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_jitsi
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server jitsi isard-apps-jitsi:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_oof
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server onlyoffice isard-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

backend be_wp
	mode http
  acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
  acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
  http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
  http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
	server wp isard-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none


  listen stats 
        bind                0.0.0.0:8888
        mode                http
        stats               enable
        option              httplog
        stats               show-legends
        stats               uri /haproxy
        stats               realm Haproxy\ Statistics
        stats               refresh 5s
        #stats               auth staging:pep1n1ll0
        #acl authorized http_auth(AuthUsers)
        #stats          http-request auth unless authorized
        timeout             connect 5000ms
        timeout             client 50000ms
        timeout             server 50000ms

userlist AuthUsers
    user admin password $6$grgQMVfwI0XSGAQl$2usaQC9LVXXXYHtSkGUf74CIGsiH8fi/K.V6DuKSq0twPkmFGP2vL/b//Ulp2I4xBEZ3eYDhUbwBPK8jpmsbo.