digitaldemocratic/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf


#
# BEGIN: bind-direct.cnf
#
# Internet-facing listeners for this frontend fragment: plain HTTP on :80
# (redirected to HTTPS) and TLS on :443. The rules below normalise the
# client-certificate and forwarding headers before requests reach a backend.
bind :80
# Anything that did not arrive over TLS gets a permanent redirect to https.
# This is a final action, so the rules below only apply to TLS requests.
http-request redirect scheme https code 301 unless { ssl_fc }
# Client-certificate header: strip whatever the client sent when no
# certificate was presented, otherwise overwrite it (set-header replaces any
# existing value) with the presented certificate as single-line PEM.
# NOTE(review): the bind on :443 below has no `verify`/`ca-file`, so as written
# HAProxy would not request a client certificate and ssl_fc_has_crt would stay
# false; confirm whether mutual TLS is configured elsewhere or is intended.
# NOTE(review): the HAProxy docs say ssl_fc_has_crt can be false on a resumed
# TLS session and suggest ssl_c_used for that case. The current behaviour fails
# closed (header removed), but confirm this is what backends expect.
# NOTE(review): the header name uses underscores. If a backend maps header
# names to CGI-style variables, a client-supplied `ssl-client-cert` could land
# in the same variable; confirm and strip that spelling too if so.
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
# NOTE(review): as rendered here, the `\ ` directly before `if` escapes the
# space and would pull `if` into the header value; confirm the file on disk
# has an unescaped separator before the condition.
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem
# Requests come straight from the internet, so client-supplied forwarding
# headers are untrusted and are removed here.
# NOTE(review): only X-Forwarded-For and X-Forwarded-Proto are removed.
# `Forwarded`, `X-Forwarded-Host` and `X-Forwarded-Port` pass through unchanged;
# verify that no backend trusts them, or strip them here as well.
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# Re-add X-Forwarded-For ourselves, carrying the client address HAProxy saw.
option forwardfor
# X-SSL carries the ssl_fc result for the connection. X-Forwarded-Proto is
# fixed to https because plain-HTTP requests were already redirected above.
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https
# Route Let's Encrypt HTTP-01 challenge paths to the letsencrypt backend.
# NOTE(review): http-request rules are evaluated before use_backend, so a
# challenge request arriving on :80 is redirected to https first; confirm the
# ACME setup relies on that redirect.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl
#
# END: bind-direct.cnf
#