# _md5hash=ff2097121a2f96da27405d664043310a
# _version=32
# Dataplaneapi managed File
# changing the file directly can cause a conflict if dataplaneapi is running

# Process-wide settings: drop to haproxy:haproxy inside a chroot, run in
# master-worker mode, expose an admin runtime socket and load the Lua auth helper.
global
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  master-worker
  # level admin allows runtime configuration changes over this socket; mode 660
  # owned by haproxy:haproxy keeps it away from other local users, so group
  # membership is effectively the access control for it. expose-fd listeners
  # hands the listening sockets to the new process on reload.
  # NOTE(review): presumably the "program api" section below is the consumer of
  # this socket — confirm.
  stats socket /var/run/haproxy.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
  # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set
  # here, so the :443 bind in fe_https uses the build's defaults; pinning a
  # minimum TLS version (ssl-default-bind-options ssl-min-ver TLSv1.2) is the
  # usual hardening step.
  lua-prepend-path /usr/local/etc/haproxy/http.lua
  # Provides the lua.auth-intercept action used by fe_https.
  lua-load /usr/local/etc/haproxy/auth-request.lua

# Shared defaults inherited by every section declared "from unnamed_defaults_1".
defaults unnamed_defaults_1
  mode http
  maxconn 4000
  log global
  # Appends the client address as X-Forwarded-For on requests to backends.
  option forwardfor
  option tcp-smart-accept
  # Bounds how long a client may take to send complete request headers, so
  # slow-header connections cannot hold a slot open indefinitely.
  timeout http-request 10s
  timeout check 10s
  timeout connect 10s
  timeout client 1m
  timeout queue 1m
  timeout server 1m
  timeout http-keep-alive 10s
  retries 3
  # Static error pages served instead of the built-in ones for these statuses.
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http

# Runtime DNS via Docker's embedded resolver (127.0.0.11). The server-template
# lines in the backends reference this section so container names are resolved
# while running rather than at startup (init-addr none).
resolvers docker
  nameserver ns1 127.0.0.11:53
  # How long a previously resolved address is kept for each answer type.
  hold nx 30s
  hold obsolete 30s
  hold other 30s
  hold refused 30s
  hold timeout 30s
  hold valid 10s
  timeout resolve 2s
  timeout retry 2s
  accepted_payload_size 8192
  resolve_retries 5

# Plaintext listener. Only ACME challenge paths (/.well-known) are served, via
# letsencrypt_backend; every other request falls into error_backend, which denies
# it. No HTTP-to-HTTPS redirect is configured here.
# NOTE(review): presumably intentional (fail closed on plain HTTP) — confirm.
frontend fe_http from unnamed_defaults_1
  mode http
  bind :80
  acl letsencrypt-acl path_beg /.well-known
  use_backend letsencrypt_backend if letsencrypt-acl
  default_backend error_backend

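# TLS listener. Requests for the hosts in protected-frontends are checked against
# Authelia (forward-auth) before a backend is chosen. ACME challenge paths are
# excluded from that check: the first use_backend below sends every /.well-known
# request to letsencrypt_backend regardless of host, so authenticating them only
# breaks certificate validation for protected hosts.
frontend fe_https from unnamed_defaults_1
  mode http
  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
  acl letsencrypt-acl path_beg /.well-known
  
  
  # Hosts that require authentication. Dots are unescaped and there is no end
  # anchor, so this also matches names such as minc-demo2.tanmoysrt.xyz or a Host
  # value carrying a port; over-matching only adds the auth step, because backend
  # routing below uses exact host matches.
  # NOTE(review): example.com looks like a placeholder entry — confirm.
  acl protected-frontends hdr(Host) -m reg -i ^(?i)(example.com|minc.demo2.tanmoysrt.xyz)
  # Strip identity headers the client may have supplied. Only the auth step
  # (lua.auth-intercept below) is meant to populate them; without this, a request
  # to a host outside protected-frontends could carry client-chosen values to the
  # backend unchanged.
  http-request del-header Remote-User
  http-request del-header Remote-Groups
  http-request del-header Remote-Name
  http-request del-header Remote-Email
  http-request set-var(req.scheme) str(https) if { ssl_fc }
  http-request set-var(req.scheme) str(http) if !{ ssl_fc }
  http-request set-var(req.questionmark) str(?) if { query -m found }
  # set-header (not add-header): client-supplied X-Forwarded-* values are
  # replaced, so the auth service sees the real scheme, method, host and URI.
  http-request set-header X-Forwarded-Proto %[var(req.scheme)]
  http-request set-header X-Forwarded-Method %[method]
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-URI %[path]%[var(req.questionmark)]%[query]
  # Forward-auth against Authelia: all request headers (*) are sent, the listed
  # remote-* headers are copied from its reply on success, none (-) on failure.
  http-request lua.auth-intercept be_authelia_9091 /api/authz/forward-auth HEAD * remote-user,remote-groups,remote-name,remote-email - if protected-frontends !letsencrypt-acl
  # Authelia answered 403 (authenticated but not authorised): deny outright.
  http-request deny if protected-frontends !letsencrypt-acl !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 }
  # Not successful and no redirect target (e.g. the auth service did not answer):
  # fail closed instead of issuing a redirect with an empty Location.
  # NOTE(review): assumes the Lua leaves txn.auth_response_location unset, rather
  # than empty, when the auth reply has no Location header — confirm.
  http-request deny deny_status 503 if protected-frontends !letsencrypt-acl !{ var(txn.auth_response_successful) -m bool } !{ var(txn.auth_response_location) -m found }
  # Otherwise send the client to the login location Authelia indicated.
  http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !letsencrypt-acl !{ var(txn.auth_response_successful) -m bool }
  
  
  # Backend selection: ACME first (any host), then exact host matches.
  use_backend letsencrypt_backend if letsencrypt-acl
  use_backend be_minc_3000 if { hdr(host) -i minc.demo2.tanmoysrt.xyz }
  use_backend be_authelia_9091 if { hdr(host) -i authelia.demo2.tanmoysrt.xyz }
  use_backend be_uptime-kuma_3001 if { hdr(host) -i uptime.demo2.tanmoysrt.xyz }
  default_backend error_backend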

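# Authelia: the forward-auth target used by fe_https and the user-facing portal
# (authelia.demo2.tanmoysrt.xyz). Resolved at runtime via the docker resolver,
# no health check.
backend be_authelia_9091 from unnamed_defaults_1
  balance roundrobin
  # add-header rather than set-header: set-header first removes every Set-Cookie
  # the upstream produced, so the application's own cookies were dropped whenever
  # the auth reply carried one. The cookie is only relayed when the auth step
  # stored it.
  http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
  server-template authelia_container- 1 authelia:9091 no-check init-addr none resolvers docker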

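# minc application (minc.demo2.tanmoysrt.xyz). This host is in the
# protected-frontends ACL, so requests reach it only after the forward-auth step
# in fe_https succeeded. Resolved at runtime via the docker resolver, no health
# check.
backend be_minc_3000 from unnamed_defaults_1
  balance roundrobin
  # add-header rather than set-header: set-header first removes every Set-Cookie
  # the upstream produced, so the application's own cookies were dropped whenever
  # the auth reply carried one. The cookie is only relayed when the auth step
  # stored it.
  http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
  server-template minc_container- 1 minc:3000 no-check init-addr none resolvers docker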

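# uptime-kuma (uptime.demo2.tanmoysrt.xyz). This host is not in the
# protected-frontends ACL, so it is reachable without the forward-auth step and
# the Set-Cookie relay below only becomes active if that ACL is extended.
# Resolved at runtime via the docker resolver, no health check.
backend be_uptime-kuma_3001 from unnamed_defaults_1
  balance roundrobin
  # add-header rather than set-header: set-header first removes every Set-Cookie
  # the upstream produced, so the application's own cookies were dropped whenever
  # the auth reply carried one. The cookie is only relayed when the auth step
  # stored it.
  http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
  server-template uptime-kuma_container- 1 uptime-kuma:3001 no-check init-addr none resolvers docker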

# Catch-all for requests that match no host or path: no servers, every request
# is denied with a 502 (served from the errorfile declared in defaults).
backend error_backend from unnamed_defaults_1
  mode http
  http-request deny deny_status 502
  # NOTE(review): appears to be the same Set-Cookie relay line as the application
  # backends; with the request already denied above it is presumably inert.
  http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }

# ACME challenge responder: /.well-known requests from both frontends are proxied
# to the swiftwave service. Address and endpoint come from environment variables
# expanded by HAProxy at load time.
backend letsencrypt_backend from unnamed_defaults_1
  option httpchk
  # Health check with the expected Host header; a server only receives traffic
  # once /healthcheck answers 200.
  http-check send meth GET uri /healthcheck hdr Host "$SWIFTWAVE_SERVICE_ADDRESS"
  http-check expect status 200
  # Rewrite Host so the upstream sees its own name rather than the ACME host.
  http-request set-header Host "$SWIFTWAVE_SERVICE_ADDRESS"
  # TLS server: certificate is verified against the system CA bundle and the SNI
  # must match the service address (check-sni for the probe, sni for traffic).
  server swiftwave_service_https "$SWIFTWAVE_SERVICE_ENDPOINT" check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check-sni "$SWIFTWAVE_SERVICE_ADDRESS" sni str("$SWIFTWAVE_SERVICE_ADDRESS")
  # Plaintext server on the same endpoint; whichever of the two passes its health
  # check receives traffic, so challenge traffic is sent unencrypted when only
  # this one is healthy.
  # NOTE(review): if the endpoint is TLS-only this entry never becomes healthy
  # and is just noise in the stats — confirm which is intended.
  server swiftwave_service_http "$SWIFTWAVE_SERVICE_ENDPOINT" check

# dataplaneapi sidecar supervised by the HAProxy master process (master-worker is
# enabled in global). It is the process that regenerates this file.
program api
  command /dataplaneapi.sh
  # Keep the program running across configuration reloads instead of restarting
  # it with each new worker generation.
  no option start-on-reload