HAProxy Config
# _md5hash=f958d187be6300da982354f7af54581d
# _version=38
# Dataplaneapi managed File
# changing file directly can cause a conflict if dataplaneapi is running
global
# Drop privileges after startup. The Lua files referenced below live outside the chroot;
# they are read at config load, so this presumably works — confirm after any chroot change.
chroot /var/lib/haproxy
user haproxy
group haproxy
# Master-worker mode: needed for the "program api" section at the end of the file.
master-worker
# Admin-level runtime API. Access is bounded only by the socket owner/group and mode 660;
# anything that can open it can change the running config. expose-fd listeners lets a
# reloaded process inherit listening sockets.
stats socket /var/run/haproxy.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
# Forward-auth module and its HTTP client dependency. lua-prepend-path is given a file path
# rather than a "?.lua" pattern; it appears to resolve only this one module — confirm.
lua-prepend-path /usr/local/etc/haproxy/http.lua
lua-load /usr/local/etc/haproxy/auth-request.lua
# NOTE(review): no "log" target and no ssl-default-bind-options/ciphers are set here, so
# "log global" in defaults logs nothing and TLS policy falls back to HAProxy's built-in
# defaults — confirm both are configured elsewhere (e.g. via dataplaneapi).
# Named defaults section; every frontend/backend below inherits it via "from unnamed_defaults_1".
defaults unnamed_defaults_1
mode http
maxconn 4000
# Resolves to the global log target; none is visible in global, so no traffic is logged as shown.
log global
# Appends the client address to X-Forwarded-For. A client-supplied X-Forwarded-For value is
# kept in front of it, so backends must not trust the leftmost entry; fe_https overwrites
# X-Real-IP from %[src], which is the safe value to use.
option forwardfor
option tcp-smart-accept
# Caps the time a client may take to send complete request headers (limits slow-header clients).
timeout http-request 10s
timeout check 10s
timeout connect 10s
timeout client 1m
timeout queue 1m
timeout server 1m
timeout http-keep-alive 10s
retries 3
# Custom error pages for gateway errors (the 502 is also what error_backend emits).
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
# Runtime DNS for the server-template backends (container names resolved at run time).
resolvers docker
# 127.0.0.11 is the embedded DNS of the container network — presumably this runs in a container.
nameserver ns1 127.0.0.11:53
# How long a previous answer is kept for each response type before the server is marked down.
hold nx 30s
hold obsolete 30s
hold other 30s
hold refused 30s
hold timeout 30s
hold valid 10s
timeout resolve 2s
timeout retry 2s
# Larger EDNS payload so multi-address answers are not truncated.
accepted_payload_size 8192
resolve_retries 5
# Plain-HTTP entry point. Only ACME (/.well-known) traffic is served here; there is no
# redirect to HTTPS, every other request gets the 502 generated by error_backend.
frontend fe_http from unnamed_defaults_1
mode http
bind :80
acl letsencrypt-acl path_beg /.well-known
use_backend letsencrypt_backend if letsencrypt-acl
default_backend error_backend
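# TLS entry point. Hosts matching protected-frontends must pass a forward-auth sub-request
# (Lua auth-intercept) before a backend is chosen.
frontend fe_https from unnamed_defaults_1
mode http
# NOTE(review): TLS version/cipher policy is set neither here nor in global — confirm defaults are acceptable.
bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
acl letsencrypt-acl path_beg /.well-known
# Hosts gated behind the auth outpost. Prefix match (no $ anchor), so a trailing :port still
# matches; (?i) and -i both request case-insensitivity, one is redundant; dots are unescaped.
acl protected-frontends hdr(Host) -m reg -i ^(?i)(example.com|minc.demo2.tanmoysrt.xyz)
# The outpost's own endpoints must bypass the gate so the login flow can complete.
acl is_authentikoutpost path -m reg ^/outpost.goauthentik.io/
# Record the original scheme and whether a query string is present, for the headers below.
http-request set-var(req.scheme) str(https) if { ssl_fc }
http-request set-var(req.scheme) str(http) if !{ ssl_fc }
http-request set-var(req.questionmark) str(?) if { query -m found }
# set-header overwrites any client-supplied value, so these are trustworthy downstream
# (X-Forwarded-Host is deliberately a copy of the client's Host header).
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Method %[method]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Original-URL %[url]
# Auth sub-request: HEAD to the outpost with the listed request headers (including cookie);
# on success the x-authentik-* response headers are presumably copied onto the request.
# Outcome is read from txn.auth_response_successful / txn.auth_response_code / txn.auth_response_location.
http-request lua.auth-intercept be_authelia_9091 /outpost.goauthentik.io/auth/nginx HEAD x-original-url,x-real-ip,x-forwarded-host,x-forwarded-proto,user-agent,cookie,accept,x-forwarded-method x-authentik-username,x-authentik-uid,x-authentik-email,x-authentik-name,x-authentik-groups - if protected-frontends !is_authentikoutpost
# 401 -> send the browser to the login flow. The return URL is a query value, so it is
# url-encoded: a raw path containing '&' or '#' would otherwise truncate rd.
http-request redirect location /outpost.goauthentik.io/start?rd=%[hdr(X-Original-URL),url_enc] code 302 if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 401 } !is_authentikoutpost
# 403 -> authenticated but not authorized: deny outright.
http-request deny if protected-frontends !{ var(txn.auth_response_successful) -m bool } { var(txn.auth_response_code) -m int 403 } !is_authentikoutpost
# Any other failure: follow the Location the outpost returned.
http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool } !is_authentikoutpost
# Routing. Outpost paths on protected hosts go to the outpost itself. Note that
# uptime.demo2.tanmoysrt.xyz is not in protected-frontends, so it is served without the auth gate.
use_backend be_authelia_9091 if protected-frontends is_authentikoutpost
use_backend letsencrypt_backend if letsencrypt-acl
use_backend be_minc_3000 if { hdr(host) -i minc.demo2.tanmoysrt.xyz }
use_backend be_authelia_9091 if { hdr(host) -i authelia.demo2.tanmoysrt.xyz }
use_backend be_uptime-kuma_3001 if { hdr(host) -i uptime.demo2.tanmoysrt.xyz }
default_backend error_backend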
# Despite the name, this backend fronts the authentik outpost (see the /outpost.goauthentik.io
# paths in fe_https). It is also the target of the auth sub-request.
backend be_authelia_9091 from unnamed_defaults_1
balance roundrobin
# Plain HTTP, no health check. NOTE(review): the auth sub-request forwards the client's cookie
# header to this server; if this address is reached over a shared network, those cookies travel
# in cleartext — confirm it is a private path or enable ssl on the server line.
server oidc_http "167.235.59.0:9000"
backend be_minc_3000 from unnamed_defaults_1
balance roundrobin
# Propagates a Set-Cookie produced by the auth sub-request. set-header replaces any Set-Cookie
# the application itself put on the same response; add-header would append instead — confirm which is intended.
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
# Address resolved at run time via the docker resolver; no health check, so a dead container
# is only detected by failed connections.
server-template minc_container- 1 minc:3000 no-check init-addr none resolvers docker
# NOTE(review): uptime.demo2.tanmoysrt.xyz is not in fe_https's protected-frontends ACL, so this
# backend is reachable without the forward-auth step — confirm that is intended.
backend be_uptime-kuma_3001 from unnamed_defaults_1
balance roundrobin
# Only meaningful if an auth sub-request ran; set-header would replace the application's own Set-Cookie.
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
# Resolved at run time via the docker resolver; no health check.
server-template uptime-kuma_container- 1 uptime-kuma:3001 no-check init-addr none resolvers docker
# Catch-all for unmatched hosts: answers every request with the 502 error page.
backend error_backend from unnamed_defaults_1
mode http
http-request deny deny_status 502
# NOTE(review): the response above is generated internally by the deny, and http-response rules
# are not expected to run on it (http-after-response is the hook for that); this line looks inert.
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if { var(req.auth_response_header.set_cookie) -m found }
# ACME challenge traffic is handed to the swiftwave service; address and endpoint come from environment variables.
backend letsencrypt_backend from unnamed_defaults_1
option httpchk
http-check send meth GET uri /healthcheck hdr Host "$SWIFTWAVE_SERVICE_ADDRESS"
http-check expect status 200
# Rewrite Host so the service sees its own name rather than the challenged domain.
http-request set-header Host "$SWIFTWAVE_SERVICE_ADDRESS"
# TLS upstream with certificate verification against the system CA bundle and an explicit SNI.
server swiftwave_service_https "$SWIFTWAVE_SERVICE_ENDPOINT" check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check-sni "$SWIFTWAVE_SERVICE_ADDRESS" sni str("$SWIFTWAVE_SERVICE_ADDRESS")
# NOTE(review): same endpoint without TLS. With both servers in rotation, requests are split between
# the verified TLS path and plaintext — confirm the endpoint really speaks both, or drop this server.
server swiftwave_service_http "$SWIFTWAVE_SERVICE_ENDPOINT" check
# Runs the Data Plane API as a child of the master process (requires master-worker in global).
program api
command /dataplaneapi.sh
# Keep the API process running across reloads instead of restarting it each time.
no option start-on-reload