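---
# Puppet-style class parameter data (keys are `class::param`) for an HAProxy
# edge: two backends plus the settings of the fe_http (port 80) and
# fe_https (port 443) frontends.

haproxy::backend:
  be_letsencrypt:
    description: 'Backend for LetsEncrypt Verifications'
    collect_exported: true
    options:
      balance: roundrobin
  be_default:
    description: 'Backend for unmatched HTTP traffic'
    collect_exported: true
    options:
      balance: roundrobin
      option:
        - httpchk
        - forwardfor
      http-check: 'send meth GET uri /'
      cookie: 'SRVNAME insert'
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        # Both frontends below already overwrite X-Forwarded-Proto with
        # set-header, so a client-supplied value does not reach this rule.
        # NOTE(review): add-header appends, so traffic that arrived on 443
        # carries the header twice; set-header here would keep one value.
        - 'add-header X-Forwarded-Proto https if { dst_port 443 }'

# fe_http
profiles::haproxy::fe_http::bind_addr: '0.0.0.0'
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
  - transparent
profiles::haproxy::fe_http::acls:
  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
  # This listener is cleartext (port 80, no `ssl` bind option), so the scheme
  # reported to backends must be http. Reporting https would let applications
  # that trust X-Forwarded-Proto treat unencrypted requests as TLS-protected
  # (Secure cookies issued, HTTPS redirects skipped). It also matches
  # be_default, which only asserts https when dst_port is 443.
  - 'set-header X-Forwarded-Proto http'
  # set-header replaces any client-supplied X-Real-IP with the peer address
  # HAProxy observed.
  - 'set-header X-Real-IP %[src]'

# fe_https
profiles::haproxy::fe_https::bind_addr: '0.0.0.0'
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
  - ssl
  - 'crt-list /etc/haproxy/certificate.list'
  # NOTE(review): AES256+EECDH and AES256+EDH are not limited to GCM, so
  # CBC-mode suites remain negotiable; confirm that is intended.
  - 'ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
  # NOTE(review): force-tlsv12 pins the listener to TLS 1.2 only, which also
  # excludes TLS 1.3. `ssl-min-ver TLSv1.2` sets a floor instead; confirm
  # the deployed HAProxy version before switching.
  - force-tlsv12
profiles::haproxy::fe_https::acls:
  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
  - 'set-header X-Forwarded-Proto https'
  # set-header replaces any client-supplied X-Real-IP with the peer address
  # HAProxy observed.
  - 'set-header X-Real-IP %[src]'

profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  # NOTE(review): HAProxy certificate PEMs normally bundle the private key;
  # confirm this file is readable only by root / the haproxy user.
  - /etc/pki/tls/vault/certificate.pem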