#HA Proxy Config
global
 ulimit-n 500000
 maxconn 99999
 maxpipes 99999
 tune.maxaccept 500

 log 127.0.0.1 local0
 log 127.0.0.1 local1 notice

 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private

 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 ssl-default-bind-options no-sslv3

defaults

 log global

 mode http

 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms
 timeout tunnel  1h    # timeout to use with WebSocket and CONNECT

 default-server init-addr none

#enable resolving throught docker dns and avoid crashing if service is down while proxy is starting
resolvers docker_resolver
  nameserver dns 127.0.0.11:53

listen stats
 bind *:9999
 stats enable
 stats hide-version
 stats uri /stats
 stats auth admin:admin@123

listen mqtt-in
 bind *:${MQTT_PORT}
 mode tcp

 stick-table type ip size 60k expire 60s store conn_cur

 acl trustlist src -f /config/trustlist.txt
 acl blocklist src -f /config/blocklist.txt
 tcp-request connection accept if trustlist
 tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
 tcp-request connection track-sc1 src

 option clitcpka # For TCP keep-alive
 timeout client 3h
 timeout server 3h
 option tcplog
 balance leastconn
 server tbMqtt1 tb-mqtt-transport1:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4
 server tbMqtt2 tb-mqtt-transport2:1883 check inter 5s resolvers docker_resolver resolve-prefer ipv4

listen edges-rpc-in
 bind *:${EDGES_RPC_PORT}
 mode tcp

 stick-table type ip size 60k expire 60s store conn_cur

 acl trustlist src -f /config/trustlist.txt
 acl blocklist src -f /config/blocklist.txt
 tcp-request connection accept if trustlist
 tcp-request connection reject if blocklist or { src_conn_cur ge 5 }
 tcp-request connection track-sc1 src

 option clitcpka # For TCP keep-alive
 timeout client 3h
 timeout server 3h
 option tcplog
 balance leastconn
 server tbEdgesRpc1 tb-core1:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4
 server tbEdgesRpc2 tb-core2:7070 check inter 5s resolvers docker_resolver resolve-prefer ipv4

frontend http-in
 bind *:${HTTP_PORT} alpn h2,http/1.1

 stick-table type ip size 60k expire 60s store conn_cur

 acl trustlist src -f /config/trustlist.txt
 acl blocklist src -f /config/blocklist.txt
 tcp-request connection accept if trustlist
 tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
 tcp-request connection track-sc1 src

 option forwardfor

 http-request add-header "X-Forwarded-Proto" "http"

 acl transport_http_acl path_beg /api/v1/
 acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
 acl tb_images_api_acl path_beg /api/images/
 acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/

 redirect scheme https if !letsencrypt_http_acl !transport_http_acl { env(FORCE_HTTPS_REDIRECT) -m str true }

 use_backend letsencrypt_http if letsencrypt_http_acl
 use_backend tb-http-backend if transport_http_acl
 use_backend tb-images-api-backend if tb_images_api_acl
 use_backend tb-api-backend if tb_api_acl

 default_backend tb-web-backend

frontend https_in
  bind *:${HTTPS_PORT} ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM alpn h2,http/1.1

  stick-table type ip size 60k expire 60s store conn_cur

  acl trustlist src -f /config/trustlist.txt
  acl blocklist src -f /config/blocklist.txt
  tcp-request connection accept if trustlist
  tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
  tcp-request connection track-sc1 src

  option forwardfor

  http-request add-header "X-Forwarded-Proto" "https"

  acl transport_http_acl path_beg /api/v1/
  acl tb_images_api_acl path_beg /api/images/
  acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/

  use_backend tb-http-backend if transport_http_acl
  use_backend tb-images-api-backend if tb_images_api_acl
  use_backend tb-api-backend if tb_api_acl

  default_backend tb-web-backend

backend letsencrypt_http
  server letsencrypt_http_srv 127.0.0.1:8080

backend tb-web-backend
  timeout queue 60s
  balance leastconn
  option tcp-check
  option log-health-checks
  server tbWeb1 tb-web-ui1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
  server tbWeb2 tb-web-ui2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
  http-request set-header X-Forwarded-Port %[dst_port]

backend tb-http-backend
  timeout queue 60s
  balance leastconn
  option tcp-check
  option log-health-checks
  server tbHttp1 tb-http-transport1:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
  server tbHttp2 tb-http-transport2:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50

# Dummy backends for a stick-table purpose only.
# There is only one stick-table per proxy. At the moment of writing this doc,
# it does not seem useful to have multiple tables per proxy. If this happens
# to be required, simply create a dummy backend with a stick-table in it and
# reference it
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
backend st_src_rate10s
    stick-table type ip size 60k expire 10s store http_req_rate(10s)

backend st_src_rate1m
    stick-table type ip size 60k expire 1m store http_req_rate(1m)

backend tb-api-backend
  timeout queue 60s
  balance source
  option tcp-check
  option log-health-checks

  http-request track-sc0 src table st_src_rate10s
  http-request track-sc1 src table st_src_rate1m

  acl trustlist src -f /config/trustlist.txt
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !trustlist
  http-request deny deny_status 429 if { sc_http_req_rate(1) gt 300 } !trustlist

  http-request set-header X-Forwarded-Port %[dst_port]
  server tbApi1 tb-core1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
  server tbApi2 tb-core2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50

# Dummy backends for a stick-table purpose only.
# There is only one stick-table per proxy. At the moment of writing this doc,
# it does not seem useful to have multiple tables per proxy. If this happens
# to be required, simply create a dummy backend with a stick-table in it and
# reference it
# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
backend st_images_src_rate10s
    stick-table type ip size 60k expire 10s store http_req_rate(10s)

backend st_images_src_rate1m
    stick-table type ip size 60k expire 1m store http_req_rate(1m)

backend tb-images-api-backend
  timeout queue 60s
  balance source
  option tcp-check
  option log-health-checks

  http-request track-sc0 src table st_images_src_rate10s
  http-request track-sc1 src table st_images_src_rate1m

  acl trustlist src -f /config/trustlist.txt
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 1000 } !trustlist
  http-request deny deny_status 429 if { sc_http_req_rate(1) gt 3000 } !trustlist

  http-request set-header X-Forwarded-Port %[dst_port]
  server tbImagesApi1 tb-core1:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
  server tbImagesApi2 tb-core2:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50