edgeguard-native/internal/haproxy/haproxy.cfg.tpl

# Generated by edgeguard-api — DO NOT EDIT.
# Source: internal/haproxy/haproxy.go (template: haproxy.cfg.tpl).
# Re-generate via `edgeguard-ctl render-config`.

global
    log /dev/log local0 info
    log /dev/log local1 notice
    user  haproxy
    group haproxy
    daemon
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    timeout http-request 10s
    # timeout tunnel wird PER BACKEND aktiviert (websocket-Flag),
    # damit nur WS-Workloads die lange Idle-Toleranz haben und normale
    # HTTP-Backends saubere Connection-Hygiene behalten.

# ── Public :80 ─────────────────────────────────────────────────────────
# ACME-01 challenges proxy to edgeguard-api which serves the webroot.
# Everything else redirects to HTTPS.
frontend public_http
    bind :80

    acl is_acme path_beg /.well-known/acme-challenge/

    # Redirect to HTTPS first (skipped for ACME paths) — must come
    # before use_backend so HAProxy doesn't warn about ordering.
    http-request redirect scheme https code 301 unless is_acme

    use_backend api_backend if is_acme

# ── Public :443 (Customer-Backends only) ──────────────────────────────
# TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
# seeds a self-signed _default.pem so HAProxy starts before certbot
# has issued anything.
#
# WICHTIG: kein default_backend → unbekannte Hosts kriegen 503. Die
# Management-UI sitzt bewusst auf :3443 (siehe mgmt_https unten),
# damit ein versehentlich offengelassenes Wildcard-DNS nie auf das
# Admin-Panel fällt. mailgateway/enconf-Pattern.
frontend public_https
    bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1

    http-response set-header Strict-Transport-Security "max-age=31536000"

    {{- range $d := .Domains}}
    {{- range $r := $d.Routes}}
    use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
    {{- end}}
    {{- if $d.PrimaryBackendID}}
    use_backend eg_backend_{{$d.PrimaryBackendID}} if { hdr(host) -i {{$d.Name}} }
    {{- end}}
    {{- end}}

# ── Mgmt :3443 (Admin-UI only) ────────────────────────────────────────
# Eigener Port für die Management-UI — gleicher Cert-Pool, aber kein
# Customer-Routing. Anti-Lockout-Regel im nft-Template lässt 3443
# immer durch. Erreichbar über jede Domain die auf die Box zeigt
# (Hostname egal — default_backend), inkl. der direkten IP.
frontend mgmt_https
    bind :3443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend api_backend

# ── Internal stats ─────────────────────────────────────────────────────
frontend internal_stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if { src 127.0.0.1 }

# ── Backends ───────────────────────────────────────────────────────────

# edgeguard-api itself: management UI, REST API, ACME webroot.
backend api_backend
    server api1 127.0.0.1:9443 check

{{- range $b := .Backends}}

backend eg_backend_{{$b.ID}}
    balance {{$b.LBAlgorithm}}
    {{- if $b.WebSocket}}
    timeout tunnel 1h
    {{- end}}
    {{- if $b.HealthCheckPath}}
    option httpchk
    http-check send meth GET uri {{$b.HealthCheckPath}}
    {{- end}}
    {{- range $s := $b.Servers}}
    server {{$s.Name | safeID}} {{$s.Address}}:{{$s.Port}}{{if eq $b.Scheme "https"}} ssl verify none alpn h2,http/1.1{{end}}{{if $b.HealthCheckPath}} check inter 5s{{end}} weight {{$s.Weight}}{{if $s.Backup}} backup{{end}}
    {{- end}}
{{- end}}