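# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
#
# Layout: one global section, one defaults section, a plain-HTTP frontend on :80
# (ACME challenge pass-through + redirect to HTTPS), a TLS frontend on :443, and
# one backend per Kubernetes service. Backend server lines carry pod IPs and are
# regenerated by the operator whenever pods change.
global
    daemon
    # Runtime API socket. "level admin" allows full runtime control (server state,
    # maps, etc.) and "expose-fd listeners" hands listening sockets to the next
    # process on reload. No mode/user/group is set on the socket here, so access
    # control rests entirely on the filesystem permissions of /var/run/haproxy.sock.
    stats socket /var/run/haproxy.sock level admin expose-fd listeners
    # Persist server state across reloads (paired with expose-fd listeners above).
    server-state-file global
    server-state-base /var/state/haproxy/
    # log using a syslog socket
    log /dev/log local0 info
    tune.ssl.default-dh-param 2048
    # Default cipher list for all "bind ... ssl" lines. Only the AEAD/GCM suites at the
    # front offer modern security; the list also keeps CBC + SHA-1 suites (e.g.
    # ECDHE-RSA-AES128-SHA, DHE-DSS-AES256-SHA) for older clients. The trailing "!"
    # entries exclude anonymous, null, export, DES/3DES, RC4, MD5 and PSK suites.
    # NOTE(review): two cipher names in this listing had been split by a line wrap
    # ("ECDH E-RSA-..." and "DHE-R SA-..."); they are rejoined here, since a space
    # inside this argument would make the directive fail to parse.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    # Lua auth-request helper is loaded but not referenced by any rule in this file.
    lua-load /etc/auth-request.lua

defaults
    log global
    # https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
    # https://github.com/voyagermesh/voyager/pull/403
    option dontlognull
    option http-server-close
    # Timeout values
    timeout client 50s
    timeout client-fin 50s
    timeout connect 5s
    timeout server 50s
    timeout tunnel 50s
    # Configure error files
    # default traffic mode is http
    # mode is overwritten in case of tcp services
    mode http

frontend http-0_0_0_0-80
    bind *:80
    mode http
    option httplog
    # Appends the client address to X-Forwarded-For for the backend.
    option forwardfor
    # is_proxy_https is true when the request was TLS-terminated here (ssl_fc) OR when
    # it carries "X-Forwarded-Proto: https". On this plaintext listener ssl_fc is never
    # true, so the header alone decides. That header is only trustworthy if a proxy
    # in front of HAProxy always sets or strips it; if clients reach :80 directly,
    # a client-supplied header skips the HTTPS redirect below and req.scheme is
    # reported to the backend as https. Confirm the deployment sits behind such a proxy.
    acl is_proxy_https hdr(X-Forwarded-Proto) https
    acl is_proxy_https ssl_fc
    http-request set-var(req.scheme) str(https) if is_proxy_https
    http-request set-var(req.scheme) str(http) if ! is_proxy_https
    acl acl_:.well-known-acme-challenge path_beg /.well-known/acme-challenge/
    # rules processing will stop here for LE well-known acme challenge path
    # ("http-request allow" ends http-request rule evaluation, so the redirect below
    # is never applied to ACME challenge requests; they go to the operator backend).
    http-request allow if acl_:.well-known-acme-challenge
    use_backend voyager-operator.kube-system:56791 if acl_:.well-known-acme-challenge
    # Host matching for kiteci.com (with or without the explicit :80 port).
    acl acl_kiteci.com hdr(host) -i kiteci.com
    acl acl_kiteci.com hdr(host) -i kiteci.com:80
    # "acl_kiteci.com:" (trailing colon) is the path ACL for this host; "/" matches every path.
    acl acl_kiteci.com: path_beg /
    # Remember the Host for non-HTTPS requests to this host so they can be redirected.
    http-request set-var(req.redirect_to_ssl) req.hdr(host) if ! is_proxy_https acl_kiteci.com acl_kiteci.com:
    # Rewrite an explicit ":80" port to ":443" before redirecting. The pattern "80+"
    # technically means "8 followed by one or more 0", but the host ACL above only
    # admits ":80", so in practice only that form is rewritten.
    http-request replace-header Host ^(.*?):80+$ \1:443 if { var(req.redirect_to_ssl) -m found }
    # 308 keeps the method and body on the redirect (unlike 301/302).
    http-request redirect scheme https code 308 if { var(req.redirect_to_ssl) -m found }

backend voyager-operator.kube-system:56791
    # Operator pod serving ACME HTTP-01 challenges. No "check" keyword: no active
    # health check; the operator rewrites this line when the pod IP changes.
    server pod-voyager-operator-6f498d8fdf-jlbqs 10.4.1.4:56791

frontend http-0_0_0_0-443
    # TLS listener: SSLv3 and TLS 1.0 are disabled, TLS 1.1 is still accepted
    # (there is no "no-tlsv11" / minimum-version setting here); session tickets are
    # off, so resumption does not weaken forward secrecy. Certificates come from
    # every file in the crt directory; ALPN advertises HTTP/1.1 only.
    bind *:443 ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/ alpn http/1.1
    # Mark all cookies as secure
    # (appends "; Secure" only; HttpOnly/SameSite are left to the backend. rsprep is a
    # legacy directive that newer HAProxy releases replace with
    # "http-response replace-header".)
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure
    # Add the HSTS header with a 6 month default max-age
    # (15768000 s; applies to this host only — no includeSubDomains/preload).
    http-response set-header Strict-Transport-Security max-age=15768000
    mode http
    option httplog
    option forwardfor
    # Same scheme detection as the :80 frontend; here ssl_fc is always true for
    # requests on this listener, so is_proxy_https holds regardless of the header.
    acl is_proxy_https hdr(X-Forwarded-Proto) https
    acl is_proxy_https ssl_fc
    http-request set-var(req.scheme) str(https) if is_proxy_https
    http-request set-var(req.scheme) str(http) if ! is_proxy_https
    acl acl_kiteci.com hdr(host) -i kiteci.com
    acl acl_kiteci.com hdr(host) -i kiteci.com:443
    acl acl_kiteci.com: path_beg /
    # Requests for any other Host fall through to no backend (HAProxy answers 503).
    use_backend web.default:80 if acl_kiteci.com acl_kiteci.com:

backend web.default:80
    # Application pod; plaintext HTTP inside the cluster, no active health check.
    server pod-nginx-dbddb74b8-x4zxj 10.4.2.128:80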