# HAProxy configuration: TLS-terminating reverse proxy that routes by Host
# header, plus a source-restricted statistics page.

global
    # NOTE(review): `daemon` is combined with `log stdout` below - confirm that
    # log output is still captured when the process backgrounds itself.
    daemon
    # Process-wide connection ceiling.
    maxconn 200
    log stdout format raw local0
    # Client-facing TLS defaults: TLS 1.3 only, three AEAD suites, session
    # tickets disabled; the client's suite preference is honoured.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-tls-tickets ssl-min-ver TLSv1.3
    # Server-facing TLS defaults. These only take effect on `server` lines that
    # carry the `ssl` keyword; the one server line in this file does not.
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-tls-tickets ssl-min-ver TLSv1.3

# Base defaults inherited (via `from`) by every proxy section below.
defaults generic_defaults
    log global
    # Connection cap for proxies inheriting this section (global cap is 200).
    maxconn 50
    # Server-side timeouts; these have no effect on frontends.
    timeout connect 5s
    timeout server 5s
    # Client-side timeout; this has no effect on backends.
    # NOTE(review): no `timeout http-request` is set in this file, so this 30s
    # value is presumably what bounds a slowly-sent request - confirm that is
    # the intended exposure to slow-request connection exhaustion.
    timeout client 30s

defaults http_defaults from generic_defaults
    mode http
    # Adds an X-Forwarded-For header carrying the client address. A header
    # already supplied by the client is not removed, so backends should trust
    # only the value added here (the last one).
    option forwardfor
    option httplog

# Statistics page. The bind has no address, so it listens on all interfaces;
# the port comes from $STATS_PORT and falls back to 61000.
frontend fe_stats from http_defaults
    bind :"${STATS_PORT-61000}"
    stats enable
    stats uri /
    stats refresh 10s
    # The only access control visible here is the source-address allow-list:
    # no `stats auth` is configured, and this listener is plain HTTP. `src` is
    # the TCP peer address, so it is not influenced by request headers.
    acl ips_allowed src 10.10.10.0/24 10.10.1.0/24
    http-request deny if !ips_allowed

# Public entry point: port 80 exists only to redirect, port 443 terminates TLS.
frontend fe_https-proxy from http_defaults
    bind :80
    # strict-sni: the handshake is refused unless the SNI matches a certificate
    # loaded from the crt directory (no default-certificate fallback).
    bind :443 ssl strict-sni crt /usr/local/etc/haproxy/certs alpn h2,http/1.1
    # Anything that arrived without TLS gets a permanent redirect to https.
    redirect scheme https code 301 if !{ ssl_fc }
    # HSTS for two years (63072000 s); includeSubDomains/preload are not set.
    http-response set-header Strict-Transport-Security max-age=63072000
    # Backend is chosen from the lower-cased Host header via hosts.map; the map
    # file is the allow-list and anything unmatched goes to be_no-match (404).
    # Routing uses the Host header, not the SNI that selected the certificate.
    # NOTE(review): the Host value is used as-is, so a Host carrying an
    # explicit port presumably will not match a map entry - verify.
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/hosts.map,be_no-match)]

backend be_example.net from http_defaults
    compression algo gzip
    compression type text/plain text/css
    # HTTP health check: HEAD /status with Host example.net; the User-Agent
    # prefix comes from $HEALTH_CHECK_USER_AGENT and defaults to "HAProxy".
    option httpchk
    http-check send meth HEAD uri /status hdr Host example.net hdr User-Agent "${HEALTH_CHECK_USER_AGENT-HAProxy} health check"
    # Checked every 10s; 3 failures mark it down, 3 successes bring it back.
    # No `ssl` keyword here: proxied traffic (including X-Forwarded-For) and
    # the health checks reach example.net:8080 unencrypted.
    server nextcloud-loft example.net:8080 check inter 10s fall 3 rise 3

# Catch-all for Host values not present in hosts.map.
backend be_no-match from http_defaults
    http-request deny deny_status 404