Brevet/dev/provisioning/ansible/roles/haproxy/templates/haproxy.cfg.j2

frontend http_frontend
  mode {{ frontend_mode }}
	bind *:80
	bind *:443 ssl crt  {{ ssl_crt_path }}/{{ ssl_name }}.pem alpn h2,http/1.1

{% if nc_settings is sameas true %}
	maxconn 20000
	acl url_discovery_dav path /.well-known/caldav /.well-known/carddav
	acl url_discovery_inf path /.well-known/webfinger /.well-known/nodeinfo
	http-request redirect location /remote.php/dav/ code 301 if url_discovery_dav
	http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_inf
	http-response set-header Strict-Transport-Security max-age=63072000
{% endif %}
	option forwardfor
	option http-server-close

{% if network_allowed != '' %}
	#Only allow some services to be available internally
	acl network_allowed src {{ network_allowed }}

{% endif %}
	redirect scheme https code 301 if !{ ssl_fc }
	default_backend http_servers

backend http_servers
	mode {{ backend_mode }}
	balance {{ backend_balance_method }}
{% if nc_settings is sameas true %}
	option httpchk HEAD /
	cookie SERVERID insert indirect nocache
	http-check expect rstatus [2-3][0-9][0-9]
	http-response set-header X-Frame-Options SAMEORIGIN
	http-response set-header X-XSS-Protection 1;mode=block
	http-response set-header X-Content-Type-Options nosniff
	default-server check maxconn 5000
{% endif %}

{% if haproxy_backend_servers != '' %}
	server {{ haproxy_backend_servers.name }} {{ haproxy_backend_servers.ip }}
{% endif %}