# This file uses golang text templates (http://golang.org/pkg/text/template/) to
# dynamically configure the haproxy loadbalancer.
global
    daemon
    stats socket /tmp/haproxy
    server-state-file global       
    server-state-base /var/state/haproxy/

{{ if eq .startSyslog "true" }}
    # log using a syslog socket
    log /var/run/haproxy.log.socket local0 info
    log /var/run/haproxy.log.socket local0 notice
{{ end }}

{{ if ne .sslCert "" }}
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    ssl-default-bind-options no-tls-tickets
{{ end }}

defaults
    log global
   
    load-server-state-from-file global
    
    # Enable session redistribution in case of connection failure.
    option redispatch
    
    # Disable logging of null connections (haproxy connections like checks). 
    # This avoids excessive logs from haproxy internals.
    option dontlognull
    
    # Enable HTTP connection closing on the server side.
    option http-server-close

    # Enable insertion of the X-Forwarded-For header to requests sent to 
    # servers and keep client IP address.
    option forwardfor
    
    # Enable HTTP keep-alive from client to server.
    option http-keep-alive

    # Clients should send their full http request in 5s.
    timeout http-request    5s
    
    # Maximum time to wait for a connection attempt to a server to succeed.
    timeout connect         5s

    # Maximum inactivity time on the client side.
    # Applies when the client is expected to acknowledge or send data.
    timeout client          50s

    # Inactivity timeout on the client side for half-closed connections.
    # Applies when the client is expected to acknowledge or send data 
    # while one direction is already shut down.
    timeout client-fin      50s
    
    # Maximum inactivity time on the server side.
    timeout server          50s
    
    # timeout to use with WebSocket and CONNECT
    timeout tunnel          1h
    
    # Maximum allowed time to wait for a new HTTP request to appear.
    timeout http-keep-alive 60s

    # default traffic mode is http
    # mode is overwritten in case of tcp services
    mode http

    # default default_backend. This allows custom default_backend in frontends
    default_backend default-backend

backend default-backend
  server localhost 127.0.0.1:8081

# haproxy stats, required hostport and firewall rules for :1936
listen stats
    bind *:1936
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /

{{ if ne .sslCert "" }}
frontend httpsfrontend
    mode http
    bind :443 ssl {{ .sslCert }} 

    # HSTS (15768000 seconds = 6 months)
    rspadd  Strict-Transport-Security:\ max-age=15768000

{{range $i, $svc := .services.httpsTerm}}
    acl url_acl_{{$svc.Name}} path_beg {{$svc.AclMatch}}
    {{ if $svc.Host }}acl host_acl_{{$svc.Name}} hdr(host) {{$svc.Host}}
    use_backend {{$svc.Name}} if url_acl_{{$svc.Name}} or host_acl_{{$svc.Name}}
    {{ else }}use_backend {{$svc.Name}} if url_acl_{{$svc.Name}}
{{ end }}
{{end}}
{{end}}


frontend httpfrontend
    # Frontend bound on all network interfaces on port 80
    bind *:80

    # inherit default mode, needs changing for tcp
    # forward everything meant for /foo to the foo backend
    # default_backend foo
    # in case of host header routing it will add a new acl and use an or
    # condition to determine the backend to be used
    # the style of if/else blocks is meant to preserves the format of the output config file
{{range $i, $svc := .services.http}}
    acl url_acl_{{$svc.Name}} path_beg /{{$svc.Name}}
    {{ if $svc.Host }}acl host_acl_{{$svc.Name}} hdr(host) {{$svc.Host}}
    use_backend {{$svc.Name}} if url_acl_{{$svc.Name}} or host_acl_{{$svc.Name}}
    {{ else }}use_backend {{$svc.Name}} if url_acl_{{$svc.Name}}
{{ end }}
{{end}}

{{range $i, $svc := .services.http}}
{{ $svcName := $svc.Name }}
backend {{$svc.Name}}
    option  httplog
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    balance {{$svc.Algorithm}}
    # TODO: Make the path used to access a service customizable.
    reqrep ^([^\ :]*)\ /{{$svc.Name}}[/]?(.*) \1\ /\2
{{if and $svc.SessionAffinity (not $svc.CookieStickySession)}}
    # create a stickiness table using client IP address as key
    # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#stick-table
    stick-table type ip size 100k expire 30m
    stick on src
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{if and $svc.SessionAffinity $svc.CookieStickySession}}
    # insert a cookie with name SERVERID to stick a client with a backend server
    # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-cookie
    cookie SERVERID insert indirect nocache
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} cookie s{{$j}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{if and (not $svc.SessionAffinity) (not $svc.CookieStickySession)}}
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{end}}

{{range $i, $svc := .services.httpsTerm}}
{{ $svcName := $svc.Name }}
backend {{$svc.Name}}
    option  httplog
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    balance {{$svc.Algorithm}}
    # TODO: Make the path used to access a service customizable.
    reqrep ^([^\ :]*)\ /{{$svc.Name}}[/]?(.*) \1\ /\2
{{if and $svc.SessionAffinity (not $svc.CookieStickySession)}}
    # create a stickiness table using client IP address as key
    # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#stick-table
    stick-table type ip size 100k expire 30m
    stick on src
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{if and $svc.SessionAffinity $svc.CookieStickySession}}
    # insert a cookie with name SERVERID to stick a client with a backend server
    # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-cookie
    cookie SERVERID insert indirect nocache
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} cookie s{{$j}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{if and (not $svc.SessionAffinity) (not $svc.CookieStickySession)}}
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}} check port {{$svc.BackendPort}} inter 5
    {{end}}
{{end}}
{{end}}

{{range $i, $svc := .services.tcp}}
{{ $svcName := $svc.Name }}
frontend {{$svc.Name}}
    bind *:{{$svc.FrontendPort}}
    mode tcp
    default_backend {{$svc.Name}}

backend {{$svc.Name}}
    balance {{$svc.Algorithm}}
    mode tcp
{{if $svc.SessionAffinity}}
    # create a stickiness table using client IP address as key
    # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#stick-table
    stick-table type ip size 100k expire 30m
    stick on src    
{{end}}
    {{range $j, $ep := $svc.Ep}}server {{$ep}} {{$ep}}
    {{end}}
{{end}}