global
    lua-prepend-path /usr/local/etc/haproxy/?/http.lua
    lua-load /usr/local/etc/haproxy/auth-request.lua
    log stdout format raw local0 debug
	maxconn 2000

defaults
    default-server init-addr none
    mode http
	timeout connect 5000ms
	timeout client 50000ms
	timeout server 50000ms
    log global
    option forwardfor
    option httplog
    option httpchk
    http-check expect rstatus ^2

resolvers docker
    nameserver ip 127.0.0.11:53

frontend fe_api
    bind *:8081 ssl crt /pki/private.chain.pem

    stats enable
    stats uri /api
    stats refresh 10s
    stats admin if LOCALHOST

frontend fe_http
    bind *:8080 ssl crt /pki/private.chain.pem

    acl api-path path_beg -i /api
	acl devworkflow-path path -i -m end /devworkflow
    acl headers-path path -i -m end /headers
	acl jwks-path path -i -m end /jwks.json
	acl locales-path path_beg -i /locales
	acl wellknown-path path_beg -i /.well-known
    acl host-authelia-portal hdr(host) -i login.example.com:8080
    acl protected-frontends hdr(host) -m reg -i ^(?i)(admin|home|public|secure|singlefactor)\.example\.com

    http-request set-var(req.scheme) str(https) if { ssl_fc }
    http-request set-var(req.scheme) str(http) if !{ ssl_fc }
    http-request set-var(req.questionmark) str(?) if { query -m found }

    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Method %[method]
    http-request set-header X-Forwarded-Proto  %[var(req.scheme)]
    http-request set-header X-Forwarded-Host   %[req.hdr(Host)]
    http-request set-header X-Forwarded-URI    %[path]%[var(req.questionmark)]%[query]

    # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
    # does not know how to handle it (see https://github.com/TimWolla/haproxy-auth-request/issues/12).
    http-request lua.auth-intercept be_auth_request /api/authz/forward-auth HEAD * authorization,proxy-authorization,remote_user,remote-user,remote-groups,remote-name,remote-email - if protected-frontends
    http-request redirect location %[var(txn.auth_response_location)] if protected-frontends !{ var(txn.auth_response_successful) -m bool }

    use_backend be_authelia if host-authelia-portal api-path || devworkflow-path || jwks-path || locales-path || wellknown-path
    use_backend fe_authelia if host-authelia-portal !api-path
    use_backend be_httpbin if protected-frontends headers-path
    use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
    use_backend be_protected if protected-frontends

backend be_auth_request
    server proxy 127.0.0.1:8085

listen be_auth_request_proxy
    bind 127.0.0.1:8085
    server authelia-backend authelia-backend:9091 resolvers docker ssl verify none

backend be_authelia
    server authelia-backend authelia-backend:9091 resolvers docker ssl verify none

backend fe_authelia
	option httpchk
	http-check expect rstatus ^2

    server authelia-frontend authelia-frontend:3000 check resolvers docker
    server authelia-backend authelia-backend:9091 check backup resolvers docker ssl verify none

backend be_httpbin
    ## Pass the Set-Cookie response headers to the user.
    acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
    http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist

    server httpbin-backend httpbin:8000 resolvers docker

backend be_mail
    server smtp-backend smtp:1080 resolvers docker

backend be_protected
    ## Pass the Set-Cookie response headers to the user.
    acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
    http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist

    server nginx-backend nginx-backend:80 resolvers docker