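# HAProxy configuration for Baserock Project front-end proxy.
#
# Layout of this file:
#   global / defaults     process-wide settings and per-proxy defaults
#   frontend http-in      port 80: redirect to HTTPS (except the webhook host)
#   frontend https-in     port 443: TLS termination, then Host-based routing
#   frontend ssh-in       port 22200: raw TCP passthrough for ostree uploads
#   backend *             the internal instances behind the proxy

global
    maxconn 4000
    daemon
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    log /dev/log local0
    # Runtime API socket. NOTE(review): no 'mode' or 'level' is given here, so
    # the socket's permissions follow the process umask and the default
    # access level applies; consider adding 'mode 600' and an explicit
    # 'level' so that only the intended local users can issue runtime
    # commands (e.g. disabling servers).
    stats socket /var/lib/haproxy/stats

    # Maximum number of bits used when generating temporary keys for DHE
    # key exchange. Higher values involve more CPU usage, lower values are
    # less secure. HAProxy's default is 1024, which is too low and HAProxy
    # actually warns if you use the default.
    tune.ssl.default-dh-param 2048

    # Only forward-secret (ECDHE/DHE) AES suites are offered.
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # Protocol floor for every 'ssl' bind line. The bind line on :443 only
    # disabled SSLv3; TLS 1.0 and 1.1 are also disabled here because the
    # cipher list above already excludes the legacy suites those clients
    # would typically negotiate, so the compatibility cost is small.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    log global
    option httplog
    # Never fail on address resolution: reuse the last known address, then
    # resolve via libc, and finally start the server with no address rather
    # than refusing to start. This matters for the backend that is given as
    # a DNS name (baserock.gitlab.io) instead of an IP.
    default-server init-addr last,libc,none

frontend http-in
    # All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code,
    # except for the webhook host handled just below.
    bind *:80
    acl host_webhook hdr(host) -m beg -i webhook
    use_backend gitlab_webhook_http if host_webhook
    # Don't redirect if it is a webhook. We could generate SSL certs for this
    # host to avoid Gitlab complaining. Until then the webhook body travels
    # in clear text over port 80.
    redirect scheme https code 301 if !host_webhook

frontend https-in
    # We do 'SSL termination' with HAProxy. So secure requests are received in
    # the frontend, then decrypted and sent over HTTP on the internal network.
    # This means we only need to have the certificate in one place, and the
    # configuration of the other instances is simpler. It does mean that we
    # need to avoid having any insecure machines in the cloud.
    bind *:443 ssl no-sslv3 crt /etc/ssl/private/baserock.pem
    # Tell the backends that the original request was HTTPS. 'set-header'
    # replaces any X-Forwarded-Proto header the client sent; the previous
    # 'reqadd' only appended one, so a client-supplied value stayed first in
    # the request and could be the one a backend trusted.
    http-request set-header X-Forwarded-Proto https

    # Rules below here implement the Host-based forwarding to the
    # appropriate instance. The hdr(host) call means 'extract the
    # first Host header from the HTTP request or response', the '-m beg'
    # switch means 'match against the beginning of it' and the '-i' flag
    # makes the match case-insensitive.
    #
    # See the HAProxy configuration manual (the link was lost from this
    # comment) for more documentation than you ever dreamed of.
    #
    # There is deliberately no default_backend: a request whose Host header
    # matches none of these rules gets HAProxy's own 503 response.
    acl host_irclogs hdr(host) -m beg -i irclogs
    use_backend baserock_webserver_http if host_irclogs

    acl host_paste hdr(host) -m beg -i paste
    use_backend baserock_paste_http if host_paste

    # Both 'spec' and 'docs' hosts go to the same backend.
    acl host_spec hdr(host) -m beg -i spec
    acl host_spec hdr(host) -m beg -i docs
    use_backend baserock_spec_http if host_spec

    acl host_download hdr(host) -m beg -i download
    use_backend baserock_webserver_http if host_download

    # Both 'ostree' and 'cache' hosts go to the same backend.
    acl host_ostree hdr(host) -m beg -i ostree
    acl host_ostree hdr(host) -m beg -i cache
    use_backend baserock_ostree_http if host_ostree

# Name was 'ssh-in:' (trailing colon, a typo); it is not referenced anywhere
# else in this file, so only the name shown in logs and stats changes.
frontend ssh-in
    # FIXME: it'd be better if we could limit traffic on port 22200 to
    # ostree.baserock.org. There's no way of knowing from an SSH request
    # which subdomain the user tried to connect to though.
    mode tcp
    # 'option httplog' inherited from 'defaults' is not usable in a tcp
    # frontend (HAProxy warns and falls back); say what we mean instead.
    option tcplog
    bind *:22200
    default_backend baserock_ostree_ssh
    # Uploading artifacts can be slow; need a long timeout.
    timeout client 12h

# Entries here locate each server backend.

backend baserock_spec_http
    # Point to Gitlab pages url. This repository has to have configured
    # alternative domain names in order to make this redirection work.
    # Otherwise Gitlab will just show a 404 page.
    # NOTE(review): unlike the other backends this one is outside the
    # internal network and is reached over plain HTTP, so the user's
    # decrypted request leaves the cloud in clear text.
    server baserock_spec baserock.gitlab.io:80

backend baserock_ostree_http
    server baserock_ostree 10.3.0.12:80

backend baserock_ostree_ssh
    mode tcp
    server baserock_ostree 10.3.0.12:22
    # Uploading artifacts can be slow; need a long timeout. The client-side
    # timeout lives in 'frontend ssh-in'; a backend can only set the
    # server-side one. (This was 'timeout client', which HAProxy ignores in
    # a backend, leaving the 50000ms default from 'defaults' in effect.)
    timeout server 12h

backend baserock_webserver_http
    server baserock_webserver 10.3.0.13:80

backend baserock_paste_http
    server baserock_paste 10.3.0.13:7777

backend gitlab_webhook_http
    # Receives the unencrypted webhook traffic accepted on port 80 above.
    server baserock_gitlab_bot 10.3.0.13:1337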