global
    maxconn 4096
    #tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    #log global
    #log 127.0.0.1 local0 debug
    #option tcplog

# https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
frontend https-in
    mode http
    bind *:443 ssl crt /etc/letsencrypt/haproxy/${NEXTCLOUD_URL}.pem crt /etc/letsencrypt/haproxy/${GOGS_URL}.pem

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend nextcloud if { ssl_fc_sni ${NEXTCLOUD_URL} }
    use_backend gogs if { ssl_fc_sni ${GOGS_URL} }

    default_backend nextcloud

backend nextcloud
    # http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#option%20http-server-close
    #option http-server-close
    #option forwardfor

    #redirect http to https
    #redirect scheme https if !{ ssl_fc }

    server nextcloud nextcloud:443 maxconn 32 check ssl verify none

backend gogs
    #redirect http to https
    #redirect scheme https if !{ ssl_fc }

    server gogs gogs:2443 maxconn 32 check ssl verify none

frontend http-in
    bind *:80
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    acl is_nextcloud hdr_end(host) -i ${NEXTCLOUD_URL}
    acl is_gogs hdr_end(host) -i ${GOGS_URL}

    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend nextcloud-insecure if is_nextcloud
    use_backend gogs-insecure if is_gogs
    default_backend nextcloud-insecure

backend nextcloud-insecure
    server nextcloud nextcloud:80 maxconn 32

backend gogs-insecure
    server gogs gogs:2080 maxconn 32

# LE Backend
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

#listen admin
#    bind 127.0.0.1:8080
#        stats enable