frontend http
    bind *:80
    acl acme_challenge path_beg /.well-known/acme-challenge
    # Proxy ACME challenge requests to Lego
    use_backend lego if acme_challenge
    #default_backend web

# Lego listens on port 5000 when it is requesting a certificate via
# ACME.  Only one DC can be requesting a certificate at a time, or
# requests may be forwarded to the wrong machine.
#
# It is imperative that the `check` option is NOT enabled for any
# server/template in this back-end, or challenge requests may get lost
# if they are initiated between HAProxy health check intervals.
backend lego
    balance roundrobin
    server-template dc {{ groups["samba-dc"] | length + 3 }} {{ krb5_realm|lower }}:5000 resolvers local init-addr none
    retries 10
    option redispatch
    retry-on all-retryable-errors 404

# Although there is not currently a use case for it, it is possible to run a
# web server on the apex domain, but it has to listen on an alternate port.
#backend web
#    balance roundrobin
#    server-template dc 5 {{ krb5_realm|lower }}:8080 resolvers local init-addr none