configpolicy/roles/dch-proxy/templates/haproxy.cfg.j2


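{# Source-address ACLs shared by both frontends (rendered via acls()|indent(4)).
   internal_net: networks that may reach the default kubernetes backends.
   allowlist / blocklist: evaluated as `reject if blocklist !allowlist`, so an
   address on both lists is allowed.
   An empty (or undefined) list would otherwise render `acl <name> src` with no
   pattern, which is at best a never-matching ACL and at worst a config-check
   error; `always_false` keeps the ACL defined, so the rules that reference it
   still parse, while guaranteeing it never matches. For non-empty lists the
   rendered output is unchanged. #}
{% macro acls() %}
{% for name, nets in [('internal_net', dch_proxy_internal_networks|d([])), ('allowlist', dch_proxy_allowlist|d([])), ('blocklist', dch_proxy_blocklist|d([]))] %}
{% if nets %}
acl {{ name }} src {{ nets|join(' ') }}
{% else %}
acl {{ name }} always_false
{% endif %}
{% endfor %}
{% endmacro %}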
{# Plain-HTTP frontend. `:::80` is the IPv6 wildcard only; whether it also
   accepts IPv4 depends on the host's dual-stack (bindv6only) setting, unlike
   main-tls below which binds both address families explicitly -- confirm this
   asymmetry is intended. #}
frontend main
bind :::80
{{ acls() | indent(4) }}
{# Source filtering is applied at connection accept, before any request bytes
   are read. An address present on both lists is allowed (allowlist wins). #}
tcp-request connection reject if blocklist !allowlist
{# Route on the Host header, case-insensitively. site.matcher (optional) is
   passed through as an HAProxy `-m` match method; site.match is inserted
   verbatim, so a value containing whitespace or `}` breaks the ACL. These
   are trusted inventory values, not request data. #}
{% for site in dch_proxy_sites %}
use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
{% endfor %}
{# The kubernetes default applies only to internal networks. An external
   request matching no site selects no backend and is presumably answered
   with an HAProxy error rather than proxied -- verify with the deployed version. #}
use_backend kubernetes if internal_net
{# TLS frontend in tcp mode: TLS is passed through to the backend unterminated
   and routing keys off the clear-text SNI in the ClientHello. The proxy never
   sees the HTTP request, so backends must enforce their own SNI/Host
   consistency rather than trust this selection. #}
frontend main-tls
bind *:443,:::443 v6only
mode tcp
option tcplog
{{ acls() | indent(4) }}
{# Same source filtering as frontend main, applied before content inspection. #}
tcp-request connection reject if blocklist !allowlist
{# Buffer up to 5s for a ClientHello (ssl_hello_type 1) before the
   use_backend rules are evaluated. From memory, a client that sends no
   ClientHello within the delay is let through once it expires and then matches
   no site -- confirm against the HAProxy version in use. #}
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
{# Backend names carry a -tls suffix and must exist in dch_proxy_backends
   with a mode usable from this tcp frontend. site.matcher / site.match are
   rendered verbatim, with the same caveat as in frontend main. #}
{% for site in dch_proxy_sites %}
use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
{% endfor %}
use_backend kubernetes-tls if internal_net
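{# One backend per entry of dch_proxy_backends. Names must match what the
   frontends reference: `<site.backend>` from frontend main,
   `<site.backend>-tls` from frontend main-tls, plus `kubernetes` and
   `kubernetes-tls`. `mode` is optional; when absent the backend inherits
   whatever the defaults section (outside this template) sets.
   server.options is likewise optional: it is rendered verbatim (e.g. health
   check or TLS keywords) and defaults to empty, since rendering an undefined
   key would abort the play under Ansible's default undefined handling. #}
{% for name, backend in dch_proxy_backends.items() %}
backend {{ name }}
{% if backend.mode|d %}
mode {{ backend.mode }}
{% endif %}
{% for server in backend.servers %}
server {{ server.name }} {{ server.host }} {{ server.options|d('') }}
{% endfor %}
{% endfor %}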