haproxy.cfg

global
	log	127.0.0.1 local2  # Send logs to address and channel, picked up by rsyslog via UDP
	maxconn	10000         # Max number of concurrent connections for one process
	user root             # After starting, haproxy drops down to the user specified here
	group root            # After starting, haproxy drops down to the group specified here
	daemon                # Fork process into background (equivalent to command line -D option)

defaults
	mode http                  # Mode http analyzes http in depth, tcp is also possible, which analyzes on layer 4 instead of layer 7
	log global                 # log global makes logging in this instance the same as the global setting
	option httplog             # Enrich logging of http requests
	retries 3                  # Retries to a server after a connection failure (connection attempts only)
	backlog 10000              # If not set, defaults to frontend value which defaults to maxconn value
    option forwardfor          # Add x-forwarded-for header
    option http-server-close   # Enable http close mode on server side, while keeping ability to support http keep-alive and pipelining on client side
	timeout	connect 5s         # Maximum wait time to connect to a server
	timeout	client 30s         # Maximum inactivity time on the client side (when client is expected to ack or send data)
	timeout	server 30s         # Maximum inactivity time on the server side (when server is expected to ack or send data. Recommended to keep equal to timeout client)
	timeout	tunnel 3600s       # Timeout for bidirectional tunnels, e.g. websockets
	timeout client-fin 30s     # Timeout for bidirectional connections when one side is shut down. Useful for websockets when client doesnt disconnect cleanly
	timeout	http-request 15s   # Maximum time to wait for a complete http request (prevents attacks where nothing is sent, but connection is kept open)
	timeout	http-keep-alive 1s # How long to wait for new http request once response has been sent.

# Listen for https requests on port 443
frontend frontend-https
	bind *:443 ssl crt /etc/pki/tls/private/dummycert.pem  # Listen to port 443, and decrypt using the given pem file (cert + key)
	reqadd X-Forwarded-Proto:\ https                       # Add forward header telling the backend that it's a secure connection even though it receives plain text
	acl is_websocket hdr(Upgrade) -i WebSocket             # Check for websockets
	use_backend	backend-websocket if is_websocket          # Redirect to other backend if websockets
	default_backend	backend-http

backend backend-websocket
	server ws-1 127.0.0.1:8080

backend backend-http
	server www-1 127.0.0.1:80