# Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
# Update the config.json to work with HAProxy
# 
# Specify the hostname and port that has the public certificate
# "tlsOffload": "https://mc.publicdomain.com:443",
# 
# Specify the IP address of the HAProxy instance (this might not be the address that is bound to the listener).
# "TrustedProxy": "10.1.1.10",


frontend sni-front
        bind 10.1.1.10:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        default_backend sni-back

backend sni-back
        mode tcp
        acl gitlab-sni req_ssl_sni -i gitlab.publicdomain.com
        acl mc-sni req_ssl_sni -i mc.publicdomain.com
        use-server gitlabSNI if gitlab-sni
        use-server mc-SNI if mc-sni
        server mc-SNI 10.1.1.10:1443 send-proxy-v2-ssl-cn

frontend mc-front-HTTPS
        mode http
        option forwardfor
        bind 10.1.1.10:1443 ssl crt /etc/haproxy/vm.publicdomain.net.pem accept-proxy
        http-request set-header X-Forwarded-Proto https
        option tcpka
        default_backend mc-back-HTTP

backend mc-back-HTTPS
        mode http
        option forwardfor
        http-request add-header X-Forwarded-Host %[req.hdr(Host)]
        option http-server-close
        server mc-01 10.1.1.30:443 check port 443 verify none