
Untitled

a guest
May 25th, 2018
  # Process-wide HAProxy settings: logging, privilege drop, the runtime socket
  # and the TLS defaults inherited by every "bind ... ssl" / "server ... ssl" line.
  global
     # Syslog through the local /dev/log socket: facility local0 at every
     # level, plus facility local1 limited to "notice" and above.
     log /dev/log local0
     log /dev/log local1 notice

     # Run detached as the unprivileged haproxy user/group, confined to a chroot.
     user haproxy
     group haproxy
     chroot /var/lib/haproxy
     daemon

     # Runtime API socket. "level admin" permits every runtime command, so
     # access is governed only by the socket's file mode (660: owner and group).
     stats socket /run/haproxy/admin.sock mode 660 level admin
     stats timeout 30s

     # Base directories for CA files and certificates.
     # Set both to the appropriate path for your distro.
     ca-base /etc/ssl/certs
     crt-base /etc/ssl/private

     # Diffie-Hellman parameters for DHE key exchange. Set to the appropriate
     # path for your distro. Make sure it's 2048 bits for A+ SSL. Generate with
     # 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048'
     ssl-dh-param-file /etc/ssl/certs/dhparam.pem

     # TLS defaults for listening sockets.
     # LEAVE AS IS for A+ SSL that works with cli_wallet.
     # The cipher string prefers AES-GCM suites with ECDHE/DHE key exchange but
     # also admits non-AEAD AES suites as fallbacks; anonymous, MD5 and DSS
     # suites are excluded.
     ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS
     # no-sslv3 turns off SSLv3 only; no-tls-tickets disables stateless session
     # tickets.
     # NOTE(review): nothing here disables TLS 1.0/1.1 (no-tlsv10 / no-tlsv11);
     # whether they are offered depends on the HAProxy/OpenSSL build. Confirm
     # cli_wallet compatibility before tightening.
     ssl-default-bind-options no-sslv3 no-tls-tickets

     # The same TLS defaults for outbound connections to servers.
     # LEAVE AS IS for A+ SSL that works with cli_wallet.
     # No server line in this listing uses "ssl", so these only take effect if
     # one is added.
     ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS
     ssl-default-server-options no-sslv3 no-tls-tickets

     # Two worker processes.
     # NOTE(review): each process keeps its own counters, so the stats socket
     # and the stats page report one process at a time unless bound with the
     # "process" keyword. nbproc was removed in HAProxy 2.5; verify against the
     # deployed version.
     nbproc 2

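  # Settings inherited by every frontend and backend below unless overridden.
  defaults
     log     global
     mode    http
     option  httplog
     retries 3
     backlog 10000

     # Custom pages returned for errors generated by HAProxy itself.
     errorfile 400 /etc/haproxy/errors/400.http
     errorfile 403 /etc/haproxy/errors/403.http
     errorfile 408 /etc/haproxy/errors/408.http
     errorfile 500 /etc/haproxy/errors/500.http
     errorfile 502 /etc/haproxy/errors/502.http
     errorfile 503 /etc/haproxy/errors/503.http
     errorfile 504 /etc/haproxy/errors/504.http

     # Connections that close without sending any data are not logged.
     # NOTE(review): on an internet-facing listener this also hides port scans
     # and probes from the logs; drop the option if that visibility is needed.
     option dontlognull
     # Negates http-server-close; it is not enabled anywhere in this listing.
     no option http-server-close
     # Update traffic counters continuously instead of once per session.
     option contstats
     # Appends the client address in an X-Forwarded-For header. Headers already
     # sent by the client are kept, so backends should rely only on the last
     # value, and only when the request arrives from this proxy.
     option forwardfor
     # Allow a retried connection to be sent to another server.
     option redispatch
     # HTTP health checks for every server declared with "check".
     option httpchk

     # Bound the total time a client may take to send complete request headers.
     # Without it only the inactivity-based "timeout client" applies, so a
     # client sending a few bytes at a time can hold a connection slot open.
     timeout http-request    10s
     timeout client          25s
     timeout connect          5s
     timeout server          25s
     # Applies once a connection is upgraded (e.g. WebSocket) and replaces the
     # client/server timeouts for that connection.
     timeout tunnel          60s

     # Health-check cadence: probe every 3s, 2 successes mark a server up,
     # 3 failures mark it down.
     default-server inter 3s rise 2 fall 3
     # Concurrent-connection limit applied to each frontend.
     maxconn 2000
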
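  # Public TLS entry point on port 443: terminates TLS, sets HSTS, routes ACME
  # challenges and node traffic, and serves the statistics page.
  frontend nodes_front
     # Replace with your SSL certificate PEM file. See
     # https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04
     # strict-sni refuses handshakes whose SNI matches no loaded certificate.
     bind *:443 ssl strict-sni  crt /etc/ssl/host.my-node-domain.com/host.my-node-domain.com.pem
     # For A+ SSL: HSTS with a max-age of roughly six months.
     http-response set-header Strict-Transport-Security max-age=15768000

     # hdr_end is a suffix match: any Host value ending in this string is
     # accepted (constructed example: otherhost.my-node-domain.com).
     # NOTE(review): use hdr(host) if only the exact name should be routed.
     acl is_bsi_node            hdr_end(host)    -i host.my-node-domain.com
     # These two ACLs are declared but not referenced by any rule in this
     # frontend.
     acl hdr_connection_upgrade hdr(Connection)  -i upgrade
     acl hdr_upgrade_websocket  hdr(Upgrade)     -i websocket
     acl is_bsi_certbot path_beg -i /.well-known/acme-challenge

     # Every connection on this bind is TLS, so "!{ ssl_fc }" is never true
     # here and this rule does not fire; the port-80 frontend performs the
     # actual redirect.
     redirect scheme https code 301 if !{ ssl_fc } !is_bsi_certbot
     use_backend bsi_certbot if is_bsi_certbot
     # No default_backend is set: requests matching neither ACL get a 503.
     use_backend bsi_node if is_bsi_node

     # Statistics page, available under https://host.my-node-domain.com/stats
     # It lists backend server addresses, health state and traffic counters,
     # and this frontend is reachable from the internet, so it must not be
     # served without authentication.
     stats enable
     stats hide-version
     stats uri /stats
     stats refresh 10s
     # PLACEHOLDER credentials: replace both parts before deploying. The
     # password is stored in clear text here, so keep this file readable by
     # root/haproxy only.
     stats auth REPLACE_WITH_USER:REPLACE_WITH_LONG_RANDOM_PASSWORD
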
  # Cleartext listener on port 80. It serves only ACME HTTP-01 challenges;
  # every other request is answered with a permanent redirect to https.
  frontend nodes_front_http
     bind *:80
     mode http
     option httplog

     # Requests under /.well-known/acme-challenge go to the certbot backend.
     acl is_bsi_certbot path_beg -i /.well-known/acme-challenge

     # No connection on this bind is TLS, so "!{ ssl_fc }" always holds and the
     # 301 applies to everything except the challenge path. Nothing else is
     # proxied to a backend over plain HTTP from this frontend.
     redirect scheme https code 301 if !{ ssl_fc } !is_bsi_certbot
     use_backend bsi_certbot if is_bsi_certbot

  # Target for ACME challenge requests: a listener on the proxy host itself at
  # localhost:7443, reached over plain HTTP.
  backend bsi_certbot
     log global
     mode http
     # No "check" keyword, so the server is never health-checked and is always
     # treated as up.
     # NOTE(review): presumably certbot listens here only during issuance and
     # renewal; outside those windows challenge requests fail at the proxy.
     server certbot localhost:7443

  # Node pool: three equally weighted servers behind round-robin balancing.
  backend bsi_node
     balance roundrobin

     # Health check request, sent to the check port given on each server line.
     # NOTE(review): the HTTP/1.1 request carries no Host header; a strict
     # checker may reject it. Confirm against the service on port 8095.
     option httpchk GET / HTTP/1.1

     # x.x.x.x are placeholders for the node addresses. Traffic goes to port
     # 8090, health checks to port 8095, at most 500 connections per server.
     # There is no "ssl" keyword on these lines, so the hop from proxy to node
     # is unencrypted HTTP: keep it on a trusted network and make ports 8090
     # and 8095 reachable from the proxy only.
     server host1 x.x.x.x:8090 maxconn 500 weight 10 check port 8095
     server host2 x.x.x.x:8090 maxconn 500 weight 10 check port 8095
     server host3 x.x.x.x:8090 maxconn 500 weight 10 check port 8095