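# HAProxy configuration template. The Handlebars placeholders are filled in
# before HAProxy reads the file. It renders one HTTP/HTTPS frontend that routes
# by map lookup, one backend per entry of the "http" list and one TCP listener
# per entry of the "tcp" list; each of them targets every entry of "workers".
#
# NOTE(review): names, addresses and ports are written into the configuration
# as-is. Validate them where the template data is built (no whitespace or line
# breaks, numeric ports) so a malformed value cannot add directives, and confirm
# that the renderer's default HTML escaping does not alter them.

global

defaults
    # "balance" is a proxy keyword, so it is set here instead of under "global".
    # The mode is spelled out because HAProxy defaults to tcp, and the
    # http-request rules below (including the deny) only apply in HTTP mode.
    mode http
    balance roundrobin
    # NOTE(review): no "timeout client", "timeout connect" or "timeout server"
    # is visible in this file. Set them to values that suit the deployment so
    # idle or stalled connections are released.

frontend http
    bind :80
    # NOTE(review): the accepted TLS versions and ciphers are left to the build
    # defaults here; consider pinning a floor with "ssl-min-ver" on this line.
    bind :443 ssl crt /etc/haproxy/cert.pem
    # Appends the client address in a new X-Forwarded-For header. A header sent
    # by the client is kept, so backends should trust only the last value.
    option forwardfor

    # Test configuration
    #http-request set-header Host domain.local

    # Set environment
    # req.backend is looked up from the Host header first, then from "base"
    # (host + path) by prefix. Presumably a miss in the second lookup leaves the
    # first result in place - confirm on the HAProxy version in use.
    http-request set-var(req.backend) req.hdr(host),map_str(/etc/haproxy/maps/host.map)
    http-request set-var(req.backend) base,map_beg(/etc/haproxy/maps/base.map)
    # req.acl is derived from the client source address.
    http-request set-var(req.acl) src,map_ip(/etc/haproxy/maps/acl.map)
    # req.zone is derived from the selected backend.
    http-request set-var(req.zone) var(req.backend),map_str(/etc/haproxy/maps/zone.map)
    # req.aclZone is "<acl>/<zone>", the key checked against access.map below.
    http-request set-var(req.aclZone) var(req.acl),concat(/,req.zone)

    # Debug
    #http-request set-var(txn.debug) var(req.varName)
    #log-format "%[var(txn.debug)]"

    # ACL check
    # Default deny: only acl/zone pairs listed in access.map pass. A request
    # whose lookups found nothing should fail this check - verify that with a
    # source address and a host that are absent from the maps.
    acl allow var(req.aclZone) -f /etc/haproxy/maps/access.map
    http-request deny if !allow

    # HTTPS redirect
    acl https var(req.backend) -f /etc/haproxy/maps/https.map
    # set-header replaces any X-Forwarded-Proto sent by the client, and the
    # header is removed on plain HTTP, so a client cannot claim that a cleartext
    # request arrived over TLS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request del-header X-Forwarded-Proto if !{ ssl_fc }
    # Only backends listed in https.map are redirected to HTTPS.
    redirect scheme https if !{ ssl_fc } https

    # Backend
    # Requests for which req.backend does not name a backend go to not-found.
    default_backend not-found
    use_backend %[var(req.backend)]

backend not-found
    http-request deny deny_status 400

#+++++++++++++++++++++++++++++++ HTTP backends
{{#each http}}
backend {{name}}
    {{#each ../workers}}
    server {{name}}:{{../port}} {{address}}:{{../port}} check
    {{/each}}
{{/each}}

#+++++++++++++++++++++++++++++++ TCP backends
# NOTE(review): these listeners bind their own ports and do not pass through
# the frontend above, so the source-address check against access.map does not
# cover them. Restrict them separately if they must not be reachable by every
# client.
# NOTE(review): the listener name uses the target port while the bind and
# server lines use the port field - confirm that this is intended.
{{#each tcp}}
listen {{name}}:{{targetPort}}
    bind :{{port}}
    mode tcp
    {{#each ../workers}}
    server {{name}}:{{../port}} {{address}}:{{../port}} check
    {{/each}}
{{/each}}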