images/router/haproxy/conf/haproxy-config.template

{{/*
    haproxy-config.cfg: contains the main config with helper backends that are used to terminate
    					encryption before finally sending to a host_be which is the backend that is the final
    					backend for a route and contains all the endpoints for the service
*/}}
{{ define "/var/lib/haproxy/conf/haproxy.config" }}
{{ $workingDir := .WorkingDir }}
global
  maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}

  daemon
{{ with (env "ROUTER_SYSLOG_ADDRESS" "") }}
  log {{.}} {{env "ROUTER_LOG_FACILITY" "local1"}} {{env "ROUTER_LOG_LEVEL" "warning"}}
{{ end}}
  ca-base /etc/ssl
  crt-base /etc/ssl
  stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin
  stats timeout 2m

  # Prevent vulnerability to POODLE attacks
  # TODO: use when 1.5.14 is available
  # ssl-default-bind-options no-sslv3

  # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
  # tune.ssl.default-dh-param 2048
  # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

  # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
  # tune.ssl.default-dh-param 1024
  # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
  maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}

  # Add x-forwarded-for header.
{{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
  option httplog
  log global
{{ end }}

  # To configure custom default errors, you can either uncomment the
  # line below (server ... 127.0.0.1:8080) and point it to your custom
  # backend service or alternatively, you can send a custom 503 error.
  #server openshift_backend 127.0.0.1:8080
  errorfile 503 /var/lib/haproxy/conf/error-page-503.http

{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_CONNECT_TIMEOUT" "")) }}
  timeout connect {{env "ROUTER_DEFAULT_CONNECT_TIMEOUT" "5s"}}
{{ else }}
  timeout connect 5s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_CLIENT_TIMEOUT" "")) }}
  timeout client {{env "ROUTER_DEFAULT_CLIENT_TIMEOUT" "30s"}}
{{ else }}
  timeout client 30s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_SERVER_TIMEOUT" "")) }}
  timeout server {{env "ROUTER_DEFAULT_SERVER_TIMEOUT" "30s"}}
{{ else }}
  timeout server 30s
{{ end }}
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
  timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
{{ else }}
  timeout http-request 10s
{{ end }}

  # Long timeout for WebSocket connections.
{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_DEFAULT_TUNNEL_TIMEOUT" "")) }}
  timeout tunnel {{env "ROUTER_DEFAULT_TUNNEL_TIMEOUT" "1h" }}
{{ else }}
  timeout tunnel 1h
{{ end }}

{{ if (matchPattern "true|TRUE" (env "ROUTER_ENABLE_COMPRESSION" "false")) }}
  compression algo gzip
  {{ with  $mimeType := (env "ROUTER_COMPRESSION_MIME" "text/html text/plain text/css") }}  
  compression type {{$mimeType}}  
  {{end}}
{{end}}

{{ if (gt .StatsPort 0) }}
listen stats :{{.StatsPort}}
{{ else }}
listen stats :1936
{{ end }}
    mode http
    # Health check monitoring uri.
    monitor-uri /healthz

{{ if and (and (ne .StatsUser "") (ne .StatsPassword "")) (gt .StatsPort 0) }}
    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth {{.StatsUser}}:{{.StatsPassword}}
{{ end }}

{{ if .BindPorts }}
frontend public
  bind :{{env "ROUTER_SERVICE_HTTP_PORT" "80"}}{{ if matchPattern "true|TRUE" (env "ROUTER_USE_PROXY_PROTOCOL" "") }} accept-proxy{{ end }}
  mode http
  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP

  # check if we need to redirect/force using https.
  acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
  redirect scheme https if secure_redirect

  # Check if it is an edge or reencrypt route exposed insecurely.
  acl route_http_expose base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map) -m found
  use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map)] if route_http_expose

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_http_%[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]

  default_backend openshift_default

# public ssl accepts all connections and isn't checking certificates yet certificates to use will be
# determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
# that terminates encryption in this router (edge)
frontend public_ssl
  bind :{{env "ROUTER_SERVICE_HTTPS_PORT" "443"}}{{ if matchPattern "true|TRUE" (env "ROUTER_USE_PROXY_PROTOCOL" "") }} accept-proxy{{ end }}
  tcp-request  inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
  acl sni req.ssl_sni -m found
  acl sni_passthrough req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
  use_backend be_tcp_%[req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough

  # if the route is SNI and NOT passthrough enter the termination flow
  use_backend be_sni if sni

  # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
  # will not be able to match a cert to an SNI host
  default_backend be_no_sni

##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with custom certificates.
# Certs will be stored in a directory and will be matched with the SNI host header
# which must exist in the CN of the certificate.  Certificates must be concatenated
# as a single file (handled by the plugin writer) per the haproxy documentation.
#
# Finally, check re-encryption settings and re-encrypt or just pass along the unencrypted
# traffic
##########################################################################
backend be_sni
  server fe_sni 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} weight 1 send-proxy

frontend fe_sni
  # terminate ssl on edge
  bind 127.0.0.1:{{env "ROUTER_SERVICE_SNI_PORT" "10444"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
  mode http

  # check re-encrypt backends first - from most specific to general path.
  acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

  # Search from most specific to general path (host case).
  use_backend be_secure_%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_edge_http_%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]

  default_backend openshift_default

##########################################################################
# END TLS SNI
##########################################################################

##########################################################################
# TLS NO SNI
#
# When we don't have SNI the only thing we can try to do is terminate the encryption
# using our wild card certificate.  Once that is complete we can either re-encrypt
# the traffic or pass it on to the backends
##########################################################################
# backend for when sni does not exist, or ssl term needs to happen on the edge
backend be_no_sni
  server fe_no_sni 127.0.0.1:{{env "ROUTER_SERVICE_NO_SNI_PORT" "10443"}} weight 1 send-proxy

frontend fe_no_sni
  # terminate ssl on edge
  bind 127.0.0.1:{{env "ROUTER_SERVICE_NO_SNI_PORT" "10443"}} ssl no-sslv3 {{ if gt (len .DefaultCertificate) 0 }}crt {{.DefaultCertificate}}{{ else }}crt /var/lib/haproxy/conf/default_pub_keys.pem{{ end }} accept-proxy
  mode http

  # check re-encrypt backends first - path or host based.
  acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found

  # Search from most specific to general path (host case).
  use_backend be_secure_%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

  # map to http backend
  # Search from most specific to general path (host case).
  # Note: If no match, haproxy uses the default_backend, no other
  #       use_backend directives below this will be processed.
  use_backend be_edge_http_%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]

  default_backend openshift_default

##########################################################################
# END TLS NO SNI
##########################################################################

backend openshift_default
  mode http
  option forwardfor
  #option http-keep-alive
  option http-pretend-keepalive

##-------------- app level backends ----------------
{{/*
       1. If termination is not set: This is plain http -> http.  Create a be_http_<service> backend.
          Incoming http traffic is terminated and sent as http to the pods.

       2. If termination is type 'edge': This is https -> http.  Create a be_edge_http_<service> backend.
          Incoming https traffic is terminated and sent as http to the pods.

       3. If termination is type 'reencrypt': This is https -> https.  Create a be_secure_<service> backend.
          Incoming https traffic is terminated and then sent as https to the pods.

       4. If termination is type 'passthrough': This is https (or any SNI TLS connection) passthrough.
          Create a be_tcp_<service> backend.
          Incoming traffic is inspected to get the hostname from the SNI header, but then all traffic is
          passed through to the backend pod by just looking at the TCP headers.
*/}}
{{ range $cfgIdx, $cfg := .State }}
  {{ if or (eq $cfg.TLSTermination "") (eq $cfg.TLSTermination "edge") }}
    {{ if (eq $cfg.TLSTermination "") }}
# Plain http backend
backend be_http_{{$cfgIdx}}
    {{ else }}
# Plain http backend but request is TLS, terminated at edge
backend be_edge_http_{{$cfgIdx}}
    {{ end }}
  mode http
  option redispatch
  option forwardfor
    {{ with $balanceAlgo := index $cfg.Annotations "haproxy.router.openshift.io/balance" }}
      {{ with $matchValue := (matchValues $balanceAlgo "roundrobin" "leastconn" "source" ) }}
  balance {{ $balanceAlgo }}
      {{ end }}
    {{ else }}
      {{ if (matchPattern "roundrobin|leastconn|source" (env "ROUTER_LOAD_BALANCE_ALGORITHM" "")) }}
  balance {{ env "ROUTER_LOAD_BALANCE_ALGORITHM" "leastconn"}}
      {{ else }}
  balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}leastconn{{ end }}
      {{ end }}
    {{ end }}
    {{ with $value := index $cfg.Annotations "haproxy.router.openshift.io/timeout"}}
      {{if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $value) }}
  timeout server  {{$value}}
      {{ end }}
    {{ end }}

{{ if matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections") }}
  stick-table type ip size 100k expire 30s store conn_cur,conn_rate(3s),http_req_rate(10s)
  tcp-request content track-sc2 src
  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp")) }} 
  tcp-request content reject if { src_conn_cur ge  {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp" }} }
  {{ else }}
  # concurrent TCP connections not restricted
  {{ end }}

  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp")) }} 
  tcp-request content reject if { src_conn_rate ge {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp" }} }
  {{ else }}
  #TCP connection rate not restricted
  {{ end }}

  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-http")) }} 
  tcp-request content reject if { src_http_req_rate ge {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-http" }} }
  {{ else }}
  #HTTP request rate not restricted
  {{ end }}
{{ end }}

  timeout check 5000ms
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
    {{ if and (eq $cfg.TLSTermination "edge") (ne $cfg.InsecureEdgeTerminationPolicy "Allow") }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
    {{ else }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
    {{ end }}
  {{ end }}
  http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
      {{ if ne $weight 0 }}
        {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
          {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
            {{ if $endpoint.NoHealthCheck }}
              server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} cookie {{$endpoint.IdHash}} weight {{$weight}}
            {{ else }}
              {{ with $healthIntv := index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval" }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $healthIntv) }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{$healthIntv}} cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ else }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ end }}
              {{ else }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_BACKEND_CHECK_INTERVAL" "")) }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{env "ROUTER_BACKEND_CHECK_INTERVAL" "5000ms"}} cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ else }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ end }}
              {{ end }}
            {{ end }}
          {{ end }}
        {{ end }}
      {{ end }}{{/* end if weight != 0 */}}
    {{ end }}{{/* end iterate over services */}}
  {{ end }}{{/* end if tls==edge/none */}}

  {{ if eq $cfg.TLSTermination "passthrough" }}
# Secure backend, pass through
backend be_tcp_{{$cfgIdx}}
{{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
  option tcplog
{{ end }}
    {{ with $balanceAlgo := index $cfg.Annotations "haproxy.router.openshift.io/balance" }}
      {{ with $matchValue := (matchValues $balanceAlgo "roundrobin" "leastconn" "source" ) }}
  balance {{ $balanceAlgo }}
      {{ end }}
    {{ else }}
      {{ if (matchPattern "roundrobin|leastconn|source" (env "ROUTER_TCP_BALANCE_SCHEME" "")) }}
  balance {{ env "ROUTER_TCP_BALANCE_SCHEME" "source"}}
      {{ else }}
  balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}source{{ end }}
      {{ end }}
    {{ end }}
    {{ with $value := index $cfg.Annotations "haproxy.router.openshift.io/timeout"}}
      {{if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $value) }}
  timeout tunnel  {{$value}}
      {{ end }}
    {{ end }}

{{ if matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections") }}
  stick-table type ip size 100k expire 30s store conn_cur,conn_rate(3s),http_req_rate(10s)
  tcp-request content track-sc2 src
  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp")) }}
  tcp-request content reject if { src_conn_cur ge  {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp" }} }
  {{ else }}
  # concurrent TCP connections not restricted
  {{ end }}

  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp")) }}
  tcp-request content reject if { src_conn_rate ge {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp" }} }
  {{ else }}
  #TCP connection rate not restricted
  {{ end }}
{{ end }}

  hash-type consistent
  timeout check 5000ms
    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
      {{ if ne $weight 0 }}
        {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
          {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
            {{ if $endpoint.NoHealthCheck }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} weight {{$weight}}
            {{ else }}
              {{ with $healthIntv := index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval" }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $healthIntv) }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{$healthIntv}} weight {{$weight}}
                {{ else }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms weight {{$weight}}
                {{ end }}
              {{ else }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_BACKEND_CHECK_INTERVAL" "")) }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter {{env "ROUTER_BACKEND_CHECK_INTERVAL" "5000ms"}} weight {{$weight}}
                {{ else }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms weight {{$weight}}
                {{ end }}
              {{ end }}
            {{ end }}
          {{ end }}{{/* end range endpointsForAlias */}}
        {{ end }}{{/* end get ServiceUnit from serviceUnitName */}}
      {{ end }}{{/* end if weight != 0 */}}
    {{ end }}{{/* end iterate over services*/}}
  {{ end }}{{/*end tls==passthrough*/}}

  {{ if eq $cfg.TLSTermination "reencrypt" }}
# Secure backend which requires re-encryption
backend be_secure_{{$cfgIdx}}
  mode http
  option redispatch
    {{ with $balanceAlgo := index $cfg.Annotations "haproxy.router.openshift.io/balance" }}
      {{ with $matchValue := (matchValues $balanceAlgo "roundrobin" "leastconn" "source" ) }}
  balance {{ $balanceAlgo }}
      {{ end }}
    {{ else }}
      {{ if (matchPattern "roundrobin|leastconn|source" (env "ROUTER_LOAD_BALANCE_ALGORITHM" "")) }}
  balance {{ env "ROUTER_LOAD_BALANCE_ALGORITHM" "leastconn"}}
      {{ else }}
  balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}leastconn{{ end }}
      {{ end }}
    {{ end }}
    {{ with $value := index $cfg.Annotations "haproxy.router.openshift.io/timeout"}}
      {{if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $value) }}
  timeout server  {{$value}}
      {{ end }}
    {{ end }}

{{ if matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections") }}
  stick-table type ip size 100k expire 30s store conn_cur,conn_rate(3s),http_req_rate(10s)
  tcp-request content track-sc2 src
  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp")) }}
  tcp-request content reject if { src_conn_cur ge  {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp" }} }
  {{ else }}
  # concurrent TCP connections not restricted
  {{ end }}

  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp")) }}
  tcp-request content reject if { src_conn_rate ge {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-tcp" }} }
  {{ else }}
  #TCP connection rate not restricted
  {{ end }}

  {{ if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-http")) }}
  tcp-request content reject if { src_http_req_rate ge {{ index $cfg.Annotations "haproxy.router.openshift.io/rate-limit-connections.rate-http" }} }
  {{ else }}
  #HTTP request rate not restricted
  {{ end }}
{{ end }}

  timeout check 5000ms
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  {{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
    {{ if ne $cfg.InsecureEdgeTerminationPolicy "Allow" }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
    {{ else }}
  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
    {{ end }}
  {{ end }}
    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
      {{ if ne $weight 0 }}
        {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
          {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
            {{ if $endpoint.NoHealthCheck }}
  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}} weight {{$weight}}
            {{ else }}
              {{ with $healthIntv := index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval" }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" $healthIntv) }}
    server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter {{$healthIntv}} verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ else }}
    server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{$workingDir}}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ end }}
              {{ else }}
                {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_BACKEND_CHECK_INTERVAL" "")) }}
    server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter {{env "ROUTER_BACKEND_CHECK_INTERVAL" "5000ms"}} verify required ca-file {{$workingDir}}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ else }}
    server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{$workingDir}}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}} weight {{$weight}}
                {{ end }}
              {{ end }}{{/* end get health interval annotation */}}
            {{ end }}{{/* end else no health check */}}
          {{ end }}{{/* end range endpointsForAlias */}}
        {{ end }}{{/* end get serviceUnit from its name */}}
      {{ end }}{{/* end if weight != 0 */}}
    {{ end }}{{/* end range over serviceUnitNames */}}
  {{ end }}{{/* end tls==reencrypt */}}
{{ end }}{{/* end loop over routes */}}
{{ else }}
# Avoiding binding ports until routing configuration has been synchronized.
{{ end }}{{/* end bind ports after sync */}}
{{ end }}{{/* end haproxy config template */}}

{{/*--------------------------------- END OF HAPROXY CONFIG, BELOW ARE MAPPING FILES ------------------------*/}}
{{/*
    os_wildcard_domain.map: contains a mapping of wildcard hosts for a
			[sub]domain regexps. This map is used to check if
			a host matches a [sub]domain with has wildcard support.
*/}}
{{ define "/var/lib/haproxy/conf/os_wildcard_domain.map" }}
{{     if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
{{       range $idx, $cfg := .State }}
{{         if ne $cfg.Host ""}}
{{           if $cfg.IsWildcard }}
{{generateRouteRegexp $cfg.Host "" true}} 1
{{           end }}
{{         end }}
{{       end }}
{{     end }}{{/* end if router allows wildcard routes */}}
{{ end }}{{/* end wildcard domain map template */}}

{{/*
    os_http_be.map: contains a mapping of www.example.com -> <service name>.  This map is used to discover the correct backend
                        by attaching a prefix (be_http_) by use_backend statements if acls are matched.
*/}}
{{ define "/var/lib/haproxy/conf/os_http_be.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "")}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{       end }}
{{     end }}
{{ end }}{{/* end http host map template */}}

{{/*
    os_edge_http_be.map: same as os_http_be.map but allows us to separate tls from non-tls routes to ensure we don't expose
                            a tls only route on the unsecure port
*/}}
{{ define "/var/lib/haproxy/conf/os_edge_http_be.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge")}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{       end }}
{{     end }}
{{ end }}{{/* end edge http host map template */}}

{{/*
    os_route_http_expose.map: contains a mapping of www.example.com -> <service name>.
    Map is used to also expose edge terminated and reencrypt routes via an insecure scheme
    (http) if acls match for routes with insecure option set to expose.
*/}}
{{ define "/var/lib/haproxy/conf/os_route_http_expose.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (and (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) (eq $cfg.InsecureEdgeTerminationPolicy "Allow"))}}
{{         if (eq $cfg.TLSTermination "edge") }}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http_{{$idx}}
{{         else }}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure_{{$idx}}
{{         end }}
{{       end }}
{{     end }}
{{ end }}{{/* end edge and reencrypt expose http host map template */}}

{{/*
    os_route_http_redirect.map: contains a mapping of www.example.com -> <service name>.
    Map is used to redirect insecure traffic to use a secure scheme (https)
    if acls match for routes that have the insecure option set to redirect.
*/}}
{{ define "/var/lib/haproxy/conf/os_route_http_redirect.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (eq $cfg.InsecureEdgeTerminationPolicy "Redirect")}}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{       end }}
{{     end }}
{{ end }}{{/* end redirect http host map template */}}


{{/*
    os_tcp_be.map: contains a mapping of www.example.com -> <service name>.  This map is used to discover the correct backend
                        by attaching a prefix (be_tcp_ or be_secure_) by use_backend statements if acls are matched.
*/}}
{{ define "/var/lib/haproxy/conf/os_tcp_be.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (eq $cfg.Path "") (and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "passthrough") (eq $cfg.TLSTermination "reencrypt"))) }}
{{generateRouteRegexp $cfg.Host "" $cfg.IsWildcard}} {{$idx}}
{{       end }}
{{     end }}
{{ end }}{{/* end tcp host map template */}}

{{/*
    os_sni_passthrough.map: contains a mapping of routes that expect to have an sni header and should be passed
    					through to the host_be.  Driven by the termination type of the ServiceAliasConfigs
*/}}
{{ define "/var/lib/haproxy/conf/os_sni_passthrough.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (eq $cfg.Path "") (eq $cfg.TLSTermination "passthrough") }}
{{generateRouteRegexp $cfg.Host "" $cfg.IsWildcard}} 1
{{       end }}
{{     end }}
{{ end }}{{/* end sni passthrough map template */}}


{{/*
    os_reencrypt.map: marker that the host is configured to use a secure backend, allows the selection of a backend
                    that does specific checks that avoid mitm attacks: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
*/}}
{{ define "/var/lib/haproxy/conf/os_reencrypt.map" }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") }}
{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
{{       end }}
{{     end }}
{{ end }}{{/* end reencrypt map template */}}

{{/*
    cert_config.map: contains a mapping of <cert-file> -> example.org
                     This map is used to present the appropriate cert
                     based on the sni header.
    Note: It is sort of a reverse map for our case but the order
          "<cert>: <domain-set>" is important as this allows us to use
         wildcards and/or use a deny set with !<domain> in the future.
*/}}
{{ define "/var/lib/haproxy/conf/cert_config.map" }}
{{     $workingDir := .WorkingDir }}
{{     range $idx, $cfg := .State }}
{{       if and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "edge") (eq $cfg.TLSTermination "reencrypt")) }}
{{         $cert := index $cfg.Certificates $cfg.Host }}
{{         if ne $cert.Contents "" }}
{{$workingDir}}/certs/{{$idx}}.pem {{genCertificateHostName $cfg.Host $cfg.IsWildcard}}
{{         end }}
{{      end }}
{{     end }}
{{ end }}{{/* end cert_config map template */}}