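# Edge proxy: terminates TLS on :443 (plus QUIC/HTTP3 when the binary is built
# with it) and forwards to a single local HTTP backend.
global
    # relative file names are resolved from the directory holding this file
    default-path config
    # zero-warning is left disabled, so startup warnings do not block the
    # start; check the startup log after every change
    #zero-warning
    maxconn 20000
    log 127.0.0.1 local0
    #pidfile /run/haproxy.pid
    # old processes are killed at most 5 minutes after a reload
    hard-stop-after 5m
    daemon

    # Drop privileges once the listeners are bound. `user` is declared only
    # once: the file used to repeat it, which HAProxy reports at parse time
    # ("user/uid already specified").
    user haproxy
    group haproxy
    # NOTE(review): no chroot is configured; consider adding
    # `chroot <empty-directory>` so a compromised worker sees no filesystem.

    # TLS 1.2+ only, AEAD suites with forward secrecy, no session tickets.
    # NOTE(review): the DHE-RSA entries need DH parameters and none are set in
    # this file; confirm how the deployed version handles that
    # (tune.ssl.default-dh-param) or drop the two DHE suites.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# default settings common to all HTTP proxies below
defaults
    mode http
    log global
    timeout client 1m
    timeout server 1m
    timeout connect 10s
    timeout http-keep-alive 2m
    timeout queue 15s
    timeout tunnel 4h  # for websocket

frontend external
    bind :443 name secure ssl crt /etc/haproxy/cert.pem
.if feature(QUIC)
    bind quic4@:443 name quic ssl crt /etc/haproxy/cert.pem
    # advertise HTTP/3 on the same port; clients cache this for 90000 s
    http-response add-header alt-svc 'h3=":443"; ma=90000'
.endif

    # NOTE(review): every bind line above is `ssl`, so this redirect has
    # nothing to match as written. It only takes effect if a cleartext bind is
    # added to this frontend.
    http-request redirect scheme https code 308 unless { ssl_fc }
    # NOTE(review): no Strict-Transport-Security header is sent; consider
    # adding one once HTTPS-only operation is confirmed.

    # Discard any client-supplied X-Forwarded-For before `option forwardfor`
    # appends the real peer address, so the backend cannot be fed a spoofed
    # source IP.
    http-request del-header x-forwarded-for
    option forwardfor
    option httplog
    # set-header overwrites a client-supplied value, but only on TLS
    # connections; if a cleartext bind is ever added, also delete the
    # incoming X-Forwarded-Proto on that path.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # enable HTTP compression of text contents
    # NOTE(review): compressing responses that mix secrets with
    # attacker-influenced content is exposed to BREACH-style length leaks;
    # verify what the backend returns under these content types.
    compression algo deflate gzip
    compression type text/ application/javascript application/xhtml+xml image/x-icon
    default_backend domserver

backend domserver
    balance leastconn
    # drop queued requests whose client has already gone away
    option abortonclose
    # `check` without `option httpchk` is a plain TCP connect probe, run every
    # second. Connections beyond maxconn 100 wait in the queue, for at most
    # `timeout queue` (15s).
    server gitea1 127.0.0.1:8080 maxconn 100 check inter 1s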