# {{ ansible_managed }}

frontend front_rspamd
	log             global
	bind 		/var/run/haproxy/rspamd.https mode 600 user haproxy group haproxy ssl crt /usr/local/etc/haproxy/{{ ansible_fqdn }}.pem alpn h2,http/1.1 accept-proxy
	http-request    set-src src,ipmask(16,56)
	use_backend	back_rspamd

backend back_rspamd
	server		rspamd_controller /rspamd/controller
	option          forwardfor
	http-request    add-header X-Forwarded-Proto https
	http-request    add-header X-Forwarded-Port 443

backend sni_rspamd
        mode            tcp
	acl             clienthello req_ssl_hello_type 1
	acl             serverhello rep_ssl_hello_type 2
	tcp-request     inspect-delay 5s
	tcp-request     content accept if clienthello
	tcp-response    content accept if serverhello
	option          ssl-hello-chk
	server          rspamd_https /rspamd.https send-proxy