From 607f829431e7fcebea6347e7d9af5a4ed75b2453 Mon Sep 17 00:00:00 2001
From: Amir Zarrinkafsh <nightah@me.com>
Date: Wed, 23 Sep 2020 17:29:46 +1000
Subject: [PATCH] [DOCS] Clean HAProxy examples (#1338)

Remove headers that are not required and fix a typo.
---
 docs/deployment/supported-proxies/haproxy.md  |  4 +--
 .../example/compose/haproxy/haproxy.cfg       | 29 +++++++++----------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/docs/deployment/supported-proxies/haproxy.md b/docs/deployment/supported-proxies/haproxy.md
index 71ea3745..e1fc03b0 100644
--- a/docs/deployment/supported-proxies/haproxy.md
+++ b/docs/deployment/supported-proxies/haproxy.md
@@ -62,7 +62,7 @@ backend upon successful authentication, for example:
 ### Secure Authelia with TLS
 There is a [known limitation](https://github.com/TimWolla/haproxy-auth-request/issues/12) with haproxy-auth-request with regard to TLS-enabled backends.
 If you want to run Authelia TLS enabled the recommended workaround utilises HAProxy itself to proxy the requests.
-This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexbility with regard
+This comes at a cost of two additional TCP connections, but allows the full HAProxy configuration flexibility with regard
 to TLS verification as well as header rewriting. An example of this configuration is also be provided below.
 
 #### Configuration
@@ -98,7 +98,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
@@ -155,7 +154,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # Protect endpoints with haproxy-auth-request and Authelia
diff --git a/internal/suites/example/compose/haproxy/haproxy.cfg b/internal/suites/example/compose/haproxy/haproxy.cfg
index f05bce6c..d810e56d 100644
--- a/internal/suites/example/compose/haproxy/haproxy.cfg
+++ b/internal/suites/example/compose/haproxy/haproxy.cfg
@@ -20,10 +20,10 @@ frontend fe_api
 frontend fe_http
     bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem
 
-    acl host-authelia-portal hdr(host) -i login.example.com:8080
     acl api-path path_beg -i /api
+    acl headers-path path -i -m end /headers
+    acl host-authelia-portal hdr(host) -i login.example.com:8080
     acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com
-    acl is_headers path -i -m end /headers
 
     http-request set-var(req.scheme) str(https) if { ssl_fc }
     http-request set-var(req.scheme) str(http) if !{ ssl_fc }
@@ -32,7 +32,6 @@ frontend fe_http
     http-request set-header X-Real-IP %[src]
     http-request set-header X-Forwarded-Proto %[var(req.scheme)]
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
     http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
 
     # be_auth_request is used to make HAProxy do the TLS termination since the Lua script
@@ -43,12 +42,9 @@ frontend fe_http
 
     use_backend be_authelia if host-authelia-portal api-path
     use_backend fe_authelia if host-authelia-portal !api-path
-    use_backend be_httpbin if protected-frontends is_headers
-    use_backend be_protected if protected-frontends
+    use_backend be_httpbin if protected-frontends headers-path
     use_backend be_mail if { hdr(host) -i mail.example.com:8080 }
-
-backend be_authelia
-    server authelia-backend authelia-backend:9091 ssl verify none
+    use_backend be_protected if protected-frontends
 
 backend be_auth_request
     mode http
@@ -59,19 +55,22 @@ listen be_auth_request_proxy
     bind 127.0.0.1:8085
     server authelia-backend authelia-backend:9091 ssl verify none
 
+backend be_authelia
+    server authelia-backend authelia-backend:9091 ssl verify none
+
 backend fe_authelia
     server authelia-frontend authelia-frontend:3000
 
-backend be_mail
-    server smtp-backend smtp:1080
-
-backend be_protected
-    server nginx-backend nginx-backend:80
-
 backend be_httpbin
     acl remote_user_exist var(req.auth_response_header.remote_user) -m found
     acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
     http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
     http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
 
-    server httpbin-backend httpbin:8000
\ No newline at end of file
+    server httpbin-backend httpbin:8000
+
+backend be_mail
+    server smtp-backend smtp:1080
+
+backend be_protected
+    server nginx-backend nginx-backend:80
\ No newline at end of file