global
    lua-load /usr/local/etc/haproxy/auth-request.lua
    log stdout format raw local0 debug

defaults
    mode http
    log global
    option httplog
    option forwardfor

frontend fe_api
    bind *:8081 ssl crt /usr/local/etc/haproxy/haproxy.pem

    stats enable
    stats uri /api
    stats refresh 10s
    stats admin if LOCALHOST

frontend fe_http
    bind *:8080 ssl crt /usr/local/etc/haproxy/haproxy.pem

    acl host-authelia-portal hdr(host) -i login.example.com:8080
    acl api-path path_beg -i /api
    acl protected-frontends hdr(host) -m reg -i ^(admin|home|public|secure|singlefactor)\.example\.com

    http-request set-var(req.scheme) str(https) if { ssl_fc }
    http-request set-var(req.scheme) str(http) if !{ ssl_fc }
    http-request set-var(req.questionmark) str(?) if { query -m found }

    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Proto %[var(req.scheme)]
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]

    http-request lua.auth-request be_authelia /api/verify if protected-frontends

    use_backend be_authelia if host-authelia-portal api-path
    use_backend fe_authelia if host-authelia-portal !api-path
    use_backend be_authelia if protected-frontends !{ var(txn.auth_response_successful) -m bool }
    use_backend be_protected if protected-frontends
    use_backend be_mail if { hdr(host) -i mail.example.com:8080 }

backend be_authelia
    server authelia-backend authelia-backend:9091

backend fe_authelia
    server authelia-frontend authelia-frontend:3000

backend be_mail
    server smtp-backend smtp:1080

backend be_protected
    server nginx-backend nginx-backend:80