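# Good info about TLS speeds: https://istlsfastyet.com/

global
    # This because haproxy is dumb and likes to use the maxconnection from the
    # kernel and that is super mega huge making haproxy oom
    # maxconn 32768 # Tied to net.core.somaxconn kernel parameter
    # Do not depend on the OpenSSL build's default minimum protocol version for
    # the public TLS listener below; refuse anything older than TLS 1.2 explicitly.
    ssl-default-bind-options ssl-min-ver TLSv1.2

resolvers docker
    # Without this, if a container crashes, haproxy will not be
    # able to find where the recreated container is.
    # Ref: https://stackoverflow.com/a/42135283
    nameserver dns1 127.0.0.11:53

defaults
    mode http
    timeout client 30s
    timeout connect 5s
    timeout server 30s
    # Bound how long a client may take to send the complete request headers, so a
    # client that trickles them cannot hold a slot open for the whole 30s client
    # timeout on the public frontend.
    timeout http-request 10s
    http-reuse safe
    option splice-auto
    option tcp-smart-connect

# Prometheus for graphs
# NOTE(review): this exporter is unauthenticated; reachability is assumed to be
# limited by which ports the container publishes / the host firewall — confirm.
frontend prometheus
    bind *:10000
    mode http
    http-request use-service prometheus-exporter if { path /metrics }
    no log

frontend www
    bind *:80
    # Kept disabled: besides h2, allow-0rtt accepts replayable early data.
    # bind *:443 ssl crt /certs/cert.pem alpn h2,http/1.1 allow-0rtt
    # Restrict to HTTP/1.1 since HTTP/2 is not useful for DASH video streaming.
    # HTTP/1.1 also uses a fairly low amount of CPU compared to HTTP/2.
    # HTTP/2 is useful for requesting a lot of files at the same time, but
    # for DASH video streaming you download the video synchronously,
    # making HTTP/2 useless for it.
    bind *:443 ssl crt /certs/cert.pem alpn http/1.1

    # https://docs.haproxy.org/3.0/configuration.html#4.2-tcp-request%20connection
    # https://docs.haproxy.org/3.0/configuration.html#4.2-http-request
    # Source-IP denylist, evaluated first so denied clients get neither the
    # bandwidth-limited path nor the /health response below.
    http-request deny if { src -f /etc/haproxy/denylist.txt }

    filter bwlim-out video-streaming default-limit 5000k default-period 1s

    # QUIC is not really needed for video streaming and it uses a lot of CPU.
    # Ref: https://news.ycombinator.com/item?id=23585120
    #bind quic4@:443 ssl crt /certs/cert.pem alpn h3 allow-0rtt
    #http-after-response add-header alt-svc 'h3=":443"; ma=900'

    # HAPROXY_EXVPP_HOST: The external video playback host
    # acl c hdr(host) -i "$COMPANION_HOST"
    # acl cc hdr(host) -i "$COMPANION_HOST":8443
    # acl h hdr(host) -i "$EXVPP_HOST"
    # acl hh hdr(host) -i "$EXVPP_HOST":8443

    http-request set-bandwidth-limit video-streaming

    acl health_check path /health
    http-request return status 200 if health_check

    # NOTE(review): /metrics_ytproxy is served unauthenticated on the public
    # listener; confirm that exposure is intended or restrict it by src like the
    # denylist above.
    use_backend http3-ytproxy if { path_beg /videoplayback } || { path /metrics_ytproxy }
    default_backend companion

backend http3-ytproxy
    server s1 unix@/tmp/http-ytproxy.sock

backend companion
    server s1 gluetun:8081 check resolvers docker init-addr libc,none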