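# HAProxy configuration: global process settings, shared defaults, a stats
# endpoint, an HTTPS frontend fed by certctl, a placeholder backend and a
# plain health-check frontend.
global
    log stdout local0
    log stdout local1 notice
    # NOTE(review): with `daemon` the process detaches from its terminal; confirm
    # that stdout logging still reaches the intended collector in that mode.
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL options for modern TLS
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options ssl-min-ver TLSv1.2

# Shared by every frontend/backend below unless overridden there.
defaults
    mode http
    log global
    option httplog
    option dontlognull
    # Timeouts are in milliseconds when no unit is given.
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Statistics endpoint (accessible on port 8080)
listen stats
    bind *:8080
    stats enable
    stats uri /stats
    stats refresh 30s
    stats hide-version
    # Admin actions on the stats page (enabling/disabling servers) are limited to
    # requests originating from the local host. The previous `stats admin if TRUE`
    # granted them to anyone able to reach port 8080. LOCALHOST is HAProxy's
    # predefined ACL for src 127.0.0.1/8; the read-only view stays reachable as before.
    stats admin if LOCALHOST

# Example HTTPS frontend with certificate from certctl
# This frontend will serve HTTPS on port 443 using a combined PEM file
# deployed by certctl to /etc/haproxy/ssl/cert.pem
frontend https_in
    # HTTP redirect to HTTPS
    bind *:80
    mode http
    # The redirect condition is derived from the connection's own TLS state
    # (ssl_fc) rather than from a client-supplied X-Forwarded-Proto header,
    # which any caller could set. This also fixes the original rule, which
    # referenced an ACL named is_https that was never defined (the ACL was
    # declared as is_http), so the config would not load.
    acl is_https ssl_fc
    http-request redirect scheme https code 301 unless is_https

    # HTTPS with certificate
    # In production, certctl will manage cert.pem and reload HAProxy after deployment
    # strict-sni: connections whose SNI does not match a loaded certificate are refused.
    bind *:443 ssl crt /etc/haproxy/ssl/cert.pem strict-sni
    mode http
    option httplog

    # Default backend
    default_backend http_backend

# Example backend (simple web service placeholder)
backend http_backend
    mode http
    option httpchk GET /
    # `disabled` keeps the placeholder server out of rotation until a real
    # service is configured; remove it when local_app is actually serving.
    server local_app 127.0.0.1:8000 check disabled

# Health endpoint (useful for certctl agent deployment verification)
frontend health
    bind *:9999
    mode http
    monitor-uri /health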