{% set haproxy_http_front_port = (haproxy_backend_port | int) + 10000 %}
{% set haproxy_https_front_port = (haproxy_backend_port | int) + 20000 %}

# Redirect request to HTTP or HTTPS frontend based on used protocol
frontend {{ service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
    mode tcp
    bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
    default_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}

backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
    mode tcp
    server  {{ value.backend_name | default(service.haproxy_service_name) }}-http {{ vip_address }}:{{ haproxy_http_front_port }}

backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
    mode tcp
    server  {{ value.backend_name | default(service.haproxy_service_name) }}-https {{ vip_address }}:{{ haproxy_https_front_port }}

frontend {{ service.haproxy_service_name }}-http-front-{{ loop.index }}
    bind {{ vip_address }}:{{ haproxy_http_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
{% if request_option == "http" %}
    option httplog
    option forwardfor except 127.0.0.0/8
{% if service.haproxy_http_keepalive_mode is defined %}
    option {{ service.haproxy_http_keepalive_mode }}
{% endif %}
{% elif request_option == "tcp" %}
    option tcplog
{% endif %}
{% if service.haproxy_timeout_client is defined %}
    timeout client {{ service.haproxy_timeout_client }}
{% endif %}
{% if service.haproxy_allowlist_networks is defined %}
    acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
    tcp-request content accept if allow_list
    tcp-request content reject
{% endif %}
{% if service.haproxy_acls is defined %}
{%   for key, value in service.haproxy_acls.items() %}
    acl {{ key }} {{ value.rule }}
{%     if not service.haproxy_frontend_only | default(false) %}
    use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
{%     endif %}
{%   endfor %}
{% endif %}
{% for entry in service.haproxy_maps | default([])  %}
    {{ entry }}
{% endfor %}
    mode {{ service.haproxy_balance_type }}
{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
    default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
{% endif %}
{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
    {{ entry }}
{% endfor %}

frontend {{ service.haproxy_service_name }}-https-front-{{ loop.index }}
    bind {{ vip_address }}:{{ haproxy_https_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_address }}.pem
{% if request_option == "http" %}
    option httplog
    option forwardfor except 127.0.0.0/8
{% if service.haproxy_http_keepalive_mode is defined %}
    option {{ service.haproxy_http_keepalive_mode }}
{% endif %}
{% elif request_option == "tcp" %}
    option tcplog
{% endif %}
{% if service.haproxy_timeout_client is defined %}
    timeout client {{ service.haproxy_timeout_client }}
{% endif %}
{% if service.haproxy_allowlist_networks is defined %}
    acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
    tcp-request content accept if allow_list
    tcp-request content reject
{% endif %}
{% if service.haproxy_acls is defined %}
{%   for key, value in service.haproxy_acls.items() %}
    acl {{ key }} {{ value.rule }}
{%     if not service.haproxy_frontend_only | default(false) %}
    use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
{%     endif %}
{%   endfor %}
{% endif %}
{% for entry in service.haproxy_maps | default([])  %}
    {{ entry }}
{% endfor %}
{% if (service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}
    http-request add-header X-Forwarded-Proto https
{% endif %}
    mode {{ service.haproxy_balance_type }}
{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
    default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
{% endif %}
{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
    {{ entry }}
{% endfor %}