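# /etc/haproxy/haproxy.cfg
#
# HAProxy terminates TLS and hands every request to Anubis over a local
# UNIX socket.

frontend FE-application
  mode http
  bind :80
  # ssl offloading on port 443 using a certificate from /etc/haproxy/ssl/ directory
  # (crt pointing at a directory loads every certificate file found in it; the
  # files carry private keys, so keep them readable only by root/haproxy).
  # ssl-min-ver TLSv1.2 refuses older protocol versions, and no-tls-tickets
  # disables stateless session tickets.
  bind :443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets

  # set X-Real-IP header required for Anubis
  # set-header replaces any X-Real-IP value sent by the client, so Anubis only
  # sees the address HAProxy observed. NOTE: if another proxy or load balancer
  # sits in front of HAProxy, %[src] is that proxy's address, not the client's.
  http-request set-header X-Real-IP "%[src]"

  # redirect HTTP to HTTPS
  http-request redirect scheme https code 301 unless { ssl_fc }

  # add HSTS header
  # NOTE: includeSubDomains + preload commits every subdomain to HTTPS for a
  # year and is slow to undo once the domain is on a preload list; drop those
  # two directives if any subdomain still needs plain HTTP.
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # route to Anubis backend by default
  default_backend BE-anubis-application

# The "backend" keyword is required here: a bare name is not a section header,
# and without it HAProxy cannot resolve default_backend above.
backend BE-anubis-application
  mode http
  # Anubis listens on a UNIX socket. The haproxy user needs read/write access
  # to it, and if HAProxy runs chrooted the path must be reachable from inside
  # the chroot.
  server anubis /run/anubis/default.sock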