veza/config/haproxy/README.md

# HAProxy Configuration

## Production (haproxy.cfg)

- **HTTP (port 80)**: Redirects all traffic to HTTPS (301)
- **HTTPS (port 443)**: Serves traffic with TLS. Certificates from `config/ssl/` mounted at `/etc/ssl/veza/`
- **Stats (port 8404)**: Restricted to localhost and Docker network (172.20.0.0/16)

## SSL Certificates

Before starting production, add at least one certificate to `config/ssl/`. See `config/ssl/README.md` for instructions.

For quick local testing with self-signed cert:

```bash
cd config/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout key.pem -out cert.pem -subj "/CN=veza.local"
cat cert.pem key.pem > veza.pem
```

## Development Without HTTPS

For local development without SSL, use `docker-compose.yml` (not prod) or create a `haproxy.dev.cfg` that omits the HTTPS frontend and HTTP redirect.
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# HAProxy Configuration`

			`## Production (haproxy.cfg)`

			`- HTTP (port 80): Redirects all traffic to HTTPS (301)`
			- HTTPS (port 443): Serves traffic with TLS. Certificates from `config/ssl/` mounted at `/etc/ssl/veza/`
			`- Stats (port 8404): Restricted to localhost and Docker network (172.20.0.0/16)`

			`## SSL Certificates`

			Before starting production, add at least one certificate to `config/ssl/`. See `config/ssl/README.md` for instructions.

			`For quick local testing with self-signed cert:`

			```bash
			`cd config/ssl`
			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 \`
			`-keyout key.pem -out cert.pem -subj "/CN=veza.local"`
			`cat cert.pem key.pem > veza.pem`
			```

			`## Development Without HTTPS`

			For local development without SSL, use `docker-compose.yml` (not prod) or create a `haproxy.dev.cfg` that omits the HTTPS frontend and HTTP redirect.