veza/config/haproxy/haproxy.cfg

global
    log stdout format raw local0
    maxconn 4096
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout http-request 10000ms

# ============================================================================
# STATS & MONITORING (P1.3: restricted to internal network)
# ============================================================================
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    acl from_internal src 127.0.0.1 172.20.0.0/16
    stats admin if from_internal

# ============================================================================
# HTTP FRONTEND (Port 80)
# ============================================================================
frontend http_frontend
    bind *:80
    mode http
    
    # P1.1: Redirect HTTP to HTTPS in production
    redirect scheme https code 301 if !{ ssl_fc }
    
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_ws path_beg /ws
    acl is_stream path_beg /stream
    acl is_web path_beg /
    
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend chat_ws if is_ws
    use_backend stream_ws if is_stream
    use_backend web_frontend if is_web

# ============================================================================
# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS
# Certificates from config/ssl/ mounted at /etc/ssl/veza/
# ============================================================================
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/veza/veza.pem
    mode http
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_ws path_beg /ws
    acl is_stream path_beg /stream
    acl is_web path_beg /
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend chat_ws if is_ws
    use_backend stream_ws if is_stream
    use_backend web_frontend if is_web

# ============================================================================
# BACKENDS
# ============================================================================

# Backend API (Go)
backend backend_api
    mode http
    balance roundrobin
    option httpchk GET /api/v1/health
    http-check expect status 200
    server backend1 backend-api:8080 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server backend2 backend-api-2:8080 check inter 5s fall 3 rise 2

# Chat WebSocket (Rust)
backend chat_ws
    mode http
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    server chat1 chat-server:3000 check inter 5s fall 3 rise 2
    # WebSocket specific options
    timeout tunnel 3600s

# Stream WebSocket (Rust)
backend stream_ws
    mode http
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    server stream1 stream-server:3001 check inter 5s fall 3 rise 2
    # WebSocket specific options
    timeout tunnel 3600s

# Web Frontend (React/Vite)
backend web_frontend
    mode http
    balance roundrobin
    option httpchk GET /
    http-check expect status 200
    server web1 web:5173 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server web2 web-2:5173 check inter 5s fall 3 rise 2
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`global`
			`log stdout format raw local0`
			`maxconn 4096`
			`daemon`

			`defaults`
			`log global`
			`mode http`
			`option httplog`
			`option dontlognull`
			`option forwardfor`
			`option http-server-close`
			`timeout connect 5000ms`
			`timeout client 50000ms`
			`timeout server 50000ms`
			`timeout http-request 10000ms`

			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# STATS & MONITORING (P1.3: restricted to internal network)`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`# ============================================================================`
			`frontend stats`
			`bind *:8404`
			`stats enable`
			`stats uri /stats`
			`stats refresh 30s`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`acl from_internal src 127.0.0.1 172.20.0.0/16`
			`stats admin if from_internal`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ============================================================================`
			`# HTTP FRONTEND (Port 80)`
			`# ============================================================================`
			`frontend http_frontend`
			`bind *:80`
			`mode http`

fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# P1.1: Redirect HTTP to HTTPS in production`
			`redirect scheme https code 301 if !{ ssl_fc }`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ACLs for routing`
			`acl is_api path_beg /api/v1`
			`acl is_ws path_beg /ws`
			`acl is_stream path_beg /stream`
			`acl is_web path_beg /`

			`# Route to appropriate backend`
			`use_backend backend_api if is_api`
			`use_backend chat_ws if is_ws`
			`use_backend stream_ws if is_stream`
			`use_backend web_frontend if is_web`

			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS`
			`# Certificates from config/ssl/ mounted at /etc/ssl/veza/`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`frontend https_frontend`
			`bind *:443 ssl crt /etc/ssl/veza/veza.pem`
			`mode http`
			`# ACLs for routing`
			`acl is_api path_beg /api/v1`
			`acl is_ws path_beg /ws`
			`acl is_stream path_beg /stream`
			`acl is_web path_beg /`
			`# Route to appropriate backend`
			`use_backend backend_api if is_api`
			`use_backend chat_ws if is_ws`
			`use_backend stream_ws if is_stream`
			`use_backend web_frontend if is_web`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ============================================================================`
			`# BACKENDS`
			`# ============================================================================`

			`# Backend API (Go)`
			`backend backend_api`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /api/v1/health`
			`http-check expect status 200`
			`server backend1 backend-api:8080 check inter 5s fall 3 rise 2`
			`# Add more servers for load balancing:`
			`# server backend2 backend-api-2:8080 check inter 5s fall 3 rise 2`

			`# Chat WebSocket (Rust)`
			`backend chat_ws`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /health`
			`http-check expect status 200`
			`server chat1 chat-server:3000 check inter 5s fall 3 rise 2`
			`# WebSocket specific options`
			`timeout tunnel 3600s`

			`# Stream WebSocket (Rust)`
			`backend stream_ws`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /health`
			`http-check expect status 200`
			`server stream1 stream-server:3001 check inter 5s fall 3 rise 2`
			`# WebSocket specific options`
			`timeout tunnel 3600s`

			`# Web Frontend (React/Vite)`
			`backend web_frontend`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /`
			`http-check expect status 200`
			`server web1 web:5173 check inter 5s fall 3 rise 2`
			`# Add more servers for load balancing:`
			`# server web2 web-2:5173 check inter 5s fall 3 rise 2`