veza/config/haproxy/haproxy.cfg

global
    log stdout format raw local0
    maxconn 4096
    daemon
    # Blue-green: runtime API for server enable/disable
    stats socket /var/run/haproxy.sock level admin

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout http-request 10000ms

# ============================================================================
# STATS & MONITORING (P1.3: restricted to internal network)
# ============================================================================
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    acl from_internal src 127.0.0.1 172.20.0.0/16
    stats admin if from_internal

# ============================================================================
# HTTP FRONTEND (Port 80)
# ============================================================================
frontend http_frontend
    bind *:80
    mode http
    
    # P1.1: Redirect HTTP to HTTPS in production
    redirect scheme https code 301 if !{ ssl_fc }
    
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /
    
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS
# Certificates from config/ssl/ mounted at /etc/ssl/veza/
# ============================================================================
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/veza/veza.pem
    mode http
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# BACKENDS - Blue-Green Deployment
# Use scripts/deploy-blue-green.sh to switch active stack
# ============================================================================

# Backend API (Go) - blue/green
backend backend_api
    mode http
    balance roundrobin
    option httpchk GET /api/v1/health
    http-check expect status 200
    server api_blue backend-api-blue:8080 check inter 5s fall 3 rise 2
    server api_green backend-api-green:8080 check inter 5s fall 3 rise 2 backup

# Stream WebSocket (Rust) - blue/green
backend stream_ws
    mode http
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    timeout tunnel 3600s
    server stream_blue stream-server-blue:3001 check inter 5s fall 3 rise 2
    server stream_green stream-server-green:3001 check inter 5s fall 3 rise 2 backup

# Web Frontend (React/Vite) - blue/green
backend web_frontend
    mode http
    balance roundrobin
    option httpchk GET /
    http-check expect status 200
    server web_blue web-blue:5173 check inter 5s fall 3 rise 2
    server web_green web-green:5173 check inter 5s fall 3 rise 2 backup
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`global`
			`log stdout format raw local0`
			`maxconn 4096`
			`daemon`
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`# Blue-green: runtime API for server enable/disable`
			`stats socket /var/run/haproxy.sock level admin`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`defaults`
			`log global`
			`mode http`
			`option httplog`
			`option dontlognull`
			`option forwardfor`
			`option http-server-close`
			`timeout connect 5000ms`
			`timeout client 50000ms`
			`timeout server 50000ms`
			`timeout http-request 10000ms`

			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# STATS & MONITORING (P1.3: restricted to internal network)`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`# ============================================================================`
			`frontend stats`
			`bind *:8404`
			`stats enable`
			`stats uri /stats`
			`stats refresh 30s`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`acl from_internal src 127.0.0.1 172.20.0.0/16`
			`stats admin if from_internal`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ============================================================================`
			`# HTTP FRONTEND (Port 80)`
			`# ============================================================================`
			`frontend http_frontend`
			`bind *:80`
			`mode http`

fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# P1.1: Redirect HTTP to HTTPS in production`
			`redirect scheme https code 301 if !{ ssl_fc }`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ACLs for routing`
			`acl is_api path_beg /api/v1`
			`acl is_stream path_beg /stream`
fix(streaming): ensure HLS audio chain works end-to-end - HAProxy: route /hls to stream server - Vite proxy: /ws, /stream, /hls for dev - HLS_BASE_URL: empty when STREAM_URL relative (proxy) - FEATURE_STATUS: HLS_STREAMING operational 2026-02-18 11:42:42 +00:00			`acl is_hls path_beg /hls`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`acl is_web path_beg /`

			`# Route to appropriate backend`
			`use_backend backend_api if is_api`
			`use_backend stream_ws if is_stream`
fix(streaming): ensure HLS audio chain works end-to-end - HAProxy: route /hls to stream server - Vite proxy: /ws, /stream, /hls for dev - HLS_BASE_URL: empty when STREAM_URL relative (proxy) - FEATURE_STATUS: HLS_STREAMING operational 2026-02-18 11:42:42 +00:00			`use_backend stream_ws if is_hls`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`use_backend web_frontend if is_web`

			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS`
			`# Certificates from config/ssl/ mounted at /etc/ssl/veza/`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`# ============================================================================`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`frontend https_frontend`
			`bind *:443 ssl crt /etc/ssl/veza/veza.pem`
			`mode http`
			`# ACLs for routing`
			`acl is_api path_beg /api/v1`
			`acl is_stream path_beg /stream`
fix(streaming): ensure HLS audio chain works end-to-end - HAProxy: route /hls to stream server - Vite proxy: /ws, /stream, /hls for dev - HLS_BASE_URL: empty when STREAM_URL relative (proxy) - FEATURE_STATUS: HLS_STREAMING operational 2026-02-18 11:42:42 +00:00			`acl is_hls path_beg /hls`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`acl is_web path_beg /`
			`# Route to appropriate backend`
			`use_backend backend_api if is_api`
			`use_backend stream_ws if is_stream`
fix(streaming): ensure HLS audio chain works end-to-end - HAProxy: route /hls to stream server - Vite proxy: /ws, /stream, /hls for dev - HLS_BASE_URL: empty when STREAM_URL relative (proxy) - FEATURE_STATUS: HLS_STREAMING operational 2026-02-18 11:42:42 +00:00			`use_backend stream_ws if is_hls`
fix(infra): HAProxy HTTPS and stats security P1.1 - Enable HTTPS in HAProxy for production: - HTTP to HTTPS redirect (301) - HTTPS frontend on port 443 with veza.pem - config/ssl/ structure with README and generate-ssl-cert.sh - docker-compose.prod.yml volume for certs P1.3 - Restrict HAProxy stats to internal network: - ACL from_internal (127.0.0.1, 172.20.0.0/16) - stats admin if from_internal Also: remove errorfile directives (use HAProxy built-in defaults) 2026-02-15 14:58:51 +00:00			`use_backend web_frontend if is_web`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
			`# ============================================================================`
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`# BACKENDS - Blue-Green Deployment`
			`# Use scripts/deploy-blue-green.sh to switch active stack`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`# ============================================================================`

feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`# Backend API (Go) - blue/green`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`backend backend_api`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /api/v1/health`
			`http-check expect status 200`
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`server api_blue backend-api-blue:8080 check inter 5s fall 3 rise 2`
			`server api_green backend-api-green:8080 check inter 5s fall 3 rise 2 backup`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`# Stream WebSocket (Rust) - blue/green`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`backend stream_ws`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /health`
			`http-check expect status 200`
			`timeout tunnel 3600s`
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`server stream_blue stream-server-blue:3001 check inter 5s fall 3 rise 2`
			`server stream_green stream-server-green:3001 check inter 5s fall 3 rise 2 backup`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`# Web Frontend (React/Vite) - blue/green`
api-contracts: install openapi-generator-cli and create type generation script - Completed Action 1.1.2.1: Installed @openapitools/openapi-generator-cli - Completed Action 1.1.2.2: Created generate-types.sh script - Added swagger annotations to cmd/modern-server/main.go - Regenerated swagger.yaml with proper info section - Successfully generated TypeScript types to src/types/generated/ The script generates types from veza-backend-api/openapi.yaml using typescript-axios generator and creates barrel exports. 2026-01-11 15:30:43 +00:00			`backend web_frontend`
			`mode http`
			`balance roundrobin`
			`option httpchk GET /`
			`http-check expect status 200`
feat(infra): blue-green deployment via HAProxy - HAProxy: api/stream/web backends with blue+green servers (backup) - docker-compose.prod: backend-api-blue/green, stream-server-blue/green, web-blue/green - haproxy-blue.cfg, haproxy-green.cfg: config variants for active stack - scripts/deploy-blue-green.sh: switch traffic via config copy + HUP reload 2026-02-23 18:52:19 +00:00			`server web_blue web-blue:5173 check inter 5s fall 3 rise 2`
			`server web_green web-green:5173 check inter 5s fall 3 rise 2 backup`