global
    log stdout format raw local0
    maxconn 4096
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    timeout http-request 10000ms

# ============================================================================
# STATS & MONITORING (P1.3: restricted to internal network)
# ============================================================================
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 30s
    acl from_internal src 127.0.0.1 172.20.0.0/16
    stats admin if from_internal

# ============================================================================
# HTTP FRONTEND (Port 80)
# ============================================================================
frontend http_frontend
    bind *:80
    mode http
    
    # P1.1: Redirect HTTP to HTTPS in production
    redirect scheme https code 301 if !{ ssl_fc }
    
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /
    
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS
# Certificates from config/ssl/ mounted at /etc/ssl/veza/
# ============================================================================
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/veza/veza.pem
    mode http
    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /
    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# BACKENDS
# ============================================================================

# Backend API (Go)
backend backend_api
    mode http
    balance roundrobin
    option httpchk GET /api/v1/health
    http-check expect status 200
    server backend1 backend-api:8080 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server backend2 backend-api-2:8080 check inter 5s fall 3 rise 2

# Stream WebSocket (Rust)
backend stream_ws
    mode http
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    server stream1 stream-server:3001 check inter 5s fall 3 rise 2
    # WebSocket specific options
    timeout tunnel 3600s

# Web Frontend (React/Vite)
backend web_frontend
    mode http
    balance roundrobin
    option httpchk GET /
    http-check expect status 200
    server web1 web:5173 check inter 5s fall 3 rise 2
    # Add more servers for load balancing:
    # server web2 web-2:5173 check inter 5s fall 3 rise 2