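# ============================================================================
# GLOBAL
# ============================================================================
global
    log stdout format raw local0
    maxconn 4096
    # NOTE(review): `daemon` forks HAProxy into the background; confirm this is
    # what the container/supervisor expects and that stdout logging still
    # reaches the log collector.
    daemon

    # Blue-green: runtime API for server enable/disable.
    # `level admin` gives any process that can open this socket full runtime
    # control (drain/disable servers, change weights, clear counters).
    # NOTE(review): keep the socket directory readable only by the deploy user;
    # consider explicit `mode`/`user`/`group` on this line once the identity of
    # scripts/deploy-blue-green.sh is confirmed.
    stats socket /var/run/haproxy.sock level admin

    # Refuse legacy protocol versions on every TLS bind. Recent HAProxy
    # releases already default to this; stating it keeps older builds aligned.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Appends the client address to X-Forwarded-For. A client-supplied
    # X-Forwarded-For header is passed through in front of it.
    # NOTE(review): if HAProxy is the outermost proxy, strip the inbound header
    # in the public frontends so backends cannot be fed a forged client IP;
    # leave as is if a trusted CDN/LB sits in front. Confirm the topology.
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    # Bounds how long a client may take to send complete request headers.
    timeout http-request 10000ms

# ============================================================================
# STATS & MONITORING (P1.3: restricted to internal network)
# ============================================================================
frontend stats
    bind *:8404
    acl from_internal src 127.0.0.1 172.20.0.0/16

    # Enforce the restriction named in the section header. Previously only the
    # admin actions were gated by from_internal, so the read-only page (backend
    # names, server addresses, health state, traffic counters) was served to
    # any client that could reach port 8404.
    http-request deny unless from_internal

    stats enable
    stats uri /stats
    stats refresh 30s
    # Admin actions (enable/disable/drain servers) are allowed from the
    # internal ranges with no credentials: every host in 172.20.0.0/16 can
    # change the active stack through this page.
    # NOTE(review): consider adding `stats auth` with credentials supplied
    # from the deployment's secret store.
    stats admin if from_internal

# ============================================================================
# HTTP FRONTEND (Port 80)
# ============================================================================
frontend http_frontend
    bind *:80
    mode http

    # P1.1: Redirect HTTP to HTTPS in production.
    # This bind is never TLS, so the condition holds for every request and
    # nothing on port 80 reaches a backend in clear text.
    redirect scheme https code 301 if !{ ssl_fc }

    # ACLs for routing
    # NOTE(review): effectively unreachable while the redirect above is in
    # place; they only take effect if the redirect is removed.
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /

    # Route to appropriate backend
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# HTTPS FRONTEND (Port 443) - P1.1: Production HTTPS
# Certificates from config/ssl/ mounted at /etc/ssl/veza/
# ============================================================================
frontend https_frontend
    # veza.pem is expected to hold the certificate chain and the private key;
    # the mounted file should be readable by the HAProxy user only.
    # NOTE(review): no Strict-Transport-Security header is set here, so a
    # browser's first request can still go to port 80 in clear text; consider
    # adding one once HTTPS is confirmed for every hostname served.
    bind *:443 ssl crt /etc/ssl/veza/veza.pem
    mode http

    # ACLs for routing
    acl is_api path_beg /api/v1
    acl is_stream path_beg /stream
    acl is_hls path_beg /hls
    acl is_web path_beg /

    # Route to appropriate backend (first matching rule wins; is_web is the
    # catch-all and must stay last)
    use_backend backend_api if is_api
    use_backend stream_ws if is_stream
    use_backend stream_ws if is_hls
    use_backend web_frontend if is_web

# ============================================================================
# BACKENDS - Blue-Green Deployment
# Use scripts/deploy-blue-green.sh to switch active stack
# ============================================================================
# In each backend the green server is marked `backup`: it receives traffic only
# when the blue server is down or disabled. Traffic to the backends is plain
# HTTP, so the backend network must be trusted.

# Backend API (Go) - blue/green
backend backend_api
    mode http
    balance roundrobin
    option httpchk GET /api/v1/health
    http-check expect status 200
    server api_blue backend-api-blue:8080 check inter 5s fall 3 rise 2
    server api_green backend-api-green:8080 check inter 5s fall 3 rise 2 backup

# Stream WebSocket (Rust) - blue/green
backend stream_ws
    mode http
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    # Upgraded (WebSocket) connections may stay idle for up to an hour.
    timeout tunnel 3600s
    server stream_blue stream-server-blue:3001 check inter 5s fall 3 rise 2
    server stream_green stream-server-green:3001 check inter 5s fall 3 rise 2 backup

# Web Frontend (React/Vite) - blue/green
# NOTE(review): 5173 is Vite's default dev-server port; confirm the production
# image serves a built bundle and not the development server.
backend web_frontend
    mode http
    balance roundrobin
    option httpchk GET /
    http-check expect status 200
    server web_blue web-blue:5173 check inter 5s fall 3 rise 2
    server web_green web-green:5173 check inter 5s fall 3 rise 2 backup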