# HAProxy Configuration

## Production (haproxy.cfg)

- **HTTP (port 80)**: Redirects all traffic to HTTPS (301)
- **HTTPS (port 443)**: Serves traffic with TLS. Certificates from `config/ssl/` mounted at `/etc/ssl/veza/`
- **Stats (port 8404)**: Restricted to localhost and Docker network (172.20.0.0/16)

## SSL Certificates

Before starting production, add at least one certificate to `config/ssl/`. See `config/ssl/README.md` for instructions.

For quick local testing with self-signed cert:

```bash
cd config/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout key.pem -out cert.pem -subj "/CN=veza.local"
cat cert.pem key.pem > veza.pem
```

## Development Without HTTPS

For local development without SSL, use `docker-compose.yml` (not prod) or create a `haproxy.dev.cfg` that omits the HTTPS frontend and HTTP redirect.