Merge remote-tracking branch 'origin/master' into staging
diff --git a/modules/roles/templates/snapshot/haproxy.cfg.erb b/modules/roles/templates/snapshot/haproxy.cfg.erb
new file mode 100644 (file)
index 0000000..79879bd
--- /dev/null
@@ -0,0 +1,64 @@
+global
+       log /dev/log    local0
+       log /dev/log    local1 notice
+       chroot /var/lib/haproxy
+       stats socket /run/haproxy/admin.sock mode 660 level admin
+       stats socket /run/haproxy/user.sock mode 660 level user group munin
+       stats timeout 30s
+       user haproxy
+       group haproxy
+       daemon
+       nbproc  2
+
+       # Default SSL material locations
+       ca-base /etc/ssl/certs
+       crt-base /etc/ssl/private
+
+       # Default ciphers to use on SSL-enabled listening sockets.
+       # For more information, see ciphers(1SSL). This list is from:
+       #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+       ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+       ssl-default-bind-options no-sslv3
+
+       maxconn 8192
+
+defaults
+       log     global
+       mode    http
+       option  httplog
+       option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+       errorfile 400 /etc/haproxy/errors/400.http
+       errorfile 403 /etc/haproxy/errors/403.http
+       errorfile 408 /etc/haproxy/errors/408.http
+       errorfile 500 /etc/haproxy/errors/500.http
+       errorfile 502 /etc/haproxy/errors/502.http
+       errorfile 503 /etc/haproxy/errors/503.http
+       errorfile 504 /etc/haproxy/errors/504.http
+
+
+#frontend front
+#      bind :::80 v4v6 tfo
+#      redirect scheme https code 301 if !{ ssl_fc }
+
+frontend front_ssl
+       bind :::443 v4v6 tfo ssl crt /etc/ssl/private/snapshot.debian.org.key-certchain
+
+       default_backend backend
+
+       option http-keep-alive
+       #option redispatch
+
+backend backend
+       # a http backend
+       mode http
+       option http-keep-alive
+
+       timeout http-keep-alive 15s
+
+       server varnish 127.0.0.1:6081
+
+       http-response set-header Strict-Transport-Security "max-age=15768000; preload"
+       #http-response del-header Server
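Review bot: The TLS floor set at line 28 excludes only SSLv3, so TLS 1.0 and 1.1 remain negotiable on the :443 bind at line 54, and the cipher list at line 27 still admits 3DES suites and plain-RSA key exchange without forward secrecy; consider `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` and dropping the `*+3DES` and `RSA+*` entries once client telemetry shows they are unused. The HSTS header at line 70 carries `preload` but neither `includeSubDomains` nor a max-age of at least one year, both of which the preload list requires, so the token is currently ineffective; either drop it or, after confirming every subdomain is served HTTPS-only, use `"max-age=31536000; includeSubDomains; preload"`. The hynek article cited at line 26 appears to have been revised since this cipher string was taken from it, so the provenance comment is worth re-checking against the current recommendation.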