global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
        # set default parameters to the intermediate configuration
        ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
        ssl-default-server-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl-dh-param-file /path/to/dhparam

defaults
#       enables tcplog so disabled
#       log     global
        mode    http
#       option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


# TCP LB (443)
frontend 443-in
          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
          mode tcp

        # DoT
        use_backend dns-dot if { ssl_fc_sni dot.domain.pem }

# TCP LB (853)
frontend 853-in
	bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
	bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
	mode tcp

	# DoT
	use_backend dns-dot if { ssl_fc_sni dot.domain }

# TCP LB (443)
frontend 443-in-doh
	bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2

        mode http

        http-response set-header Strict-Transport-Security max-age=63072000
	http-response set-header X-Frontend lv1

	use_backend check if { path /check }

	use_backend dns-doh if { hdr(host) -i doh.domain }


backend dns-dot
	mode tcp
	server dot 127.0.0.1:5353 check

backend dns-doh
        mode http
        server dns-doh 127.0.0.1:8053 check

backend check
        mode http
        errorfile 503 /root/dns/check.http

http-response set-header Strict-Transport-Security max-age=63072000