global
    daemon
    maxconn 256
    log stdout  format raw  local0  debug
    lua-load /etc/haproxy/scripts/register.lua
    stats socket /var/run/haproxy.sock mode 666 level admin

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80

	# acl for ddos_mode_enabled = global enabled OR domain enabled
	acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
    acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map
    #TODO: add ORs here for auto enable on traffic pattern

	# check captcha cookie, separate map allows to disable captcha (still keeping POW)
    acl captcha_passed var(txn.captcha_passed) -m bool
    acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found

	# check proof of work cookie
	acl pow_passed var(txn.pow_passed) -m bool
    
    acl on_captcha_url path -m beg /bot-check
    acl is_excluded path_end -i .js .ico

    http-request use-service lua.hcaptcha-view	if on_captcha_url !is_excluded
    http-request lua.hcaptcha-check          if !is_excluded !on_captcha_url ddos_mode_enabled
    http-request lua.pow-check          if !is_excluded !on_captcha_url ddos_mode_enabled
    http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded

    default_backend servers

backend servers
    server server1 nginx:80 maxconn 32

backend hcaptcha
	mode http
	server hcaptcha hcaptcha.com:443