Relocate reverse-proxy example configurations and update docs/configuring-playbook-own-webserver.md with more details

examples/reverse-proxies/haproxy/README.md

@@ -0,0 +1,9 @@
+# HAproxy reverse-proxy
+
+This directory contains sample files that show you how to do reverse-proxying using HAproxy.
+
+This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
+
+We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
+
+You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.

examples/reverse-proxies/haproxy/haproxy.cfg

@@ -0,0 +1,81 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log global
+	mode http
+	option httplog
+	option dontlognull
+	option forwardfor
+	option redispatch
+	timeout connect 5000
+	timeout client  50000
+	timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend https-frontend
+    bind *:80
+    # HAproxy wants the full chain and the private key in one file. For Letsencrypt manually generated certs (e.g., wildcard certs) you can use
+    # cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/star-example.com.pem
+    bind *:443 ssl crt /etc/haproxy/certs/star-example.com.pem
+    #bind *:443 ssl crt /etc/haproxy/certs/element.example.com.pem /etc/haproxy/certs/matrix.example.com.pem
+    reqadd X-Forwarded-Proto:\ https
+    option httplog
+    option http-server-close
+
+    # You can do per-domain routing (as shown above),
+	# or just send everything to the same backend via `default_backend`.
+
+    acl matrix_domain hdr_dom(host) -i matrix.example.com
+    use_backend matrix-main if matrix_domain
+
+    acl matrix_domain hdr_dom(host) -i element.example.com
+    use_backend matrix-main if matrix_domain
+
+    #default_backend matrix-main
+
+frontend matrix-federation
+  bind *:8448 ssl crt /etc/haproxy/certs/star-example.com.pem
+  reqadd X-Forwarded-Proto:\ https
+  option httplog
+  option http-server-close
+  default_backend synapse
+
+backend matrix-main
+     server matrix-main 127.0.0.1:81 check
+
+backend matrix-federation
+     server matrix-federation 127.0.0.1:8049 check
+
+backend nginx-static
+     capture request header origin len 128
+     http-response add-header Access-Control-Allow-Origin *
+     rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }
+     server nginx 127.0.0.1:40888 check
+
+backend element
+     server element 127.0.0.1:8765 check
+