## NEW HTTP2 CONFIG ###
## Thanks to DNSWARDEN.com author: @bhanupratapys

global
        no log
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        pidfile  /var/run/haproxy.pid
        tune.ssl.default-dh-param  2048

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        ssl-dh-param-file /etc/haproxy/dhparam.pem
        ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
        option  dontlognull
        retries 1
	timeout connect 5s
        timeout check 5s
        timeout queue 10s
        timeout client 60s
        timeout client-fin 1s
        timeout server-fin 1s
        timeout server 30s
        timeout tunnel 10m
        timeout http-request 10s

#bind :::443 v4v6  ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2,http/1.1
#bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem

frontend front_end_dot_853
    mode tcp
    bind 0.0.0.0:853
    bind :::853
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 2s
    tcp-request content accept if tls
    use_backend dot-uncensor  if { req_ssl_sni -i dot-jp.blahdns.com }
    default_backend dot-uncensor

frontend front_end_doh_dot_443
    mode tcp
    bind 0.0.0.0:443
    bind :::443
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 2s
    tcp-request content accept if tls
    use_backend doh-front if { req_ssl_sni -i doh-jp.blahdns.com }
    use_backend dot-uncensor  if { req_ssl_sni -i dot-jp.blahdns.com }
    default_backend dot-uncensor

frontend dot-in-uncensor
    mode tcp
    bind 127.150.150.150:15000 ssl crt /etc/haproxy/dot-jp.blahdns.pem
    default_backend dot-servers-uncensor

frontend doh-in
    mode http
    bind 127.250.250.250:25000 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
    acl adblock_url path_beg -i /dns-query
    use_backend doh-servers-uncensor if adblock_url


backend dot-uncensor
    mode tcp
    #balance source
    server dot-uncensor-haproxy-ssl 127.150.150.150:15000 check

backend doh-front
    mode tcp
    #balance source
    server doh-haproxy-ssl 127.250.250.250:25000 check


backend dot-servers-uncensor
    mode tcp
    server dns-uncensor 127.0.0.1:50


backend doh-servers-uncensor
    mode http
    http-response del-header server
    http-response del-header x-powered-by
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    server doh-proxy-uncensor 127.0.0.1:3000

### End ####

### Start old config as backup, igonre it ###

global
        #log /dev/log    local0
        no log
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        maxconn  3000
        pidfile  /var/run/haproxy.pid
        tune.ssl.default-dh-param  2048
        #ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
        ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:EECDH+CHACHA20:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
 	ssl-default-bind-options no-tls-tickets no-sslv3 no-tlsv10 no-tlsv11
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

defaults
        option  dontlognull
        option  http-server-close
        retries 1
	option  http-use-htx
        maxconn 3000
        timeout check 5s
        timeout queue 10s
        timeout client 30s
        timeout client-fin 3s
        timeout server-fin 3s
        timeout server 30s
        timeout tunnel 5m
        timeout http-request 10s
        option http-keep-alive

frontend doh-in
    #mode tcp
    no log
    #bind *:443 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
    bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem
    http-response set-header Strict-Transport-Security "max-age=31536000"
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend dot-server if { req.ssl_hello_type 1 }
    acl dns_url path_beg -i /dns-query

    use_backend doh-server if dns_url
    #use_backend doh-server if HTTP
    default_backend dot-server

#listen http-in

backend dot-server
    mode tcp
    server dns 127.0.0.1:50 maxconn 20

backend doh-server
    #http-response set-header Strict-Transport-Security "max-age=31536000"
    option forwardfor
    server doh-proxy 127.0.0.1:3000 maxconn 20