web: refactor nginx config

services/haproxy-acme.nix

@@ -20,23 +20,28 @@ let
       ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
       ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
     defaults
+      mode http
       option forwardfor
       option http-server-close
+      option httplog
+      option dontlognull
       timeout client 10s
       timeout connect 4s
       timeout server 30s
+      timeout tunnel 3600s
       errorfile 503 ${./errorfiles/503.html}
     userlist LOUTRE
       user paul password $6$YNjCpiPABu9$.iEp.3BgoswHcX3SMjz1/CiyqFQn/fjnxtT9CWBqQHBKynvK2kh/i62ije0WmCvhKRUhy9gdVbJStM3ciGXnC1
-    frontend public
+    frontend http-in
       bind :::80 v4v6
-      bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
-      mode http
       acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-      acl haproxy-acl path_beg /haproxy
-      redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
-      http-response set-header Strict-Transport-Security max-age=15768000
       use_backend letsencrypt-backend if letsencrypt-acl
+      redirect scheme https code 301 if !letsencrypt-acl
+    frontend public
+      bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1
+      http-response set-header Strict-Transport-Security max-age=15768000
+      http-request add-header X-Forwarded-Proto https
+      acl haproxy-acl path_beg /haproxy
       use_backend haproxy_stats if haproxy-acl
     ${concatStrings (
       mapAttrsToList (name: value: