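#
# demo config for Proxy mode
#
# HAProxy is used here as a plain-HTTP forward proxy for one client host.
# The frontend filters on the client address and on the IP literal found in
# the request URL; the backend then connects to the address and port taken
# from that URL.
#

global
    maxconn     20000
    ulimit-n    16384
    log         127.0.0.1 local0
    # run as non-root uid/gid 200, chrooted into /var/empty, in the background
    uid         200
    gid         200
    chroot      /var/empty
    daemon

frontend test-proxy
    bind        192.168.200.10:8080
    mode        http
    log         global
    option      httplog
    option      dontlognull
    maxconn     8000
    timeout client 30s

    # layer3: Valid users
    # exactly one source address may use the proxy; every other client is denied
    acl allow_host src 192.168.200.150/32
    http-request deny if !allow_host

    # layer7: the backend dials the IP carried in the URL, so a request whose
    # URL has no IP-literal authority has no usable destination and would not
    # be seen by the forbidden_dst check below: reject it up front
    acl has_dst_ip url_ip -m found
    http-request deny if !has_dst_ip

    # layer7: prevent private network relaying
    # 192.168.0.0/16 is the whole RFC 1918 block; a /24 would leave the
    # proxy's own 192.168.200.0/24 segment relayable. If a lab target inside
    # this range must stay reachable, allow it explicitly and narrowly
    # before this deny.
    acl forbidden_dst url_ip 192.168.0.0/16
    acl forbidden_dst url_ip 172.16.0.0/12
    acl forbidden_dst url_ip 10.0.0.0/8
    # loopback, link-local and "this host" ranges are internal destinations too
    acl forbidden_dst url_ip 127.0.0.0/8
    acl forbidden_dst url_ip 169.254.0.0/16
    acl forbidden_dst url_ip 0.0.0.0/8
    http-request deny if forbidden_dst

    # NOTE(review): only IPv4 ranges are listed and url_port is not
    # restricted, so any TCP port on a permitted destination is reachable.
    # Add a port allow-list (and IPv6 ranges, if the build resolves IPv6
    # literals through url_ip - confirm) when deploying beyond a demo.

    default_backend test-proxy-srv

backend test-proxy-srv
    mode        http
    timeout connect 5s
    timeout server  5s
    retries     2

    # layer7: Only GET method is valid
    acl valid_method method GET
    http-request deny if !valid_method

    # take IP address from URL's authority
    # and drop scheme+authority from URI
    http-request set-dst url_ip
    http-request set-dst-port url_port
    http-request set-uri %[pathq]
    # 0.0.0.0 means no fixed server address: the connection goes to the
    # destination address/port set by the two set-dst rules above
    server next-hop 0.0.0.0

    # layer7: protect bad reply
    # demo of response filtering: replies with this content-type are blocked
    http-response deny if { res.hdr(content-type) audio/mp3 }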