# This is a test configuration. It listens on port 8443, waits for an incoming
# connection, and applies the following rules :
#   - if the address is in the white list, then accept it and forward the
#     connection to the server (local port 443)
#   - if the address is in the black list, then immediately drop it
#   - otherwise, wait up to 3 seconds for valid SSL data to come in. If those
#     data are identified as SSL, the connection is immediately accepted, and
#     if they are definitely identified as non-SSL, the connection is rejected,
#     which will happen upon timeout if they still don't match SSL.

listen block-non-ssl
	log 127.0.0.1:514 local0
	option tcplog

	mode tcp
	bind :8443
	timeout  client 6s
	timeout  server 6s
	timeout connect 6s

	tcp-request inspect-delay 4s

	acl white_list src 127.0.0.2
	acl black_list src 127.0.0.3

	# note: SSLv2 is not used anymore, SSLv3.1 is TLSv1.
	acl obsolete_ssl  req_ssl_ver   lt 3
	acl correct_ssl   req_ssl_ver   3.0-3.1
	acl invalid_ssl   req_ssl_ver   gt 3.1

	tcp-request content accept if white_list
	tcp-request content reject if black_list
	tcp-request content reject if !correct_ssl

	balance roundrobin
	server srv1 127.0.0.1:443