# 01-07 HAProxy - 3.4 HTTPS 健康检查（443 应用层，HAProxy 终结 TLS，由 HAProxy 提供证书）
# frontend 需 bind *:443 ssl，backend mode http 连 K3s:443 做 HTTP over TLS 检查
# 将 your-ingress.example.com 改为实际 Host；将 /etc/ssl/haproxy.pem 改为实际证书路径
# 自签/内网 CA 用 verify none，生产建议 ca-file
# 文档：docs/01-07-openwrt-haproxy.md 第 3.4 节
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    bind *:18080
    default_backend k3s_http

frontend https_in
    bind *:18443 ssl crt /etc/ssl/haproxy.pem
    mode http
    default_backend k3s_https

backend k3s_http
    balance roundrobin
    server ylc61 192.168.2.61:80 check
    server ylc62 192.168.2.62:80 check
    server ylc63 192.168.2.63:80 check
    server ylc64 192.168.2.64:80 check

backend k3s_https
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ your-ingress.example.com
    default-server ssl verify none
    balance roundrobin
    server ylc61 192.168.2.61:443 check
    server ylc62 192.168.2.62:443 check
    server ylc63 192.168.2.63:443 check
    server ylc64 192.168.2.64:443 check