haproxy-test/haproxy.cfg

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
   ssl-dh-param-file /etc/haproxy/dhparam4096.pem

defaults
   log global
#   mode tcp
   mode http
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000
   option http-server-close 

#### Main fron end ####
frontend main_front
   bind *:80
   bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
#   http-request redirect scheme https unless { ssl_fc }
    redirect scheme https code 301 if !{ ssl_fc }

   #### Stats Page ####
   stats uri /haproxy?stats
   stats auth nick:sBbGmTah67npAPvehEmi5q9NwS5GA

   #### Set correct IP ####
   acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
   acl cf_ip_hdr  req.hdr(CF-Connecting-IP) -m found
#   http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr
   http-request set-header real-ip1 %[req.hdr(CF-Connecting-IP)] if from_cf cf_ip_hdr

   #### WP admin to single server ####
   acl url_is_wp_admin path_beg /wp-admin /wp-login.php /manage /securein
   use_backend adminServerHTTP if url_is_wp_admin

   #### LE cert ####
   acl letsencrypt-acl path_beg /.well-known/acme-challenge/
   use_backend letsencrypt-backend if letsencrypt-acl

   #### Configure Backends ####
   default_backend webserversHTTP

#### Main Backend ####
backend webserversHTTP
   balance roundrobin
   server web01 10.108.0.2:80 check
   server web02 10.108.0.5:80 check

#### Admin server ####
backend adminServerHTTP
   balance roundrobin
   server web01 10.108.0.2:80 check
   server web02 10.108.0.5:80 check

#### LE Backend ####
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8080