updated haproxy state

This commit is contained in:
Paul 2024-02-07 22:00:15 +01:00
parent 4e95093f8e
commit 7f5b3f51a3
3 changed files with 39 additions and 17 deletions

View File

@ -11,6 +11,7 @@ haproxy:
- libjansson-dev - libjansson-dev
maps: maps:
- access - access
- allowhttp
- countries - countries
- domains - domains
- redirects - redirects

View File

@ -78,6 +78,14 @@ backend admin from {{ haproxy.config.namespace }}
# Runtime API # Runtime API
stats socket {{ haproxy.config.api.tcpsocket }} level admin stats socket {{ haproxy.config.api.tcpsocket }} level admin
stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin stats socket {{ haproxy.config.api.filesocket }} mode 666 level admin
{%- endmacro %}
{%- macro geoip() %}
# GeoIP
http-request set-var(txn.country) lua.country(req.src)
http-request return status 200 content-type "text/html; charset=utf-8" lf-string "<html><body><p>ip: %[var(req.src)]</p><p>country: %[lua.country(req.src)]</p><p>city: %[lua.city(req.src)]<p></body></html>" if self_host path_location
acl allowed_country var(txn.country),map_str(/etc/haproxy/maps/countries,OK) OK
http-response deny deny_status 451 content-type text/plain string "Denied" if !allowed_country !internal
{%- endmacro %} {%- endmacro %}
# Global config # Global config
@ -149,19 +157,34 @@ frontend fe_http from {{ haproxy.config.namespace }}
## ACLs ## ACLs
acl http ssl_fc,not acl http ssl_fc,not
acl self_host req.hdr(Host) {{ fqdn }} acl self_host req.hdr(Host) {{ fqdn }}
acl internal src -f {{ haproxy.config.dir }}/maps/access
acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found
acl allowhttp req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/allowhttp) -m found
acl ua req.hdr(User-Agent),map_beg(/etc/haproxy/maps/ua) -m found
acl security_txt path /.well-known/security.txt
acl robots_txt path /robots.txt
acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }}
acl path_root path / acl path_root path /
acl path_host path_dir /host acl path_info path /info
acl path_date path_dir /date acl path_location path /location
acl path_srchash path_dir /srchash
## Basic rules ## Basic rules
http-request set-var(txn.srchash) src,crc32,mod(100) http-request set-var(txn.srchash) src,crc32,mod(100)
http-request set-var(txn.httpdate) date,http_date() http-request set-var(txn.httpdate) date,http_date()
http-request set-var(req.src) src
http-request set-var(req.host) req.hdr(Host)
http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host http-request return status 200 content-type text/html lf-string "host: %H\ndate: %[var(txn.httpdate)]\nsrchash: %[var(txn.srchash)]\n" if self_host path_info
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date {%- if haproxy.config.geoip.enabled %}
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash # GeoIP
http-request redirect scheme https if http {{ geoip() }}
{%- endif %}
http-request redirect scheme https if http !allowhttp
use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)] if domains
use_backend %[req.hdr(User-Agent),map_beg({{ haproxy.config.dir }}/maps/ua)] if ua
default_backend {{ ns.default_backend }}
# Default HTTPS frontend # Default HTTPS frontend
frontend fe_https from {{ haproxy.config.namespace }} frontend fe_https from {{ haproxy.config.namespace }}
@ -185,9 +208,7 @@ frontend fe_https from {{ haproxy.config.namespace }}
acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }} acl max_req_rate sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200) }}
acl self_host req.hdr(Host) {{ fqdn }} acl self_host req.hdr(Host) {{ fqdn }}
acl path_root path / acl path_root path /
acl path_host path_dir /host acl path_info path /info
acl path_date path_dir /date
acl path_srchash path /srchash
acl path_location path /location acl path_location path /location
## Basic rules ## Basic rules
@ -212,18 +233,13 @@ frontend fe_https from {{ haproxy.config.namespace }}
{%- if haproxy.config.geoip.enabled %} {%- if haproxy.config.geoip.enabled %}
# GeoIP # GeoIP
http-request set-var(txn.country) lua.country(req.src) {{ geoip() }}
http-request return status 200 content-type "text/html; charset=utf-8" lf-string "<html><body><p>ip: %[var(req.src)]</p><p>country: %[lua.country(req.src)]</p><p>city: %[lua.city(req.src)]<p></body></html>" if self_host path_location
acl allowed_country var(txn.country),map_str(/etc/haproxy/maps/countries,OK) OK
http-response deny deny_status 451 content-type text/plain string "Denied" if !allowed_country !internal
{%- endif %} {%- endif %}
## Returns ## Returns
http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt
http-request return status 200 content-type text/plain string "Contact: mailto:{{ haproxy.config.syscontact }}" if security_txt http-request return status 200 content-type text/plain string "Contact: mailto:{{ haproxy.config.syscontact }}" if security_txt
http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host http-request return status 200 content-type text/html lf-string "host: %H\ndate: %[var(txn.httpdate)]\nsrchash: %[var(txn.srchash)]\n" if self_host path_info
http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
## Headers ## Headers
http-request set-header X-Proxy-Id "%H" http-request set-header X-Proxy-Id "%H"

View File

@ -0,0 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "haproxy/map.jinja" import haproxy with context %}
{%- for name, values in haproxy.config.vhosts.items() %}
{{ name }} {{ 'true' if values.allowhttp|default(false) else 'false' }}
{%- endfor %}