Haproxy: Allow staging backends to be accessed from source ips

OpenConext · Oct 30, 2023 · 06a0493 · 06a0493
1 parent 14330d4
commit 06a0493
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
@@ -21,3 +21,6 @@ haproxy_internalips:
   - 0.0.0.0/0
   - ::0/0
 haproxy_hsts_value: "max-age=34214400"
+# If you have a staging server you want to be accessed from certain ips, and them to this list
+haproxy_stagingips:
+  - ''
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
@@ -147,6 +147,7 @@
     - allowedips.acl
     - blockedips.acl
     - internalips.acl
+    - stagingips.acl
   notify:
     - "reload haproxy"
 

diff --git a/roles/haproxy/templates/haproxy_frontend.cfg.j2 b/roles/haproxy/templates/haproxy_frontend.cfg.j2
@@ -58,9 +58,10 @@ frontend internet_ip
 frontend local_ip
     bind 127.0.0.1:81 accept-proxy
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsunrestricted.acl
+    acl staging req.cook(staging) -m str true
+    acl staging src -f /etc/haproxy/acls/stagingips.acl
     acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
-    acl stagingcookie req.cook(staging) -m str true
-    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost stagingcookie
+    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
     capture request header User-agent len 256
@@ -151,9 +152,10 @@ frontend internet_restricted_ip
 frontend localhost_restricted    
     bind 127.0.0.1:82 accept-proxy
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsrestricted.acl
+    acl staging req.cook(staging) -m str true
+    acl staging src -f /etc/haproxy/acls/stagingips.acl
     acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
-    acl stagingcookie req.cook(staging) -m str true
-    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost stagingcookie
+    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
     capture request header User-agent len 256

diff --git a/roles/haproxy/templates/stagingips.acl.j2 b/roles/haproxy/templates/stagingips.acl.j2
@@ -0,0 +1,3 @@
+{% for ip in haproxy_stagingips %}
+{{ ip }}
+{% endfor %}