From 06a04939ba2edec774dc9f240d36680474a3d873 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 27 Oct 2023 14:57:46 +0200
Subject: [PATCH] Haproxy: Allow staging backends to be accessed from source ips

---
 roles/haproxy/defaults/main.yml | 3 +++
 roles/haproxy/tasks/main.yml | 1 +
 roles/haproxy/templates/haproxy_frontend.cfg.j2 | 10 ++++++----
 roles/haproxy/templates/stagingips.acl.j2 | 3 +++
 4 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 roles/haproxy/templates/stagingips.acl.j2

diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
index db8a0980b..aa70d5570 100644
--- a/roles/haproxy/defaults/main.yml
+++ b/roles/haproxy/defaults/main.yml
@@ -21,3 +21,6 @@ haproxy_internalips:
 - 0.0.0.0/0
 - ::0/0
 haproxy_hsts_value: "max-age=34214400"
+# If you have a staging server you want to be accessed from certain ips, and them to this list
+haproxy_stagingips: - ''
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 6ddcf0361..708f91329 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -147,6 +147,7 @@
 - allowedips.acl
 - blockedips.acl
 - internalips.acl
+ - stagingips.acl
 notify:
 - "reload haproxy"
diff --git a/roles/haproxy/templates/haproxy_frontend.cfg.j2 b/roles/haproxy/templates/haproxy_frontend.cfg.j2
index 189fcd076..d44d88a8d 100644
--- a/roles/haproxy/templates/haproxy_frontend.cfg.j2
+++ b/roles/haproxy/templates/haproxy_frontend.cfg.j2
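Review bot: The default `haproxy_stagingips: ['']` renders an empty line into stagingips.acl instead of an empty allow-list; HAProxy's pattern-file loader skips blank lines as far as I recall, but an explicitly empty list `haproxy_stagingips: []` states the intent and does not depend on that. The comment has a typo ("and them" should be "add them") and should say what the list grants: every address in it is routed to the staging backend on both the unrestricted and the restricted frontend, so the `0.0.0.0/0` / `::0/0` catch-alls used for `haproxy_internalips` just above must never be copied here. Suggested comment: `# Source IPs/CIDRs (rendered one per line into stagingips.acl) that reach the staging backends without the staging cookie; keep it tight, never 0.0.0.0/0.`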
@@ -58,9 +58,10 @@ frontend internet_ip
 frontend local_ip
 bind 127.0.0.1:81 accept-proxy
 acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsunrestricted.acl
+ acl staging req.cook(staging) -m str true
+ acl staging src -f /etc/haproxy/acls/stagingips.acl
 acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
- acl stagingcookie req.cook(staging) -m str true
- use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost stagingcookie
+ use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
 use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
 option httplog
 capture request header User-agent len 256
@@ -151,9 +152,10 @@ frontend internet_restricted_ip
 frontend localhost_restricted
 bind 127.0.0.1:82 accept-proxy
 acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsrestricted.acl
+ acl staging req.cook(staging) -m str true
+ acl staging src -f /etc/haproxy/acls/stagingips.acl
 acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
- acl stagingcookie req.cook(staging) -m str true
- use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost stagingcookie
+ use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
 use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
 option httplog
 capture request header User-agent len 256
diff --git a/roles/haproxy/templates/stagingips.acl.j2 b/roles/haproxy/templates/stagingips.acl.j2
new file mode 100644
index 000000000..afa15c617
--- /dev/null
+++ b/roles/haproxy/templates/stagingips.acl.j2
@@ -0,0 +1,3 @@
+{% for ip in haproxy_stagingips %}
+{{ ip }}
+{% endfor %}
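Review bot: Declaring `acl staging` twice (cookie on one line, `src -f` on the next) makes HAProxy OR the two conditions into a single ACL, so the staging backend is selected when the client-settable `staging=true` cookie is present or the source address is listed — the shared name hides that the IP list is an additional route into staging, not a restriction on the cookie. Spell it out with two ACLs: `acl stagingcookie req.cook(staging) -m str true`, `acl stagingip src -f /etc/haproxy/acls/stagingips.acl` and `use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost stagingcookie || stagingip`. Because this frontend binds 127.0.0.1:81 with `accept-proxy`, `src` is whatever address the PROXY-protocol sender in front of it reports, so the IP match is only as trustworthy as that component; a comment to that effect next to the `src` ACL would help the next reader. The same duplicated-name pattern is repeated in the second hunk for `localhost_restricted`, and both frontend bodies continue outside the hunks.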
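Review bot: The loop writes every list entry verbatim, so the role default of `['']` produces a blank line and any stray non-address value is passed straight to `src -f`; skipping empty entries with `{% for ip in haproxy_stagingips if ip %}` keeps the rendered file clean regardless of the default. A header line such as `# managed by ansible: source addresses routed to the staging backends without the staging cookie` would document the file's purpose for anyone reading /etc/haproxy/acls on the host; HAProxy ignores `#` lines in pattern files as far as I recall, but worth confirming before adding it.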