From 4b05b3ead3669b5cb649215cd45a95807606b2c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20V=C3=B6lker?= Date: Wed, 8 Jun 2022 16:56:14 +0200 Subject: [PATCH 1/2] allow ACLs in stats --- templates/etc/haproxy/haproxy-stats.cfg.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/etc/haproxy/haproxy-stats.cfg.j2 b/templates/etc/haproxy/haproxy-stats.cfg.j2 index 0c69005..788ed61 100644 --- a/templates/etc/haproxy/haproxy-stats.cfg.j2 +++ b/templates/etc/haproxy/haproxy-stats.cfg.j2 @@ -10,6 +10,11 @@ listen stats {% endif %} mode http maxconn 10 +{% if haproxy_stats_acls is defined and haproxy_stats_acls|length %} + {% for acl in haproxy_stats_acls %} + acl {{ acl }} + {% endfor %} +{% endif %} stats enable {% for opt in haproxy_stats_options %} stats {{ opt }} From 5c746602c2a6907f6dbfe8ebac6d3b251cd66374 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20V=C3=B6lker?= Date: Wed, 8 Jun 2022 17:23:21 +0200 Subject: [PATCH 2/2] added configuration example and empty default --- README.md | 28 ++++++++++++++++++++++++++-- defaults/main.yml | 1 + 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1b1b2fd..3963115 100644 --- a/README.md +++ b/README.md @@ -123,8 +123,15 @@ haproxy_default_monitor_uri: # Userlist haproxy_userlist: - -# Stats + - stats-auth: + groups: + - "admin users admin" + - "readonly users user" + users: + - "admin insecure-password opqrstuvw" + - "user insecure-password abcdefghi" + +# Stats with HTTP Basic Auth and a single user haproxy_stats: true haproxy_stats_address: '*' haproxy_stats_port: 9001 
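Review bot: In `templates/etc/haproxy/haproxy-stats.cfg.j2`, the new `acl {{ acl }}` line only declares a named condition, and nothing in this hunk makes the stats listener enforce it. Access control therefore depends on a matching entry in `haproxy_stats_options`, which the `stats {{ opt }}` loop below renders. If an operator fills `haproxy_stats_acls`, empties `haproxy_stats_auth` as the README example does, and leaves out the `http-request auth unless …` option, the stats page would apparently be served without authentication. I would add a template comment above the loop, e.g. `{# ACLs only name conditions; they restrict nothing until a stats option such as "http-request auth unless NAME" references them. Entries are written verbatim: single-line "NAME criterion" strings only. #}`. The `listen stats` block starts and ends outside the hunk, so how `haproxy_stats_auth` itself is rendered is not visible here.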
@@ -145,6 +152,23 @@ haproxy_stats_timeouts: - connect 100s - queue 100s +# Stats with HTTP Basic Auth using an userlist +haproxy_stats: true +haproxy_stats_address: "::" +haproxy_stats_port: 8081 +haproxy_stats_ssl: false +haproxy_stats_uri: /stats +haproxy_stats_auth: +haproxy_stats_acls: + - "AUTH http_auth(stats-auth)" + - "AUTH_ADMIN http_auth_group(stats-auth) admin" +haproxy_stats_options: + - refresh 5s + - show-legends + - show-node + - http-request auth unless AUTH + - admin if AUTH_ADMIN + # SSL haproxy_ssl_certificate: /etc/ssl/uoi.io/uoi.io.pem haproxy_ssl_options: no-sslv3 no-tls-tickets force-tlsv12 diff --git a/defaults/main.yml b/defaults/main.yml index 178fc6a..6492fea 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -89,6 +89,7 @@ haproxy_stats_address: '*' haproxy_stats_port: 9001 haproxy_stats_ssl: false haproxy_stats_auth: true +haproxy_stats_acls: [] haproxy_stats_user: haproxy-stats haproxy_stats_password: B1Gp4sSw0rD!! haproxy_stats_uri: /
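Review bot: In `defaults/main.yml`, the new `haproxy_stats_acls: []` default has no comment saying what an entry looks like or when it takes effect. I would add `# List of "NAME criterion" strings rendered as "acl ..." lines in the stats listener; only effective when referenced from haproxy_stats_options` directly above it. The context lines of this hunk also show the listener defaulting to address `'*'` with `haproxy_stats_auth: true` and a fixed `haproxy_stats_password` committed in the defaults. A second comment noting that the userlist/ACL setup can replace that shared default credential, and that the default password should be overridden in any case, would help operators who copy these defaults.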