
haproxy: possible admin access with login/pass

pull/124/head
Jérémy Lecour 2 months ago
committed by Jérémy Lecour
parent
commit
1f4079b1b3
  1. 1
      CHANGELOG.md
  2. 4
      haproxy/defaults/main.yml
  3. 20
      haproxy/templates/haproxy.default.cfg.j2

1
CHANGELOG.md

@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
* apache: new variables for logrotate + server-status
* filebeat: package can be upgraded to latest (default: False)
* haproxy: possible admin access with login/pass
* metricbeat: package can be upgraded to latest (default: False)
* nagios-nrpe: new script check_phpfpm_multi
* nginx: add access to server status on default VHost

4
haproxy/defaults/main.yml

@ -18,6 +18,10 @@ haproxy_chroot: /var/lib/haproxy
haproxy_stats_access_ips: []
haproxy_stats_admin_ips: []
haproxy_stats_users: []
## use crypt(8) password encryption
# haproxy_stats_users:
# - { login: "", password: "" }
haproxy_maintenance_ips: []
haproxy_deny_ips: []
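Review bot: The comment above the commented-out `haproxy_stats_users` example does not say that `password` must hold a hash rather than the cleartext password, and `crypt(8)` is not the usual reference for the format. The template in this commit emits HAProxy's `password` keyword, which is compared against a crypt(3)-style hash, so a cleartext value placed here would most likely never match at login. I would reword the comment to `## password must be a crypt(3) hash (e.g. SHA-512, "$6$..."), never the cleartext password`. A second comment line should recommend keeping real entries in an Ansible Vault-encrypted variable file, since the hash itself can still be attacked offline if it leaks.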

20
haproxy/templates/haproxy.default.cfg.j2

@ -35,18 +35,34 @@ defaults
errorfile 504 /etc/haproxy/errors/504.http
{% if haproxy_stats_enable %}
{% if haproxy_stats_users %}
userlist stats_users
{% for user in haproxy_stats_users | default([]) %}
user {{ user.login }} password {{ user.password }}
{% endfor %}
{% endif %}
listen stats
mode http
bind {{ haproxy_stats_bind_directive }}
acl stats_access_ips src -f /etc/haproxy/stats_access_ips
acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
stats enable
stats refresh 10s
stats uri {{ haproxy_stats_path }}
stats show-legends
stats show-node
stats admin if { src -f /etc/haproxy/stats_admin_ips }
stats admin if stats_admin_ips
{% if haproxy_stats_users %}
acl stats_users http_auth(stats_users)
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
{% else %}
stats http-request deny if !stats_access_ips
{% endif %}
http-request deny if !{ src -f /etc/haproxy/stats_access_ips }
http-request set-log-level silent
{% endif %}
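Review bot: Once `haproxy_stats_users` is non-empty, the `stats http-request auth` rule takes the place of the source-IP deny, so the stats URI answers a Basic-auth challenge to any client address instead of rejecting unlisted ones. Basic credentials are only base64-encoded, and `haproxy_stats_bind_directive` is defined outside this section, so whether the listener is TLS-terminated cannot be seen here; I would state the requirement next to the rule, e.g. `# with haproxy_stats_users set, any source IP may authenticate: bind this listener with TLS`. The rendered page has lost the +/- column, so I am assuming `http-request deny if !{ src -f /etc/haproxy/stats_access_ips }` is on the removed side; if it were still present it would likely refuse unlisted sources before the challenge and the user list would have no effect. `user {{ user.login }} password {{ user.password }}` also writes both values unquoted, so a login containing whitespace or a newline would change the generated configuration; an assertion on the variable in the role's tasks would catch that.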
