From 1f4079b1b36437f4d21ddb53ff395a0d5a83d870 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sat, 27 Feb 2021 18:43:59 +0100
Subject: [PATCH] haproxy: possible admin access with login/pass

---
 CHANGELOG.md | 1 +
 haproxy/defaults/main.yml | 4 ++++
 haproxy/templates/haproxy.default.cfg.j2 | 20 ++++++++++++++++++--
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdfcd6a1..3bafe3ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
 * apache: new variables for logrotate + server-status
 * filebeat: package can be upgraded to latest (default: False)
+* haproxy: possible admin access with login/pass
 * metricbeat: package can be upgraded to latest (default: False)
 * nagios-nrpe: new script check_phpfpm_multi
 * nginx: add access to server status on default VHost
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 42f5483b..c69f48d3 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -18,6 +18,10 @@ haproxy_chroot: /var/lib/haproxy
 haproxy_stats_access_ips: []
 haproxy_stats_admin_ips: []
+haproxy_stats_users: []
+## use crypt(8) password encryption
+# haproxy_stats_users:
+# - { login: "", password: "" }
 haproxy_maintenance_ips: []
 haproxy_deny_ips: []
diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2
index 5e4c4b9f..1e6f8be1 100644
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
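Review bot: The comment above the new `haproxy_stats_users` variable refers to `crypt(8)`, but the hashing function is `crypt(3)`, and the template renders each entry with HAProxy's `password` keyword, which compares against a crypt-style hash, so a clear-text value placed here would simply never authenticate rather than fail loudly. Suggest replacing the comment with `## password must be a crypt(3) hash (e.g. from mkpasswd); clear-text values will not authenticate`. It is also worth stating that both `login` and `password` are required for every entry, since an entry missing either renders an incomplete `user` line that HAProxy will most likely reject at config check time.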
@@ -35,18 +35,34 @@ defaults
     errorfile 504 /etc/haproxy/errors/504.http
 {% if haproxy_stats_enable %}
+{% if haproxy_stats_users %}
+userlist stats_users
+{% for user in haproxy_stats_users | default([]) %}
+    user {{ user.login }} password {{ user.password }}
+{% endfor %}
+
+{% endif %}
 listen stats
     mode http
     bind {{ haproxy_stats_bind_directive }}
+    acl stats_access_ips src -f /etc/haproxy/stats_access_ips
+    acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
+
     stats enable
     stats refresh 10s
     stats uri {{ haproxy_stats_path }}
     stats show-legends
     stats show-node
-    stats admin if { src -f /etc/haproxy/stats_admin_ips }
+    stats admin if stats_admin_ips
+
+{% if haproxy_stats_users %}
+    acl stats_users http_auth(stats_users)
+    stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
+{% else %}
+    stats http-request deny if !stats_access_ips
+{% endif %}
-    http-request deny if !{ src -f /etc/haproxy/stats_access_ips }
     http-request set-log-level silent
 {% endif %}
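Review bot: When `haproxy_stats_users` is non-empty, the new `stats http-request auth ... if !stats_access_ips !stats_users` rule replaces the removed unconditional `http-request deny`, so the stats listener now answers a Basic-auth challenge to every source address instead of only the allow-listed ones, and the surviving `http-request set-log-level silent` most likely suppresses the log entries for those failed attempts as well; if `haproxy_stats_bind_directive` is reachable beyond the trusted network, guessing attempts are neither rate-limited nor visible. Suggest keeping the log when credentials are in play, e.g. wrapping that line in `{% if not haproxy_stats_users %}` / `{% endif %}`, and a template comment noting that Basic auth carries the credential in clear unless the bind directive terminates TLS, which the hunk does not show. Note also that `stats admin if stats_admin_ips` still tests only the source address, so an authenticated user outside `haproxy_stats_admin_ips` gets read-only stats rather than the admin access the commit title suggests; a one-line comment above the `stats admin` rule stating this would avoid surprises. The `| default([])` on the `for` loop is redundant inside the `{% if haproxy_stats_users %}` guard.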