haproxy: possible admin access with login/pass

Jérémy Lecour 2021-02-27 18:43:59 +01:00 committed by Jérémy Lecour
parent 92b7ce0acd
commit 1f4079b1b3
3 changed files with 23 additions and 2 deletions


@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
* apache: new variables for logrotate + server-status * apache: new variables for logrotate + server-status
* filebeat: package can be upgraded to latest (default: False) * filebeat: package can be upgraded to latest (default: False)
* haproxy: possible admin access with login/pass
* metricbeat: package can be upgraded to latest (default: False) * metricbeat: package can be upgraded to latest (default: False)
* nagios-nrpe: new script check_phpfpm_multi * nagios-nrpe: new script check_phpfpm_multi
* nginx: add access to server status on default VHost * nginx: add access to server status on default VHost


@ -18,6 +18,10 @@ haproxy_chroot: /var/lib/haproxy
haproxy_stats_access_ips: [] haproxy_stats_access_ips: []
haproxy_stats_admin_ips: [] haproxy_stats_admin_ips: []
haproxy_stats_users: []
## use crypt(8) password encryption
# haproxy_stats_users:
# - { login: "", password: "" }
haproxy_maintenance_ips: [] haproxy_maintenance_ips: []
haproxy_deny_ips: [] haproxy_deny_ips: []
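Review bot: The comment `## use crypt(8) password encryption` above the `haproxy_stats_users` example does not say that the value must already be a hash, and the sample `password: ""` invites a plaintext value. HAProxy's `password` keyword compares against a crypt(3) hash, so I would reword the comment to something like `## password must be a crypt(3) hash (e.g. SHA-512), never the plaintext`. The comment could also say how to generate such a hash. If this is an Ansible role, as the layout suggests, it is also worth stating that real values belong in an encrypted vars file rather than in plain inventory.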


@ -35,18 +35,34 @@ defaults
errorfile 504 /etc/haproxy/errors/504.http errorfile 504 /etc/haproxy/errors/504.http
{% if haproxy_stats_enable %} {% if haproxy_stats_enable %}
{% if haproxy_stats_users %}
userlist stats_users
{% for user in haproxy_stats_users | default([]) %}
user {{ user.login }} password {{ user.password }}
{% endfor %}
{% endif %}
listen stats listen stats
mode http mode http
bind {{ haproxy_stats_bind_directive }} bind {{ haproxy_stats_bind_directive }}
acl stats_access_ips src -f /etc/haproxy/stats_access_ips
acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
stats enable stats enable
stats refresh 10s stats refresh 10s
stats uri {{ haproxy_stats_path }} stats uri {{ haproxy_stats_path }}
stats show-legends stats show-legends
stats show-node stats show-node
stats admin if { src -f /etc/haproxy/stats_admin_ips } stats admin if stats_admin_ips
{% if haproxy_stats_users %}
acl stats_users http_auth(stats_users)
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
{% else %}
stats http-request deny if !stats_access_ips
{% endif %}
http-request deny if !{ src -f /etc/haproxy/stats_access_ips }
http-request set-log-level silent http-request set-log-level silent
{% endif %} {% endif %}
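Review bot: When `haproxy_stats_users` is non-empty, the rule `stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users` lets any source address reach the stats page with HTTP Basic credentials alone, where the removed `http-request deny` rule refused every address outside the list. Nothing in this section shows that `haproxy_stats_bind_directive` enables TLS, so those credentials may cross the network in cleartext; I would add a comment above the `userlist stats_users` block such as `# Basic auth: make sure haproxy_stats_bind_directive carries "ssl crt ..."`. `stats admin if stats_admin_ips` still ties admin actions to the admin IP list, so a login appears to grant read access only. If that is intended, a one-line comment saying so would prevent confusion with the commit title. The `defaults` section this block sits in starts outside the hunk.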