haproxy: enable stats frontend with access lists

2020-06-09 11:41:26 +02:00 · 2020-06-09 11:41:26 +02:00 · 45731c7755
parent f5d06ad0b1
commit 45731c7755
4 changed files with 64 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release.

 ### Added

+* haproxy: enable stats frontend with access lists
 * lxc-php: Install php-sqlite by default
 * lxc-php: Don't disable putenv() by default in PHP settings
 * mysql: activate binary logs by specifying log_bin path
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@ -7,3 +7,10 @@ haproxy_force_config: True

 haproxy_socket: /run/haproxy/admin.sock
 haproxy_chroot: /var/lib/haproxy
+
+haproxy_stats_access_ips: []
+haproxy_stats_admin_ips: []
+haproxy_maintenance_ips: []
+
+haproxy_stats_enable: False
+haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@ -35,4 +35,40 @@
    - haproxy
    - config

+- name: HAProxy stats_access_ips are present
+  blockinfile:
+    dest: /etc/haproxy/stats_access_ips
+    create: yes
+    block: |
+      {% for ip in haproxy_stats_access_ips | default([]) %}
+      {{ ip }}
+      {% endfor %}
+  notify: reload haproxy
+  tags:
+    - haproxy
+    - config
+
+- name: HAProxy stats_admin_ips are present
+  blockinfile:
+    dest: /etc/haproxy/stats_admin_ips
+    create: yes
+    block: |
+      {% for ip in haproxy_stats_admin_ips | default([]) %}
+      {{ ip }}
+      {% endfor %}
+  notify: reload haproxy
+  tags:
+    - haproxy
+    - config
+
+- name: HAProxy maintenance_ips are present
+  blockinfile:
+    dest: /etc/haproxy/maintenance_ips
+    create: yes
+    block: |
+      {% for ip in haproxy_maintenance_ips | default([]) %}
+      {{ ip }}
+      {% endfor %}
+  notify: reload haproxy
+
 - include: munin.yml
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
@ -37,3 +37,23 @@ defaults
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
+
+{% if haproxy_stats_enable %}
+listen stats
+    mode http
+    bind {{ haproxy_stats_bind }}
+
+    stats enable
+    stats refresh 10s
+    stats uri /
+    stats show-legends
+    stats show-node
+
+    acl stats_access_ips src -f /etc/haproxy/stats_access_ips
+    http-request deny if !stats_access_ips
+
+    acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
+    stats admin if stats_admin_ips
+
+    http-request set-log-level silent
+{% endif %}