haproxy: add deny_ips file to reject connections

This commit is contained in:
Jérémy Lecour 2020-06-14 23:28:29 +02:00 committed by Gitea
parent d26d501b2c
commit 4c4771b3ab
4 changed files with 15 additions and 0 deletions


@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
### Added
* certbot: detect HAProxy cert directory
* haproxy: add deny_ips file to reject connections
* haproxy: add some comments to default config
* haproxy: enable stats frontend with access lists
* haproxy: preconfigure SSL with defaults


@ -11,6 +11,7 @@ haproxy_chroot: /var/lib/haproxy
haproxy_stats_access_ips: []
haproxy_stats_admin_ips: []
haproxy_maintenance_ips: []
haproxy_deny_ips: []
haproxy_stats_enable: False
haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
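Review bot: The new `haproxy_deny_ips` default carries no comment, and the rule that would actually consume the file it feeds is shipped commented out in the config template on this same commit (the `# tcp-request connection reject if { src -f /etc/haproxy/deny_ips }` line), so setting the variable on its own writes the file but rejects nothing. A comment above the default would make that explicit: `# IPs or CIDR networks written to /etc/haproxy/deny_ips; only enforced once the tcp-request connection reject rule is uncommented in the HAProxy config template`. The template's filename is not shown on this page, so the comment should name it once it is known.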


@ -76,6 +76,16 @@
{% endfor %}
notify: reload haproxy
- name: HAProxy deny_ips are present
blockinfile:
dest: /etc/haproxy/deny_ips
create: yes
block: |
{% for ip in haproxy_deny_ips | default([]) %}
{{ ip }}
{% endfor %}
notify: reload haproxy
- include: packages_backports.yml
when: haproxy_backports
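Review bot: `create: yes` on the new blockinfile task uses the YAML 1.1 boolean spelling; yamllint's truthy rule and current Ansible style favour `create: true`, and the same spelling presumably appears in the sibling task above the hunk. Separately, with the default empty `haproxy_deny_ips` the rendered block is empty and blockinfile still creates the file without a block, which appears to be what the config needs, since the reject rule in the template references `/etc/haproxy/deny_ips` with `src -f` and HAProxy requires that pattern file to exist at load time; a comment on the task, `# the file must exist even when empty: the config references it with src -f`, would stop someone from adding a `when: haproxy_deny_ips` guard that breaks the reload. The rendering flattened the hunk's indentation, so the task's nesting under the play's task list cannot be checked here.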


@ -70,6 +70,9 @@ listen stats
# # Detect Let's Encrypt challenge requests
# acl letsencrypt path_dir -i /.well-known/acme-challenge
#
# # Reject the request at the TCP level if source is in the denylist
# tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
#
# http-request set-header X-Forwarded-Proto https if { ssl_fc }
# http-request set-header X-Forwarded-Port 443 if { ssl_fc }
#
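Review bot: The commented `tcp-request connection reject` example matches on `src`, which is the address of the TCP peer, so it only identifies the real client when HAProxy accepts connections directly or the bind line uses `accept-proxy` with the PROXY protocol; behind another proxy or load balancer the list would be compared against that intermediary's address and a denied client would pass through. Because this stanza is documentation that operators are expected to uncomment, a caveat next to it would avoid a false sense of coverage: `# # Note: src is the TCP peer; behind another proxy, enable accept-proxy on the bind so the real client address is checked`. The enclosing frontend/listen section starts before the hunk.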