From 4c4771b3ab783543b54dd1ec092a2a4763696886 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 14 Jun 2020 23:28:29 +0200
Subject: [PATCH] haproxy: add deny_ips file to reject connections

---
 CHANGELOG.md                             |  1 +
 haproxy/defaults/main.yml                |  1 +
 haproxy/tasks/main.yml                   | 10 ++++++++++
 haproxy/templates/haproxy.default.cfg.j2 |  3 +++
 4 files changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 360945fc..5e153fdd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
 
 ### Added
 * certbot: detect HAProxy cert directory
+* haproxy: add deny_ips file to reject connections
 * haproxy: add some comments to default config
 * haproxy: enable stats frontend with access lists
 * haproxy: preconfigure SSL with defaults
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 64d061ef..55452db8 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -11,6 +11,7 @@ haproxy_chroot: /var/lib/haproxy
 haproxy_stats_access_ips: []
 haproxy_stats_admin_ips: []
 haproxy_maintenance_ips: []
+haproxy_deny_ips: []
 
 haproxy_stats_enable: False
 haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index 9fade1a6..f4ce3d79 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -76,6 +76,16 @@
       {% endfor %}
   notify: reload haproxy
 
+- name: HAProxy deny_ips are present
+  blockinfile:
+    dest: /etc/haproxy/deny_ips
+    create: yes
+    block: |
+      {% for ip in haproxy_deny_ips | default([]) %}
+      {{ ip }}
+      {% endfor %}
+  notify: reload haproxy
+
 - include: packages_backports.yml
   when: haproxy_backports
 
diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2
index 43576ce9..35f8a858 100644
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
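Review bot: The entries the new `HAProxy deny_ips are present` task writes to /etc/haproxy/deny_ips are not validated, so a malformed value in `haproxy_deny_ips` would, once the reject rule in the template is enabled, only surface as a failed HAProxy reload with the previous denylist still in force; the expected format is worth documenting next to the new default in haproxy/defaults/main.yml, e.g. `# IPs or CIDR networks rejected at TCP connection level (written to /etc/haproxy/deny_ips)`. `create: yes` is a YAML 1.1 truthy value; `create: true` is the unambiguous form. The file also gets whatever the umask yields, with no explicit `mode`/`owner`; since HAProxy only reads it, `mode: "0644"` and `owner: root` would pin that down.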
@@ -70,6 +70,9 @@ listen stats
 # # Detect Let's Encrypt challenge requests
 # acl letsencrypt path_dir -i /.well-known/acme-challenge
 #
+# # Reject the request at the TCP level if source is in the denylist
+# tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
+#
 # http-request set-header X-Forwarded-Proto https if { ssl_fc }
 # http-request set-header X-Forwarded-Port 443 if { ssl_fc }
 #
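Review bot: The new `tcp-request connection reject` example matches `src`, which is the address of the TCP peer, so when HAProxy sits behind another proxy or load balancer the denylist is compared against the upstream hop's address rather than the client's unless the bind line uses the PROXY protocol; the example comment could say so: `# # Note: src is the TCP peer address; behind another proxy use accept-proxy on the bind so the real client IP is matched`. As far as I know HAProxy also fails its config check when a `-f` pattern file is missing, so the example depends on the `HAProxy deny_ips are present` task having run, which deserves a word in the comment. The commented-out section this hunk sits in starts before the hunk.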