Release 10.1.0 #113
|
@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* certbot: detect HAProxy cert directory
|
* certbot: detect HAProxy cert directory
|
||||||
|
* haproxy: add deny_ips file to reject connections
|
||||||
* haproxy: add some comments to default config
|
* haproxy: add some comments to default config
|
||||||
* haproxy: enable stats frontend with access lists
|
* haproxy: enable stats frontend with access lists
|
||||||
* haproxy: preconfigure SSL with defaults
|
* haproxy: preconfigure SSL with defaults
|
||||||
|
|
|
@ -11,6 +11,7 @@ haproxy_chroot: /var/lib/haproxy
|
||||||
haproxy_stats_access_ips: []
|
haproxy_stats_access_ips: []
|
||||||
haproxy_stats_admin_ips: []
|
haproxy_stats_admin_ips: []
|
||||||
haproxy_maintenance_ips: []
|
haproxy_maintenance_ips: []
|
||||||
|
haproxy_deny_ips: []
|
||||||
|
|
||||||
haproxy_stats_enable: False
|
haproxy_stats_enable: False
|
||||||
haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
|
haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
|
||||||
|
|
|
@ -76,6 +76,16 @@
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
notify: reload haproxy
|
notify: reload haproxy
|
||||||
|
|
||||||
|
- name: HAProxy deny_ips are present
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/haproxy/deny_ips
|
||||||
|
create: yes
|
||||||
|
block: |
|
||||||
|
{% for ip in haproxy_deny_ips | default([]) %}
|
||||||
|
{{ ip }}
|
||||||
|
{% endfor %}
|
||||||
|
notify: reload haproxy
|
||||||
|
|
||||||
- include: packages_backports.yml
|
- include: packages_backports.yml
|
||||||
when: haproxy_backports
|
when: haproxy_backports
|
||||||
|
|
||||||
|
|
|
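Review bot: The new `HAProxy deny_ips are present` task creates `/etc/haproxy/deny_ips` with `create: yes` but sets no ownership or mode, so the permissions of a file that decides which sources get rejected depend on the umask of the Ansible run. I would add `owner: root`, `group: root` and `mode: "0644"` to the `blockinfile` arguments. The entries of `haproxy_deny_ips` are also written without validation. A malformed address would presumably only surface when the `reload haproxy` handler runs (the handler is not visible here), so an `assert` on the list before this task would fail earlier and more clearly. As a point of style, `path:` is the current name for `dest:` in `blockinfile` on recent Ansible, and `create: true` avoids the YAML 1.1 truthy form.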
@ -70,6 +70,9 @@ listen stats
|
||||||
# # Detect Let's Encrypt challenge requests
|
# # Detect Let's Encrypt challenge requests
|
||||||
# acl letsencrypt path_dir -i /.well-known/acme-challenge
|
# acl letsencrypt path_dir -i /.well-known/acme-challenge
|
||||||
#
|
#
|
||||||
|
# # Reject the request at the TCP level if source is in the denylist
|
||||||
|
# tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
|
||||||
|
#
|
||||||
# http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
# http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||||
# http-request set-header X-Forwarded-Port 443 if { ssl_fc }
|
# http-request set-header X-Forwarded-Port 443 if { ssl_fc }
|
||||||
#
|
#
|
||||||
|
|
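Review bot: The added `tcp-request connection reject if { src -f /etc/haproxy/deny_ips }` rule ships commented out, like the surrounding lines, so populating `haproxy_deny_ips` fills the file without rejecting anything until an operator enables the line. The comment should say so, e.g. `# # Reject at the TCP level if source is in the denylist (uncomment to enforce haproxy_deny_ips)`. It is also worth stating in the comment that `src` at `tcp-request connection` is the address of the direct peer, so behind another proxy or load balancer the denylist would match that device rather than the original client. The enclosing example section starts and ends outside this hunk.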