haproxy: possible admin access with login/pass
parent
92b7ce0acd
commit
1f4079b1b3
|
@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
* apache: new variables for logrotate + server-status
|
* apache: new variables for logrotate + server-status
|
||||||
* filebeat: package can be upgraded to latest (default: False)
|
* filebeat: package can be upgraded to latest (default: False)
|
||||||
|
* haproxy: possible admin access with login/pass
|
||||||
* metricbeat: package can be upgraded to latest (default: False)
|
* metricbeat: package can be upgraded to latest (default: False)
|
||||||
* nagios-nrpe: new script check_phpfpm_multi
|
* nagios-nrpe: new script check_phpfpm_multi
|
||||||
* nginx: add access to server status on default VHost
|
* nginx: add access to server status on default VHost
|
||||||
|
|
|
@ -18,6 +18,10 @@ haproxy_chroot: /var/lib/haproxy
|
||||||
|
|
||||||
haproxy_stats_access_ips: []
|
haproxy_stats_access_ips: []
|
||||||
haproxy_stats_admin_ips: []
|
haproxy_stats_admin_ips: []
|
||||||
|
haproxy_stats_users: []
|
||||||
|
## use crypt(8) password encryption
|
||||||
|
# haproxy_stats_users:
|
||||||
|
# - { login: "", password: "" }
|
||||||
haproxy_maintenance_ips: []
|
haproxy_maintenance_ips: []
|
||||||
haproxy_deny_ips: []
|
haproxy_deny_ips: []
|
||||||
|
|
||||||
|
|
|
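Review bot: The comment `## use crypt(8) password encryption` does not say what the `password` value must contain; the template on this page writes it after HAProxy's `password` keyword, which expects a crypt(3) hash rather than cleartext. I would reword it to `## password must be a crypt(3) hash (e.g. generated with "mkpasswd -m sha-512"), never a cleartext value`. It is also worth stating that `login` and `password` are written unquoted into the HAProxy configuration, so they must not contain whitespace or line breaks, and that real values belong in a vaulted variable file rather than in these defaults.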
@ -35,18 +35,34 @@ defaults
|
||||||
errorfile 504 /etc/haproxy/errors/504.http
|
errorfile 504 /etc/haproxy/errors/504.http
|
||||||
|
|
||||||
{% if haproxy_stats_enable %}
|
{% if haproxy_stats_enable %}
|
||||||
|
{% if haproxy_stats_users %}
|
||||||
|
userlist stats_users
|
||||||
|
{% for user in haproxy_stats_users | default([]) %}
|
||||||
|
user {{ user.login }} password {{ user.password }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
listen stats
|
listen stats
|
||||||
mode http
|
mode http
|
||||||
bind {{ haproxy_stats_bind_directive }}
|
bind {{ haproxy_stats_bind_directive }}
|
||||||
|
|
||||||
|
acl stats_access_ips src -f /etc/haproxy/stats_access_ips
|
||||||
|
acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
|
||||||
|
|
||||||
stats enable
|
stats enable
|
||||||
stats refresh 10s
|
stats refresh 10s
|
||||||
stats uri {{ haproxy_stats_path }}
|
stats uri {{ haproxy_stats_path }}
|
||||||
stats show-legends
|
stats show-legends
|
||||||
stats show-node
|
stats show-node
|
||||||
stats admin if { src -f /etc/haproxy/stats_admin_ips }
|
stats admin if stats_admin_ips
|
||||||
|
|
||||||
|
{% if haproxy_stats_users %}
|
||||||
|
acl stats_users http_auth(stats_users)
|
||||||
|
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
|
||||||
|
{% else %}
|
||||||
|
stats http-request deny if !stats_access_ips
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
http-request deny if !{ src -f /etc/haproxy/stats_access_ips }
|
|
||||||
http-request set-log-level silent
|
http-request set-log-level silent
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|
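Review bot: Once `haproxy_stats_users` is set, the `stats http-request auth` rule lets any source address attempt a login, but the unchanged `http-request set-log-level silent` line still silences every request in this listener, so failed authentications leave no log entry to alert on. I would keep the silence for allowlisted sources only: `http-request set-log-level silent if stats_access_ips`. Basic-auth credentials are sent with every request, so `haproxy_stats_bind_directive` should terminate TLS whenever users are configured; its value is not visible in this hunk. `stats admin` is still gated on `stats_admin_ips` alone, so a password login appears to grant read access only, which is worth confirming against the commit title.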