r/dch-proxy: Define sites declaratively

I've already made a couple of mistakes keeping the HTTP and HTTPS rules in sync. Let's define the sites declaratively and derive the HAProxy rules from the data, rather then manually type the rules.
2024-08-24 11:45:03 -05:00
parent 2a110d7aba
commit 85da487cb8
2 changed files with 124 additions and 81 deletions
--- a/roles/dch-proxy/templates/haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
@@ -1,102 +1,42 @@
-{% macro acls() +%}
-    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
-    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
-    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
+{% macro acls() %}
+acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
+acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
+acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
 {% endmacro %}

 frontend main
    bind :::80

-    {{ acls() }}
-
+    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist

-    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
-    use_backend web if { hdr(host) -i -m end chmod777.sh }
-    use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
-    use_backend web if { hdr(host) -i dustin.hatch.name }
-    use_backend web if { hdr(host) -i dustin.hatch.is }
-    use_backend web if { hdr(host) -i -m end ebonfire.com }
-    use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
-    use_backend web if { hdr(host) -i -m dom hlckc }
-    use_backend web if { hdr(host) -i -m dom hlcks }
-    use_backend web if { hdr(host) -i -m end nratonpass.com }
-    use_backend web if { hdr(host) -i pyrocufflink.net }
-    use_backend web if { hdr(host) -i -m end tabitha.biz }
-    use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
-    use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
+{% for site in dch_proxy_sites %}
+    use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
+{% endfor %}
    use_backend kubernetes if internal_net

-
 frontend main-tls
    bind :::443
    mode tcp
    option tcplog

-    {{ acls() }}
-
+    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
-    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
-    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
-    use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
-    use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
-    use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
-    use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
-    use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
-    use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
-    use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
-    use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
-    use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
-    use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
-    use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
-    use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
+{% for site in dch_proxy_sites %}
+    use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
+{% endfor %}
    use_backend kubernetes-tls if internal_net

+{% for name, backend in dch_proxy_backends.items() %}

-backend bitwarden
-    server bitwarden bitwarden.pyrocufflink.blue:80 check
-
-backend bitwarden-tls
-    mode tcp
-    server bitwarden bitwarden.pyrocufflink.blue:443 check
-
-
-backend gitea
-    server gitea git0.pyrocufflink.blue:80 check
-
-backend gitea-tls
-    mode tcp
-    server gitea git0.pyrocufflink.blue:443 check
-
-
-backend kubernetes
-    server k8s k8s-ingress.pyrocufflink.blue:80 check
-
-backend kubernetes-tls
-    mode tcp
-    server k8s k8s-ingress.pyrocufflink.blue:443 check
-
-
-backend nextcloud
-    server nextcloud cloud0.pyrocufflink.blue:80 check
-
-backend nextcloud-tls
-    mode tcp
-    server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
-
-
-backend web
-    server web0 web0.pyrocufflink.blue:80 check
-
-backend web-tls
-    mode tcp
-    server web web0.pyrocufflink.blue:443 check
+backend {{ name }}
+{% if backend.mode|d %}
+    mode {{ backend.mode }}
+{% endif %}
+{% for server in backend.servers %}
+    server {{ server.name }} {{ server.host }} {{ server.options }}
+{% endfor %}
+{% endfor %}