r/dch-proxy: Define sites declaratively

I've already made a couple of mistakes keeping the HTTP and HTTPS rules in sync. Let's define the sites declaratively and derive the HAProxy rules from the data, rather then manually type the rules.
2024-08-24 11:45:03 -05:00
parent 2a110d7aba
commit 85da487cb8
2 changed files with 124 additions and 81 deletions
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -11,3 +11,106 @@ dch_proxy_blocklist:
 - 172.30.0.224/29
 - 172.30.0.232/29
 - 172.30.0.240/28
 dch_proxy_sites:
 - backend: gitea
  match: git.pyrocufflink
  matcher: dom
 - backend: bitwarden
  match: bitwarden.pyrocufflink
  matcher: dom
 - backend: nextcloud
  match: nextcloud.pyrocufflink.net
 - backend: kubernetes
  match: billing.hatchlearningcenter.org
 - backend: web
  match: chmod777.sh
  matcher: end
 - backend: web
  match: dustinandtabitha.com
  matcher: end
 - backend: web
  match: dustin.hatch.name
 - backend: web
  match: dustin.hatch.is
 - backend: web
  match: ebonfire.com
  matcher: end
 - backend: web
  match: hatchlearningcenter hlckc hlcks
  matcher: dom
 - backend: web
  match: nratonpass.com
  matcher: end
 - backend: web
  match: pyrocufflink.net
 - backend: web
  match: tabitha.biz
  matcher: end
 - backend: kubernetes
  match: ntfy.pyrocufflink.net
 - backend: kubernetes
  match: darkchestofwonders.us
 dch_proxy_backends:
  bitwarden:
    servers:
    - name: bitwarden
      host: 'bitwarden.pyrocufflink.blue:80'
      options: check
  bitwarden-tls:
    mode: tcp
    servers:
    - name: bitwarden
      host: 'bitwarden.pyrocufflink.blue:443'
      options: check
  gitea:
    servers:
    - name: gitea
      host: 'git0.pyrocufflink.blue:80'
      options: check
  gitea-tls:
    mode: tcp
    servers:
    - name: gitea
      host: 'git0.pyrocufflink.blue:443'
      options: check
  kubernetes:
    servers:
    - name: k8s
      host: 'k8s-ingress.pyrocufflink.blue:80'
      options: check
  kubernetes-tls:
    mode: tcp
    servers:
    - name: k8s
      host: 'k8s-ingress.pyrocufflink.blue:443'
      options: check
  nextcloud:
    servers:
    - name: nextcloud
      host: 'cloud0.pyrocufflink.blue:80'
      options: check
  nextcloud-tls:
    mode: tcp
    servers:
    - name: nextcloud
      # NOTE: NOT the default HTTPS port, but a different virtual host that
      # accepts the PROXY protocol
      host: 'cloud0.pyrocufflink.blue:8443'
      options: check send-proxy-v2
  web:
    servers:
    - name: web0
      host: 'web0.pyrocufflink.blue:80'
      options: check
  web-tls:
    mode: tcp
    servers:
    - name: web0
      host: 'web0.pyrocufflink.blue:443'
      options: check
--- a/roles/dch-proxy/templates/haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
@@ -1,102 +1,42 @@
-{% macro acls() +%}
+{% macro acls() %}
-    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
+acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
-    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
+acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
-    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
+acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
 {% endmacro %}
 frontend main
    bind :::80
-    {{ acls() }}
+    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.blue }
+{% for site in dch_proxy_sites %}
-    use_backend gitea if { hdr(host) -i git.pyrocufflink.net }
+    use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
-    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.blue }
+{% endfor %}
    use_backend bitwarden if { hdr(host) -i bitwarden.pyrocufflink.net }
    use_backend nextcloud if { hdr(host) -i nextcloud.pyrocufflink.net }
    use_backend web if { hdr(host) -i -m end chmod777.sh }
    use_backend web if { hdr(host) -i -m end dustinandtabitha.com }
    use_backend web if { hdr(host) -i dustin.hatch.name }
    use_backend web if { hdr(host) -i dustin.hatch.is }
    use_backend web if { hdr(host) -i -m end ebonfire.com }
    use_backend web if { hdr(host) -i -m dom hatchlearningcenter }
    use_backend web if { hdr(host) -i -m dom hlckc }
    use_backend web if { hdr(host) -i -m dom hlcks }
    use_backend web if { hdr(host) -i -m end nratonpass.com }
    use_backend web if { hdr(host) -i pyrocufflink.net }
    use_backend web if { hdr(host) -i -m end tabitha.biz }
    use_backend kubernetes if { hdr(host) -i ntfy.pyrocufflink.net }
    use_backend kubernetes if { hdr(host) -i darkchestofwonders.us }
    use_backend kubernetes if internal_net
 frontend main-tls
    bind :::443
    mode tcp
    option tcplog
-    {{ acls() }}
+    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.blue }
+{% for site in dch_proxy_sites %}
-    use_backend gitea-tls if { req.ssl_sni -i git.pyrocufflink.net }
+    use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
-    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.blue }
+{% endfor %}
    use_backend bitwarden-tls if { req.ssl_sni -i bitwarden.pyrocufflink.net }
    use_backend nextcloud-tls if { req.ssl_sni -i nextcloud.pyrocufflink.net }
    use_backend web-tls if { req.ssl_sni -i -m end chmod777.sh }
    use_backend web-tls if { req.ssl_sni -i dustin.hatch.name }
    use_backend web-tls if { req.ssl_sni -i dustin.hatch.is }
    use_backend web-tls if { req.ssl_sni -i -m end ebonfire.com }
    use_backend web-tls if { req.ssl_sni -i -m dom hatchlearningcenter }
    use_backend web-tls if { req.ssl_sni -i -m dom hlckc }
    use_backend web-tls if { req.ssl_sni -i -m dom hlcks }
    use_backend web-tls if { req.ssl_sni -i pyrocufflink.net }
    use_backend web-tls if { req.ssl_sni -i -m end tabitha.biz }
    use_backend kubernetes-tls if { req.ssl_sni -i ntfy.pyrocufflink.net }
    use_backend kubernetes-tls if { req.ssl_sni -i darkchestofwonders.us }
    use_backend kubernetes-tls if internal_net
 {% for name, backend in dch_proxy_backends.items() %}
-backend bitwarden
+backend {{ name }}
-    server bitwarden bitwarden.pyrocufflink.blue:80 check
+{% if backend.mode|d %}
-
+    mode {{ backend.mode }}
-backend bitwarden-tls
+{% endif %}
-    mode tcp
+{% for server in backend.servers %}
-    server bitwarden bitwarden.pyrocufflink.blue:443 check
+    server {{ server.name }} {{ server.host }} {{ server.options }}
-
+{% endfor %}
-
+{% endfor %}
 backend gitea
    server gitea git0.pyrocufflink.blue:80 check
 backend gitea-tls
    mode tcp
    server gitea git0.pyrocufflink.blue:443 check
 backend kubernetes
    server k8s k8s-ingress.pyrocufflink.blue:80 check
 backend kubernetes-tls
    mode tcp
    server k8s k8s-ingress.pyrocufflink.blue:443 check
 backend nextcloud
    server nextcloud cloud0.pyrocufflink.blue:80 check
 backend nextcloud-tls
    mode tcp
    server nextcloud cloud0.pyrocufflink.blue:8443 check send-proxy-v2
 backend web
    server web0 web0.pyrocufflink.blue:80 check
 backend web-tls
    mode tcp
    server web web0.pyrocufflink.blue:443 check