I've already made a couple of mistakes keeping the HTTP and HTTPS rules in sync. Let's define the sites declaratively and derive the HAProxy rules from the data, rather than manually typing the rules.
{% macro acls() %}
|
|
acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
|
|
acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
|
|
acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
|
|
{% endmacro %}
|
|
|
|
frontend main
|
|
bind :::80
|
|
|
|
{{ acls() | indent(4) }}
|
|
tcp-request connection reject if blocklist !allowlist
|
|
|
|
{% for site in dch_proxy_sites %}
|
|
use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
|
|
{% endfor %}
|
|
use_backend kubernetes if internal_net
|
|
|
|
frontend main-tls
|
|
bind :::443
|
|
mode tcp
|
|
option tcplog
|
|
|
|
{{ acls() | indent(4) }}
|
|
tcp-request connection reject if blocklist !allowlist
|
|
tcp-request inspect-delay 5s
|
|
tcp-request content accept if { req.ssl_hello_type 1 }
|
|
|
|
{% for site in dch_proxy_sites %}
|
|
use_backend {{ site.backend }}-tls if { req.ssl_sni -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
|
|
{% endfor %}
|
|
use_backend kubernetes-tls if internal_net
|
|
|
|
{% for name, backend in dch_proxy_backends.items() %}
|
|
|
|
backend {{ name }}
|
|
{% if backend.mode|d %}
|
|
mode {{ backend.mode }}
|
|
{% endif %}
|
|
{% for server in backend.servers %}
|
|
server {{ server.name }} {{ server.host }} {{ server.options }}
|
|
{% endfor %}
|
|
{% endfor %}
|
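Review bot: The `acls()` macro renders `acl allowlist src` and `acl blocklist src` with no pattern when the corresponding list variable is empty, and an empty allowlist is the normal starting state; as far as I recall HAProxy refuses a `src` ACL with no patterns at config-check time, and at best such an ACL can never match, so the reject rule in both frontends cannot express "no allowlist" or "no blocklist" as written. The same applies to `internal_net` when `dch_proxy_internal_networks` is empty. Guarding each ACL and moving the `tcp-request connection reject` line into a second macro keeps the two frontends derived from the same data, which is the aim of the commit; the rewrite below assumes the macro bodies are indented the way the `indent(4)` filter expects. Separately, `site.match` and `site.matcher` are written unquoted into the `use_backend` ACL in both frontends, so a value containing whitespace or `}` breaks the line and a broad `-m` method widens what a client-chosen Host or SNI value can match; a short `{# … #}` header stating the expected fields of `dch_proxy_sites`/`dch_proxy_backends` and the accepted `matcher` values would make the contract visible to whoever edits the data.
```jinja
{% macro acls() %}
{% if dch_proxy_internal_networks %}
    acl internal_net src {{ dch_proxy_internal_networks|join(' ') }}
{% endif %}
{% if dch_proxy_allowlist %}
    acl allowlist src {{ dch_proxy_allowlist|join(' ') }}
{% endif %}
{% if dch_proxy_blocklist %}
    acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
{% endif %}
{% endmacro %}

{% macro reject_blocked() %}
{% if dch_proxy_blocklist and dch_proxy_allowlist %}
    tcp-request connection reject if blocklist !allowlist
{% elif dch_proxy_blocklist %}
    tcp-request connection reject if blocklist
{% endif %}
{% endmacro %}

{# … unchanged: frontend main / frontend main-tls, each now using
   {{ acls() | indent(4) }} followed by {{ reject_blocked() | indent(4) }}
   in place of the literal reject line … #}
```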