Merge pull request 'feat: haproxy updates' (#95) from neoloc/haproxy_backend_httpchk into develop

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/95

hieradata/country/au/region/syd1/infra/halb/haproxy.yaml

@@ -33,6 +33,11 @@ profiles::haproxy::frontends:
     options:
       acl:
         - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
+        - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
+        - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
+        - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
+        - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
+        - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
         - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
       use_backend:
         - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -40,6 +45,11 @@ profiles::haproxy::frontends:
         - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
       http-response:
         - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
+        - 'set-header X-Frame-Options DENY if acl_sonarr'
+        - 'set-header X-Frame-Options DENY if acl_radarr'
+        - 'set-header X-Frame-Options DENY if acl_lidarr'
+        - 'set-header X-Frame-Options DENY if acl_readarr'
+        - 'set-header X-Frame-Options DENY if acl_prowlarr'
         - 'set-header X-Content-Type-Options nosniff'
         - 'set-header X-XSS-Protection 1;mode=block'
 
@@ -81,7 +91,7 @@ profiles::haproxy::backends:
     options:
       balance: roundrobin
       option:
-        - httpchk GET /
+        - httpchk GET /consul/health
         - forwardfor
         - http-keep-alive
         - prefer-last-server
@@ -97,7 +107,7 @@ profiles::haproxy::backends:
     options:
       balance: roundrobin
       option:
-        - httpchk GET /
+        - httpchk GET /consul/health
         - forwardfor
         - http-keep-alive
         - prefer-last-server
@@ -113,7 +123,7 @@ profiles::haproxy::backends:
     options:
       balance: roundrobin
       option:
-        - httpchk GET /
+        - httpchk GET /consul/health
         - forwardfor
         - http-keep-alive
         - prefer-last-server
@@ -129,7 +139,7 @@ profiles::haproxy::backends:
     options:
       balance: roundrobin
       option:
-        - httpchk GET /
+        - httpchk GET /consul/health
         - forwardfor
         - http-keep-alive
         - prefer-last-server
@@ -145,7 +155,7 @@ profiles::haproxy::backends:
     options:
       balance: roundrobin
       option:
-        - httpchk GET /
+        - httpchk GET /consul/health
         - forwardfor
         - http-keep-alive
         - prefer-last-server

hieradata/roles/apps/media.yaml

@@ -50,8 +50,8 @@ profiles::nginx::simpleproxy::locations:
     proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
     location_cfg_append:
       proxy_pass_request_body: 'off'
-  # health checks by consul
-  arrstack_web_consul:
+  # health checks by consul/haproxy
+  arrstack_web_healthcheck:
     ensure: 'present'
     server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
     ssl_only: true
@@ -69,6 +69,8 @@ profiles::nginx::simpleproxy::locations:
     location_allow:
       - 127.0.0.1
       - "%{facts.networking.ip}"
+      - 198.18.13.25
+      - 198.18.13.26
     location_deny:
       - all
   # authorised access from external