From 991c8a302939cf81d3a5d6c732bf48c236cf6f9f Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 7 Jul 2024 16:51:36 +1000
Subject: [PATCH] feat: haproxy updates - add acls for all backends - harden security of backends - update http-check for all backends
---
 .../au/region/syd1/infra/halb/haproxy.yaml | 20 ++++++++++++++-----
 hieradata/roles/apps/media.yaml | 6 ++++--
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
index 525c371..c6e3cd1 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@@ -33,6 +33,11 @@ profiles::haproxy::frontends:
 options:
 acl:
 - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
+ - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
+ - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
+ - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
+ - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
+ - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
 - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
 use_backend:
 - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -40,6 +45,11 @@ profiles::haproxy::frontends:
 - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
 http-response:
 - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
+ - 'set-header X-Frame-Options DENY if acl_sonarr'
+ - 'set-header X-Frame-Options DENY if acl_radarr'
+ - 'set-header X-Frame-Options DENY if acl_lidarr'
+ - 'set-header X-Frame-Options DENY if acl_readarr'
+ - 'set-header X-Frame-Options DENY if acl_prowlarr'
 - 'set-header X-Content-Type-Options nosniff'
 - 'set-header X-XSS-Protection 1;mode=block'
 
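Review bot: The five new host ACLs compare `req.hdr(host)` against a value that carries a URL scheme, e.g. `https://sonarr.main.unkin.net`, but a Host header never contains `https://`, so none of these ACLs (nor the pre-existing `acl_ausyd1pve` one) can match, and the `X-Frame-Options DENY` rules keyed on them in the next hunk will never fire. The `deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net }` rule further down already shows the working form; the new lines should read `acl_sonarr req.hdr(host) -i sonarr.main.unkin.net` (likewise for radarr, lidarr, readarr and prowlarr). Because these ACLs are evaluated from `http-response`, it is also worth confirming this HAProxy build can read request headers at that point; older releases warn that such an ACL will never match, in which case capturing the host with `http-request set-var(txn.host) req.hdr(host),lower` and testing `var(txn.host)` is the usual form. If the *arr services are meant to be reachable only from the internal subnets, as the PVE host is, no corresponding `deny … !acl_internalsubnets` rule was added for them.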
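Review bot: The five added `set-header X-Frame-Options DENY` lines differ only in the ACL they test, so the frontend grows by two lines for every backend; a single ACL with several patterns, `acl_arrstack req.hdr(host) -i sonarr.main.unkin.net radarr.main.unkin.net lidarr.main.unkin.net readarr.main.unkin.net prowlarr.main.unkin.net`, and one rule `set-header X-Frame-Options DENY if acl_arrstack` express the same policy. If every vhost behind this frontend is meant to refuse framing, the condition can be dropped altogether. Unlike the other response headers in this list, `X-Frame-Options` is only set for the hosts named, and a comment above the rules stating why this header is conditional would help the next maintainer.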
@@ -81,7 +91,7 @@ profiles::haproxy::backends:
 options:
 balance: roundrobin
 option:
- - httpchk GET /
+ - httpchk GET /consul/health
 - forwardfor
 - http-keep-alive
 - prefer-last-server
@@ -97,7 +107,7 @@ profiles::haproxy::backends:
 options:
 balance: roundrobin
 option:
- - httpchk GET /
+ - httpchk GET /consul/health
 - forwardfor
 - http-keep-alive
 - prefer-last-server
@@ -113,7 +123,7 @@ profiles::haproxy::backends:
 options:
 balance: roundrobin
 option:
- - httpchk GET /
+ - httpchk GET /consul/health
 - forwardfor
 - http-keep-alive
 - prefer-last-server
@@ -129,7 +139,7 @@ profiles::haproxy::backends:
 options:
 balance: roundrobin
 option:
- - httpchk GET /
+ - httpchk GET /consul/health
 - forwardfor
 - http-keep-alive
 - prefer-last-server
@@ -145,7 +155,7 @@ profiles::haproxy::backends:
 options:
 balance: roundrobin
 option:
- - httpchk GET /
+ - httpchk GET /consul/health
 - forwardfor
 - http-keep-alive
 - prefer-last-server
diff --git a/hieradata/roles/apps/media.yaml b/hieradata/roles/apps/media.yaml
index bfebf08..a46745d 100644
--- a/hieradata/roles/apps/media.yaml
+++ b/hieradata/roles/apps/media.yaml
@@ -50,8 +50,8 @@ profiles::nginx::simpleproxy::locations:
 proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
 location_cfg_append:
 proxy_pass_request_body: 'off'
- # health checks by consul
- arrstack_web_consul:
+ # health checks by consul/haproxy
+ arrstack_web_healthcheck:
 ensure: 'present'
 server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
 ssl_only: true
@@ -69,6 +69,8 @@ profiles::nginx::simpleproxy::locations:
 location_allow:
 - 127.0.0.1
 - "%{facts.networking.ip}"
+ - 198.18.13.25
+ - 198.18.13.26
 location_deny:
 - all
 # authorised access from external
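Review bot: `httpchk GET /consul/health` sends an HTTP/1.0 request with no Host header, but the location it now targets is defined in the media.yaml hunk of this same commit under a specific `server:` vhost with `ssl_only: true`, so the probe is likely to land on nginx's default server rather than the intended location; the same applies to the four identical hunks at old lines 97, 113, 129 and 145. On HAProxy 2.2 or later the check should carry the vhost and an expected status, i.e. `option httpchk` plus `http-check send meth GET uri /consul/health ver HTTP/1.1 hdr Host <nginx vhost>` and `http-check expect status 200`; on older builds the legacy form `httpchk GET /consul/health HTTP/1.1\r\nHost:\ <nginx vhost>` does the same. The server lines that decide whether the probe itself is made over TLS (`check-ssl`) are outside these hunks, so I can't tell whether the `ssl_only` location is reachable by it at all. A one-line comment on the `option:` list naming the nginx location it depends on would tie the two files together for the next reader.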
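Review bot: The two addresses added to `location_allow` for the health-check location are bare literals with nothing saying what they are; presumably the HAProxy nodes in syd1, but the next person editing the list can't tell from here. A comment above them, `# haproxy (halb) nodes that probe /consul/health`, or a hiera lookup of the load-balancer addresses in place of the literals, would keep this allow list and the HAProxy config from drifting apart when a node is added or renumbered. Since the location is followed by `location_deny: - all`, this list is the only thing gating the probe path, so keeping it accurate and explained matters.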