feat: haproxy updates
- add acls for all backends - harden security of backends - update http-check for all backends
@@ -33,6 +33,11 @@ profiles::haproxy::frontends:
|
||||
options:
|
||||
acl:
|
||||
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
|
||||
- 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
|
||||
- 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
|
||||
- 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
|
||||
- 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
|
||||
- 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
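Review bot: The `acl_sonarr` through `acl_prowlarr` entries compare `req.hdr(host)` against a value beginning with `https://`, but a Host header carries only the hostname and optionally a port, never the scheme, so these ACLs will not match real requests. The `X-Frame-Options DENY` rules keyed on them in the next hunk would then never be applied. Use the bare hostname, e.g. `- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'`, which is how the `deny` rule in the next hunk already matches `au-syd1-pve.main.unkin.net`; `acl_ausyd1pve` has the same form and needs the same change. The frontend definition these options belong to starts outside the hunk.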
@@ -40,6 +45,11 @@ profiles::haproxy::frontends:
|
||||
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
|
||||
http-response:
|
||||
- 'set-header X-Frame-Options DENY if acl_ausyd1pve'
|
||||
- 'set-header X-Frame-Options DENY if acl_sonarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_radarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_lidarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_readarr'
|
||||
- 'set-header X-Frame-Options DENY if acl_prowlarr'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
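Review bot: The `set-header X-Frame-Options DENY if acl_…` lines repeat one rule per host, so any host later routed through `fe_https.map` is served without the header until someone adds a matching ACL and header line for it. If no site behind this frontend needs to be framed (not visible from this hunk), a single unconditional `- 'set-header X-Frame-Options DENY'` beside the `nosniff` line covers every host, including those falling through to `be_default`. Separately, `X-XSS-Protection 1;mode=block` is ignored by current browsers and is normally superseded by a Content-Security-Policy; it looks like a pre-existing line, so that is a follow-up rather than part of this change.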
@@ -81,7 +91,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
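Review bot: `httpchk GET /consul/health` is listed with no `http-check expect` rule, and HAProxy by default counts any 2xx or 3xx response as healthy, so a backend that answers this path with a redirect (for example to a login page) would still be marked up. The page does not mark which of the two `httpchk` lines is the added one; assuming it is `/consul/health`, add an `http-check expect status 200` directive to the backend options so only a real success passes. It is also worth confirming that each application actually serves `/consul/health`, since the path name suggests it was written for a different service. The same applies to the hunks at -97, -113, -129 and -145; the backend names these options belong to are outside each hunk.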
@@ -97,7 +107,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -113,7 +123,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -129,7 +139,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
@@ -145,7 +155,7 @@ profiles::haproxy::backends:
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- httpchk GET /consul/health
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
|
||||