From 3f73df2bd682e7922a91b774210532241acdc18e Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 1 Oct 2020 18:28:54 +0200
Subject: [PATCH] Do not create the portainer network. Fix the haproxy configuration

---
 defaults/main.yml | 1 +
 tasks/haproxy_networks.yml | 14 +++++++++++---
 templates/haproxy.cfg.j2 | 9 +++++++--
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 44b6f6f..4be05b2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,7 @@ docker_swarm_cluster_haproxy_install: True
 docker_swarm_haproxy_installation_type: 'keepalive'
 docker_swarm_haproxy_networks:
 - 'portainer_{{ docker_swarm_portainer_network }}'
+docker_swarm_haproxy_additional_networks: []
 #
 docker_swarm_expose_api_via_haproxy: True
 docker_swarm_expose_api_hostname: 'swarm.example.com'
diff --git a/tasks/haproxy_networks.yml b/tasks/haproxy_networks.yml
index 817ffd1..6fafd80 100644
--- a/tasks/haproxy_networks.yml
+++ b/tasks/haproxy_networks.yml
@@ -1,12 +1,12 @@
 ---
-- name: Create the networks that haproxy will attach to
+- name: Create the networks that haproxy will attach to and that are not created by the services
 block:
- - name: Create the overlay networks
+ - name: Create the overlay networks that are not created by the services
 docker_network:
 name: '{{ item }}'
 driver: overlay
 scope: swarm
- with_items: '{{ docker_swarm_haproxy_networks }}'
+ with_items: '{{ docker_swarm_haproxy_additional_networks }}'

 # - name: Connect haproxy to the overlay networks
 # docker_network:
@@ -16,5 +16,13 @@
 # appends: yes
 # with_items: '{{ docker_swarm_haproxy_networks }}'

+# - name: Connect haproxy to the overlay additional networks
+# docker_network:
+# name: '{{ item }}'
+# connected:
+# - 'haproxy_haproxy'
+# appends: yes
+# with_items: '{{ docker_swarm_haproxy_additional_networks }}'
+
 when: docker_swarm_manager_main_node | bool
 tags: [ 'haproxy', 'docker_haproxy', 'docker_swarm', 'docker', 'docker_network' ]
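Review bot: The new `docker_swarm_haproxy_additional_networks: []` default carries no comment explaining how it differs from `docker_swarm_haproxy_networks` directly above it, although the two now play different roles: only the additional list feeds the `docker_network` creation task in tasks/haproxy_networks.yml, and the only remaining reference to `docker_swarm_haproxy_networks` in this patch is inside a commented-out task. A one-line comment above the new key such as `# Overlay networks haproxy must join that no swarm service creates; the role creates them on the main manager node` would capture that. It is worth confirming whether anything outside this patch still consumes `docker_swarm_haproxy_networks`; if nothing does, the variable is dead and should be dropped or documented as such.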
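Review bot: The second hunk of tasks/haproxy_networks.yml adds another commented-out task (`Connect haproxy to the overlay additional networks`) next to the one that was already commented out, so the file now carries two disabled task bodies that will drift from the real `docker_network` module syntax. If attaching haproxy to these networks is intentionally left to the haproxy stack definition, a single comment stating that, e.g. `# haproxy is attached to these networks by its stack definition, not by this role`, documents the decision better than disabled code, and the history keeps the original text. Should the task ever be revived, the truthy `appends: yes` should become `appends: true`.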
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 5fca054..d32bb94 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -83,6 +83,7 @@ frontend http
 {% if docker_swarm_expose_api_via_haproxy %}
 acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
 acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
+ http-request deny if swarm_api !swarm_api_allowed_nets
 use_backend swarm_api_bck if swarm_api
 {% endif %}

@@ -90,6 +91,7 @@ frontend http
 acl {{ srv.acl_name }} {{ srv.acl_rule }}
 {% if srv.allowed_networks is defined %}
 acl {{ srv.acl_name }}_nets src {% for net in srv.allowed_networks %} {{ net }}{% endfor %}
+ http-request deny if {{ srv.acl_name }} !{{ srv.acl_name }}_nets
 {% endif %}
 use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}

@@ -108,14 +110,17 @@ backend swarm_api_bck

 {% if docker_swarm_cluster_portainer_install %}
 backend portainer_bck
- option httpchk GET / HTTP/1.1\r\nHost:\ localhost
+ option httpchk
+ http-check send meth HEAD uri / ver HTTP/1.1 hdr Host localhost
 http-check expect rstatus (2|3)[0-9][0-9]
 balance roundrobin
 server-template portainer- 1 portainer:{{ docker_swarm_portainer_http_port }} check resolvers docker init-addr libc,none
 {% endif %}

 {% for srv in docker_swarm_haproxy_additional_services %}
- option httpchk GET / HTTP/1.1\r\nHost:\ localhost
+backend {{ srv.acl_name }}_bck
+ option httpchk
+ http-check send meth HEAD uri / ver HTTP/1.1 hdr Host localhost
 http-check expect rstatus (2|3)[0-9][0-9]
 balance roundrobin
 server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.service_name }}:{{ srv.service_port }} check resolvers docker init-addr libc,none
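Review bot: The new `http-request deny if swarm_api !swarm_api_allowed_nets` is the first place in this hunk where `swarm_api_allowed_nets` is actually enforced; as far as the hunk shows, `use_backend swarm_api_bck if swarm_api` previously routed any client presenting the API hostname to the Docker API backend, so the allow-list ACL was defined but never applied. A comment above the new line, e.g. `# reject Docker API requests from any source not listed in docker_swarm_api_networks_acl before routing`, would make the intent explicit. One caveat the template cannot resolve on its own: a `src` match only helps if haproxy sees the real client address, and when haproxy runs as a swarm service behind the ingress routing mesh the observed source can be the ingress/SNAT address rather than the caller's, which would make the allow-list either block everyone or match the wrong range; how haproxy is published lives outside this patch and should be confirmed. The same caveat applies to the per-service rule added in the next hunk (`@@ -90,6 +91,7 @@`).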
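Review bot: In the `@@ -90,6 +91,7 @@` hunk, `allowed_networks` is optional: when a service entry omits it, the `{% if srv.allowed_networks is defined %}` guard skips both the `_nets` ACL and the new deny rule, and `use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}` exposes the service to every source. That is presumably the intended opt-in semantics, but nothing in the template says so; a Jinja comment above the guard such as `{# allowed_networks is optional: without it no source restriction is applied to this service #}` would document it. The enclosing `{% for srv ... %}` loop starts outside the hunk.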
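Review bot: In the `@@ -108,14 +110,17 @@` hunk, `http-check send meth HEAD uri / ver HTTP/1.1 hdr Host localhost` is a directive that only exists in HAProxy 2.2 and later, whereas the replaced `option httpchk GET / HTTP/1.1\r\nHost:\ localhost` form was accepted by older releases, so the hunk silently raises the minimum haproxy version the role supports. Nothing in the patch records that requirement; a template comment next to the first use, e.g. `{# http-check send requires HAProxy >= 2.2 #}`, or a note in the role's README would save the next person from a config-check failure on an older image, and which image tag the role deploys is outside this patch. The health-check stanza is now repeated verbatim for `portainer_bck` and for every `{{ srv.acl_name }}_bck`; a small Jinja macro would keep the two copies from drifting apart, but that is a style choice.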