ACL for the haproxy entry points

defaults/main.yml

@@ -7,6 +7,8 @@ docker_swarm_haproxy_networks:
 #
 docker_swarm_expose_api_via_haproxy: True
 docker_swarm_expose_api_hostname: 'swarm.example.com'
+docker_swarm_api_networks_acl:
+  - '127.0.0.1/8'
 # Portainer
 docker_swarm_cluster_portainer_install: True
 docker_swarm_portainer_hostname: 'portainer-swarm.example.com'
@@ -17,8 +19,9 @@ docker_swarm_portainer_network: 'agent_network'
 docker_swarm_portainer_http_port: '9000'
 docker_swarm_portainer_service_port: '8000'
 
+# The allowed_networks parameter is optional
 docker_swarm_haproxy_additional_services: []
-#  - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network' }
+#  - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network', allowed_networks: '192.168.1.0/24 192.168.2.0/24' }
 
 docker_swarm_keepalived_vrouter_id: 205
 docker_swarm_keepalived_floating_ip: '127.0.0.1/8'

templates/haproxy.cfg.j2

@@ -82,10 +82,16 @@ frontend http
 {% endif %}
 {% if docker_swarm_expose_api_via_haproxy %}
     acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
+    acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
+    http-request deny if swarm_api !swarm_api_allowed_nets
     use_backend swarm_api_bck if swarm_api
 {% endif %}
 {% for srv in docker_swarm_haproxy_additional_services %}
     acl {{ srv.acl_name }} {{ srv.acl_rule }}
+{% if srv.allowed_networks is defined %}
+    acl {{ srv.acl_name }}_nets src {% for net in srv.allowed_networks %} {{ net }}{% endfor %}
+    http-request deny if {{ srv.acl_name }} !{{ srv.acl_name }}_nets
+{% endif %}
     use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
 {% endfor %}