ACL for the haproxy entry points

This commit is contained in:
Andrea Dell'Amico 2020-10-01 15:42:47 +02:00
parent d34b9f512f
commit 88ad67058d
2 changed files with 10 additions and 1 deletions

View File

@ -7,6 +7,8 @@ docker_swarm_haproxy_networks:
# #
docker_swarm_expose_api_via_haproxy: True docker_swarm_expose_api_via_haproxy: True
docker_swarm_expose_api_hostname: 'swarm.example.com' docker_swarm_expose_api_hostname: 'swarm.example.com'
docker_swarm_api_networks_acl:
- '127.0.0.1/8'
# Portainer # Portainer
docker_swarm_cluster_portainer_install: True docker_swarm_cluster_portainer_install: True
docker_swarm_portainer_hostname: 'portainer-swarm.example.com' docker_swarm_portainer_hostname: 'portainer-swarm.example.com'
@ -17,8 +19,9 @@ docker_swarm_portainer_network: 'agent_network'
docker_swarm_portainer_http_port: '9000' docker_swarm_portainer_http_port: '9000'
docker_swarm_portainer_service_port: '8000' docker_swarm_portainer_service_port: '8000'
# The allowed_networks parameter is optional
docker_swarm_haproxy_additional_services: [] docker_swarm_haproxy_additional_services: []
# - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network' } # - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network', allowed_networks: '192.168.1.0/24 192.168.2.0/24' }
docker_swarm_keepalived_vrouter_id: 205 docker_swarm_keepalived_vrouter_id: 205
docker_swarm_keepalived_floating_ip: '127.0.0.1/8' docker_swarm_keepalived_floating_ip: '127.0.0.1/8'

View File

@ -82,10 +82,16 @@ frontend http
{% endif %} {% endif %}
{% if docker_swarm_expose_api_via_haproxy %} {% if docker_swarm_expose_api_via_haproxy %}
acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }} acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
http-request deny if swarm_api !swarm_api_allowed_nets
use_backend swarm_api_bck if swarm_api use_backend swarm_api_bck if swarm_api
{% endif %} {% endif %}
{% for srv in docker_swarm_haproxy_additional_services %} {% for srv in docker_swarm_haproxy_additional_services %}
acl {{ srv.acl_name }} {{ srv.acl_rule }} acl {{ srv.acl_name }} {{ srv.acl_rule }}
{% if srv.allowed_networks is defined %}
acl {{ srv.acl_name }}_nets src {% for net in srv.allowed_networks %} {{ net }}{% endfor %}
http-request deny if {{ srv.acl_name }} !{{ srv.acl_name }}_nets
{% endif %}
use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }} use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
{% endfor %} {% endfor %}