From 8a7939175ee812021b3c70504f0ddbf84bdc26cc Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 20 Nov 2024 13:05:36 +0100 Subject: [PATCH] HAPROXY listen on ipv4 only by default. --- defaults/main.yml | 2 ++ templates/haproxy.cfg.j2 | 42 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4406b9c..4227ccf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,6 +8,8 @@ docker_swarm_haproxy_accept_proxy: '{{ docker_swarm_haproxy_accept_proxy_var | b docker_swarm_haproxy_keepalive_installation: false docker_swarm_haproxy_swarm_port: '{{ docker_api_port }}' docker_swarm_haproxy_plain_http_api: true +docker_swarm_haproxy_ipv4_only: true +docker_swarm_haproxy_ipv6_only: false # docker_swarm_expose_api_via_haproxy: true docker_swarm_expose_api_hostname: 'swarm.example.com' diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 index e4cb26c..0e73e8e 100644 --- a/templates/haproxy.cfg.j2 +++ b/templates/haproxy.cfg.j2 @@ -54,7 +54,13 @@ peers mypeers peer local_haproxy 127.0.0.1:1024 listen stats +{% if docker_swarm_haproxy_ipv4_only %} + bind 0.0.0.0:{{ haproxy_admin_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 +{% elif docker_swarm_haproxy_ipv6_only %} + bind :::{{ haproxy_admin_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 +{% else %} bind *:{{ haproxy_admin_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 +{% endif %} mode http http-request use-service prometheus-exporter if { path /metrics } option httplog 
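Review bot: The two new defaults encode a three-way choice as independent booleans, and nothing rejects `docker_swarm_haproxy_ipv4_only: true` together with `docker_swarm_haproxy_ipv6_only: true`. Because the template tests `ipv4_only` first and it defaults to `true`, an operator who only sets `docker_swarm_haproxy_ipv6_only: true` in the inventory still gets every listener on `0.0.0.0`. At minimum add a comment above the pair, for example `# Mutually exclusive: ipv4_only is tested first, set it to false before enabling ipv6_only`. A single variable with three allowed values, or an assert task in the role, would remove the ambiguity.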
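Review bot: In HAProxy `*`, `0.0.0.0` and an empty address all mean "every IPv4 address", so the `{% else %}` branch of `listen stats` binds exactly what the `ipv4_only` branch does, and no setting remains that listens on both families. The `ipv6_only` branch has the opposite problem: `bind :::{{ haproxy_admin_port }}` without `v6only` also accepts IPv4 clients on hosts where the kernel's bindv6only default is off. The stats and metrics listener is then reachable over a family the flag name says is closed. I would write the IPv6 branch as `bind :::{{ haproxy_admin_port }} v6only ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1` and use `:::` with `v4v6` in the fallback. The same applies to the binds in `frontend http_…`, `frontend http` and `frontend docker_ft` in the later hunks.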
@@ -77,7 +83,13 @@ listen local_stats {% if docker_swarm_haproxy_plain_http_listener %} frontend http_{{ docker_swarm_haproxy_plain_http_port }} +{% if docker_swarm_haproxy_ipv4_only %} + bind 0.0.0.0:{{ docker_swarm_haproxy_plain_http_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} +{% elif docker_swarm_haproxy_ipv6_only %} + bind :::{{ docker_swarm_haproxy_plain_http_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} +{% else %} bind *:{{ docker_swarm_haproxy_plain_http_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} +{% endif %} mode http option http-keep-alive @@ -108,10 +120,22 @@ frontend http_{{ docker_swarm_haproxy_plain_http_port }} {% endif %} frontend http +{% if docker_swarm_haproxy_ipv4_only %} + bind 0.0.0.0:{{ https_port }} ssl crt {{ haproxy_cert_dir }}{% if docker_swarm_haproxy_http2_enabled %} alpn h2,http/1.1{% endif %}{% if docker_swarm_haproxy_accept_proxy %} accept-proxy{% endif %} + + bind 0.0.0.0:{{ haproxy_default_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} + +{% elif docker_swarm_haproxy_ipv6_only %} + bind :::{{ https_port }} ssl crt {{ haproxy_cert_dir }}{% if docker_swarm_haproxy_http2_enabled %} alpn h2,http/1.1{% endif %}{% if docker_swarm_haproxy_accept_proxy %} accept-proxy{% endif %} + + bind :::{{ haproxy_default_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} + +{% else %} bind *:{{ https_port }} ssl crt {{ haproxy_cert_dir }}{% if docker_swarm_haproxy_http2_enabled %} alpn h2,http/1.1{% endif %}{% if docker_swarm_haproxy_accept_proxy %} accept-proxy{% endif %} bind *:{{ haproxy_default_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %} +{% endif %} mode http option http-keep-alive option httplog 
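Review bot: The new `bind 0.0.0.0:{{ docker_swarm_haproxy_plain_http_port }}` line carries `accept-proxy` on a wildcard address, so any peer that can reach the port may supply its own PROXY header, and HAProxy will treat the address in it as the client source. Logs and any `src`-based ACL further down the frontend (outside this hunk) would then reflect a value chosen by the sender. If the upstream load balancers are known, consider dropping `accept-proxy` from the bind and using `tcp-request connection expect-proxy layer4 if { src <load-balancer-cidr> }` instead. Otherwise, document next to `docker_swarm_haproxy_accept_proxy` that the port must be firewalled to those balancers. The same option appears on the binds in `frontend http` and `frontend docker_ft`.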
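Review bot: Each `bind` in `frontend http` is now written three times, differing only in the address. A later change to the `ssl crt`, `alpn` or `accept-proxy` options must therefore be repeated in every branch, and a branch that loses `ssl` would go unnoticed. Computing the address once and keeping a single bind line per port avoids that drift and shortens the other three listeners the same way. `haproxy_bind_addr` below is a proposed template-local name, not an existing role variable.

```jinja
{# … unchanged: frontend http header … #}
{% if docker_swarm_haproxy_ipv4_only %}
{% set haproxy_bind_addr = '0.0.0.0' %}
{% elif docker_swarm_haproxy_ipv6_only %}
{% set haproxy_bind_addr = '::' %}
{% else %}
{% set haproxy_bind_addr = '*' %}
{% endif %}
    bind {{ haproxy_bind_addr }}:{{ https_port }} ssl crt {{ haproxy_cert_dir }}{% if docker_swarm_haproxy_http2_enabled %} alpn h2,http/1.1{% endif %}{% if docker_swarm_haproxy_accept_proxy %} accept-proxy{% endif %}
    bind {{ haproxy_bind_addr }}:{{ haproxy_default_port }} {% if docker_swarm_haproxy_accept_proxy %}accept-proxy{% endif %}
{# … unchanged: mode http and options … #}
```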
@@ -154,12 +178,26 @@ frontend http {% if docker_swarm_expose_api_via_haproxy %} frontend docker_ft +{% if docker_swarm_haproxy_ipv4_only %} {% if docker_swarm_haproxy_plain_http_api %} - bind :{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} + bind 0.0.0.0:{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} {% else %} - bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} + bind 0.0.0.0:{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} {% endif %} +{% elif docker_swarm_haproxy_ipv6_only %} +{% if docker_swarm_haproxy_plain_http_api %} + bind :::{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} +{% else %} + bind :::{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} +{% endif %} +{% else %} +{% if docker_swarm_haproxy_plain_http_api %} + bind *:{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} +{% else %} + bind *:{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_accept_proxy and docker_swarm_api_accept_proxy %}accept-proxy{% endif %} +{% endif %} +{% endif %} mode {{ docker_swarm_api_haproxy_mode }} acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
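Review bot: With the role default `docker_swarm_haproxy_plain_http_api: true`, the first branch of `frontend docker_ft` renders `bind 0.0.0.0:{{ docker_swarm_haproxy_swarm_port }}` without `ssl`, publishing the Docker API in clear text on every IPv4 address of the host. The only gate visible after the bind is `acl swarm_api hdr_dom(host) -i …`, which matches a client-supplied Host header and is not authentication. The rest of the frontend lies outside this hunk, so a further check may exist there. Since this commit already rewrites these binds, I would flip the default to `docker_swarm_haproxy_plain_http_api: false` so that the `ssl crt {{ haproxy_cert_dir }}` branch is what a fresh install gets. A comment on `docker_swarm_expose_api_via_haproxy` should also state that the API port needs to be restricted to management networks.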