From e89461eaf399d3e834996e8e75929d2d574b804f Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 7 Oct 2020 18:36:28 +0200
Subject: [PATCH] Dedicated port for the docker api

---
defaults/main.yml | 2 ++
templates/haproxy.cfg.j2 | 51 +++++++++++++++++++++++++++++++---------
2 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 61dc8b0..f4ee7db 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,8 @@ docker_swarm_cluster_haproxy_install: True
 docker_swarm_haproxy_installation_type: 'global'
 # I did not find any way to make it dependant on docker_swarm_haproxy_installation_type
 docker_swarm_haproxy_keepalive_installation: False
+docker_swarm_haproxy_swarm_port: '{{ docker_api_port }}'
+
 # docker_swarm_expose_api_via_haproxy: True
 docker_swarm_expose_api_hostname: 'swarm.example.com'
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 4da5f06..bc5d1ba 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -84,12 +84,6 @@ frontend http
 {% if docker_swarm_cluster_portainer_install %}
 acl portainer_srv hdr_dom(host) -i {{ docker_swarm_portainer_hostname }}
 {% endif %}
-{% if docker_swarm_expose_api_via_haproxy %}
- acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
- acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
-
- http-request deny if swarm_api !swarm_api_allowed_nets
-{% endif %}
 {% for srv in docker_swarm_haproxy_additional_services %}
 acl {{ srv.acl_name }} {{ srv.acl_rule }}
 {% if srv.allowed_networks is defined %}
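Review bot: `docker_swarm_haproxy_swarm_port` defaults to `{{ docker_api_port }}`, the same TCP port the old backend dialled (`server swarm 127.0.0.1:{{ docker_api_port }}` in the haproxy.cfg.j2 hunk of this patch); now that the backend talks to the unix socket, HAProxy's `bind :{{ docker_swarm_haproxy_swarm_port }}` will collide with the daemon if dockerd is still configured to listen on that TCP port, which this diff does not show either way. The new variable is also undocumented while its neighbours carry comments. Suggest a comment above it such as `# TCP port HAProxy binds for the proxied docker API; the daemon must not listen on it (the backend uses the unix socket)`.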
@@ -102,12 +96,48 @@ frontend http
 {% if docker_swarm_cluster_portainer_install %}
 use_backend portainer_bck if portainer_srv
 {% endif %}
-{% if docker_swarm_expose_api_via_haproxy %}
- use_backend swarm_api_bck if swarm_api
-{% endif %}
 {% for srv in docker_swarm_haproxy_additional_services %}
 use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
 {% endfor %}
+
+{% if docker_swarm_expose_api_via_haproxy %}
+frontend docker_ft
+ bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
+
+ mode http
+ acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
+ acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
+
+ http-request deny if swarm_api !swarm_api_allowed_nets
+ http-request deny unless METH_GET || { env(POST) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } { env(POST) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+ http-request deny
+ default_backend swarm_api_bk
+{% endif %}
+
 #
 # Backends
 #
@@ -116,8 +146,7 @@ frontend http
 # swarm API
 backend swarm_api_bck
 mode http
- balance roundrobin
- server swarm 127.0.0.1:{{ docker_api_port }}
+ server dockersocket /var/run/docker.sock
 {% endif %}
 {% if docker_swarm_cluster_portainer_install %}
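Review bot: `default_backend swarm_api_bk` at the end of the new `frontend docker_ft` does not match the backend name, which the next hunk shows as `backend swarm_api_bck`, so HAProxy will refuse to load the rendered configuration; change it to `default_backend swarm_api_bck`. The source-network restriction is also weaker than it was: `http-request deny if swarm_api !swarm_api_allowed_nets` only fires when the client's Host header matches `docker_swarm_expose_api_hostname`, and on a dedicated frontend with a default_backend a request carrying any other Host skips that rule and goes straight to the method/path rules, whereas the removed `use_backend swarm_api_bck if swarm_api` only routed matching hosts to the daemon at all. Because Host is client-supplied, gate on the network by itself, `http-request deny if !swarm_api_allowed_nets`, and keep the hostname ACL as an additional condition if it is still wanted. Finally, every allow rule is conditioned on `env(...) -m bool` and the frontend ends with an unconditional `http-request deny`; unless the role exports those variables into HAProxy's environment somewhere outside this diff (e.g. `setenv` in the `global` section or the service unit), nothing reaches the backend, so a comment naming where they are set, and what an unset one means, belongs above the first allow rule.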
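Review bot: `server dockersocket /var/run/docker.sock` hands the proxied traffic to the daemon socket, so the HAProxy worker needs read/write access to that socket and, if the `global` section uses `chroot`, the path must resolve inside the chroot; neither the socket permissions nor the global section is visible in this diff, so the role's tasks should be checked for both. A comment on the server line would make the trust boundary explicit, e.g. `# local daemon socket: the docker_ft allow-list is the only access control in front of it, keep that frontend the sole path to this backend`.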