Dedicated port for the docker api

This commit is contained in:
Andrea Dell'Amico 2020-10-07 18:36:28 +02:00
parent 024c1e25c8
commit e89461eaf3
2 changed files with 42 additions and 11 deletions

View File

@ -4,6 +4,8 @@ docker_swarm_cluster_haproxy_install: True
docker_swarm_haproxy_installation_type: 'global' docker_swarm_haproxy_installation_type: 'global'
# I did not find any way to make it dependant on docker_swarm_haproxy_installation_type # I did not find any way to make it dependant on docker_swarm_haproxy_installation_type
docker_swarm_haproxy_keepalive_installation: False docker_swarm_haproxy_keepalive_installation: False
docker_swarm_haproxy_swarm_port: '{{ docker_api_port }}'
# #
docker_swarm_expose_api_via_haproxy: True docker_swarm_expose_api_via_haproxy: True
docker_swarm_expose_api_hostname: 'swarm.example.com' docker_swarm_expose_api_hostname: 'swarm.example.com'

View File

@ -84,12 +84,6 @@ frontend http
{% if docker_swarm_cluster_portainer_install %} {% if docker_swarm_cluster_portainer_install %}
acl portainer_srv hdr_dom(host) -i {{ docker_swarm_portainer_hostname }} acl portainer_srv hdr_dom(host) -i {{ docker_swarm_portainer_hostname }}
{% endif %} {% endif %}
{% if docker_swarm_expose_api_via_haproxy %}
acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
http-request deny if swarm_api !swarm_api_allowed_nets
{% endif %}
{% for srv in docker_swarm_haproxy_additional_services %} {% for srv in docker_swarm_haproxy_additional_services %}
acl {{ srv.acl_name }} {{ srv.acl_rule }} acl {{ srv.acl_name }} {{ srv.acl_rule }}
{% if srv.allowed_networks is defined %} {% if srv.allowed_networks is defined %}
@ -102,12 +96,48 @@ frontend http
{% if docker_swarm_cluster_portainer_install %} {% if docker_swarm_cluster_portainer_install %}
use_backend portainer_bck if portainer_srv use_backend portainer_bck if portainer_srv
{% endif %} {% endif %}
{% if docker_swarm_expose_api_via_haproxy %}
use_backend swarm_api_bck if swarm_api
{% endif %}
{% for srv in docker_swarm_haproxy_additional_services %} {% for srv in docker_swarm_haproxy_additional_services %}
use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }} use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
{% endfor %} {% endfor %}
{% if docker_swarm_expose_api_via_haproxy %}
frontend docker_ft
bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
mode http
acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
http-request deny if swarm_api !swarm_api_allowed_nets
http-request deny unless METH_GET || { env(POST) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } { env(POST) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
http-request deny
default_backend swarm_api_bk
{% endif %}
# #
# Backends # Backends
# #
@ -116,8 +146,7 @@ frontend http
# swarm API # swarm API
backend swarm_api_bck backend swarm_api_bck
mode http mode http
balance roundrobin server dockersocket /var/run/docker.sock
server swarm 127.0.0.1:{{ docker_api_port }}
{% endif %} {% endif %}
{% if docker_swarm_cluster_portainer_install %} {% if docker_swarm_cluster_portainer_install %}