Dedicated port for the docker api
parent
024c1e25c8
commit
e89461eaf3
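--- a/<defaults-file-path-not-shown>
+++ b/<defaults-file-path-not-shown>
@@ -4,6 +4,8 @@ docker_swarm_cluster_haproxy_install: True
 docker_swarm_haproxy_installation_type: 'global'
 # I did not find any way to make it dependant on docker_swarm_haproxy_installation_type
 docker_swarm_haproxy_keepalive_installation: False
+docker_swarm_haproxy_swarm_port: '{{ docker_api_port }}'
+
 #
 docker_swarm_expose_api_via_haproxy: True
 docker_swarm_expose_api_hostname: 'swarm.example.com'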
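Review bot: The new `docker_swarm_haproxy_swarm_port` defaults to `docker_api_port`, which is the same TCP port the template's backend used to target (`server swarm 127.0.0.1:{{ docker_api_port }}`, removed in this commit in favour of `/var/run/docker.sock`); if dockerd keeps a TCP listener on that port, the HAProxy `bind` on the same port will collide, and if it does not, reusing the daemon's variable for the proxy's listening port is confusing to operators. A comment on the new line would make the intent clear, e.g. `# TCP port HAProxy binds for the TLS-terminated Docker API frontend (the backend now uses /var/run/docker.sock)`. Whether the daemon's own TCP listener is expected to be disabled when this is enabled is not visible here and should be stated in the defaults.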
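--- a/<haproxy-template-path-not-shown>
+++ b/<haproxy-template-path-not-shown>
@@ -84,12 +84,6 @@ frontend http
 {% if docker_swarm_cluster_portainer_install %}
 acl portainer_srv hdr_dom(host) -i {{ docker_swarm_portainer_hostname }}
 {% endif %}
-{% if docker_swarm_expose_api_via_haproxy %}
-acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
-acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
-
-http-request deny if swarm_api !swarm_api_allowed_nets
-{% endif %}
 {% for srv in docker_swarm_haproxy_additional_services %}
 acl {{ srv.acl_name }} {{ srv.acl_rule }}
 {% if srv.allowed_networks is defined %}
@@ -102,12 +96,48 @@ frontend http
 {% if docker_swarm_cluster_portainer_install %}
 use_backend portainer_bck if portainer_srv
 {% endif %}
-{% if docker_swarm_expose_api_via_haproxy %}
-use_backend swarm_api_bck if swarm_api
-{% endif %}
 {% for srv in docker_swarm_haproxy_additional_services %}
 use_backend {{ srv.acl_name }}_bck if {{ srv.acl_name }}
 {% endfor %}
+
+{% if docker_swarm_expose_api_via_haproxy %}
+frontend docker_ft
+bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
+
+mode http
+acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
+acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
+
+http-request deny if swarm_api !swarm_api_allowed_nets
+http-request deny unless METH_GET || { env(POST) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } { env(POST) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
+http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+http-request deny
+default_backend swarm_api_bk
+{% endif %}
+
 #
 # Backends
 #
@@ -116,8 +146,7 @@ frontend http
 # swarm API
 backend swarm_api_bck
 mode http
-balance roundrobin
-server swarm 127.0.0.1:{{ docker_api_port }}
+server dockersocket /var/run/docker.sock
 {% endif %}
 
 {% if docker_swarm_cluster_portainer_install %}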
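Review bot: In the new `frontend docker_ft` the source-network restriction is only evaluated when the Host header matches `docker_swarm_expose_api_hostname` (`http-request deny if swarm_api !swarm_api_allowed_nets`), so on this dedicated port a client outside `docker_swarm_api_networks_acl` that sends any other Host value skips the network check entirely and is gated only by the per-path `env()` rules; since the frontend serves nothing else, deny unconditionally with `http-request deny if !swarm_api_allowed_nets` followed by `http-request deny if !swarm_api`. `default_backend swarm_api_bk` does not match the backend this same commit keeps as `backend swarm_api_bck`, and HAProxy refuses a configuration whose default_backend does not exist, so it should read `default_backend swarm_api_bck`. The `env(POST)`, `env(CONTAINERS)` and similar flags are fail-closed because the chain ends in `http-request deny`, but nothing in this commit sets them in the HAProxy process environment, so presumably the service definition does; the variables the role expects, and that leaving them unset disables the whole API, should be documented next to `docker_swarm_expose_api_via_haproxy`.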