From 4809be211ba890e594e0d3e451ef6695a72a0246 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Fri, 26 Jan 2018 13:38:11 +0100
Subject: [PATCH] Allow haproxy_private to be limited to certain domains only

---
 tasks/configure.yml                 | 10 ++++++++++
 templates/haproxy_cfg.jinja2        | 14 ++++++++++++--
 templates/privatelist.domain.jinja2 |  3 +++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 templates/privatelist.domain.jinja2

diff --git a/tasks/configure.yml b/tasks/configure.yml
index 6684588..9d62797 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -95,6 +95,16 @@
   when: haproxy_private is defined
   notify: "Check HAProxy Config"
 
+- name: "Update private domains"
+  template:
+    src='privatelist.domain.jinja2'
+    dest='/etc/haproxy/privatelist.domain'
+    owner='root'
+    group='root'
+    mode='644'
+  when: haproxy_private is defined and haproxy_private.domain
+  notify: "Check HAProxy Config"
+
 - name: "Create config file"
   template:
     src='haproxy_cfg.jinja2'
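Review bot: The `when` on the new "Update private domains" task tests the truthiness of `haproxy_private.domain`, while both frontend templates in this patch test `haproxy_private.domain is defined`, so the two conditions diverge. With `domain` defined but empty the task is skipped and `/etc/haproxy/privatelist.domain` is never (re)written, yet the rendered config still references the file with `-f`, so the config check fails or, if an older copy survives, a stale domain list silently keeps gating authentication. When `haproxy_private` is defined without a `domain` key, Ansible's strict handling of undefined attributes is likely to abort the conditional rather than treat it as false. Use the same test as the templates, `when: haproxy_private is defined and haproxy_private.domain is defined`, so the file is written whenever the config refers to it.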
diff --git a/templates/haproxy_cfg.jinja2 b/templates/haproxy_cfg.jinja2
index ec28b99..c252b7b 100644
--- a/templates/haproxy_cfg.jinja2
+++ b/templates/haproxy_cfg.jinja2
@@ -61,9 +61,14 @@ frontend http_in
   bind *:80
   http-request del-header Proxy
 {% if haproxy_private is defined %}
+{% if haproxy_private.domain is defined %}
+  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
+{% else %}
+  acl privatedomain if true
+{% endif %}
   acl privateip src -f /etc/haproxy/privatelist.ip
   acl private_auth http_auth(notprivate) if !privateip
-  http-request auth realm notprivate if !privateip !private_auth
+  http-request auth realm notprivate if privatedomain !privateip !private_auth
 {% endif %}
   acl blockedip src -f /etc/haproxy/blacklist.ip
   http-request deny if blockedip
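Review bot: `acl privatedomain if true` in the else branch is not valid HAProxy syntax — an `acl` line takes a sample-fetch criterion, and `if` is only a keyword on the directives that consume the ACL — so every deployment that does not set `haproxy_private.domain` will fail the config check and the `notprivate` auth gate is never installed. The always-true fetch is `always_true`, so the line should read `  acl privatedomain always_true`. The identical else branch in the https_in hunk below needs the same change. Separately, `hdr(host)` matches the raw Host header including any `:port` the client sends, so a request on a non-standard port would not match the list and would not be challenged; if the role is meant to cover such deployments, document this limitation or match on `req.hdr(host),field(1,:)` (requires the `field` converter, HAProxy 1.6 or later).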
@@ -183,9 +188,14 @@ frontend https_in_{{ cert.ip }}
   bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
   http-request del-header Proxy
 {% if haproxy_private is defined %}
+{% if haproxy_private.domain is defined %}
+  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
+{% else %}
+  acl privatedomain if true
+{% endif %}
   acl privateip src -f /etc/haproxy/privatelist.ip
   acl private_auth http_auth(notprivate) if !privateip
-  http-request auth realm notprivate if !privateip !private_auth
+  http-request auth realm notprivate if privatedomain !privateip !private_auth
 {% endif %}
   acl blockedip src -f /etc/haproxy/blacklist.ip
   http-request deny if blockedip
diff --git a/templates/privatelist.domain.jinja2 b/templates/privatelist.domain.jinja2
new file mode 100644
index 0000000..462cd06
--- /dev/null
+++ b/templates/privatelist.domain.jinja2
@@ -0,0 +1,3 @@
+{% for domain in haproxy_private.domain %}
+{{ domain }}
+{% endfor %}
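Review bot: The loop assumes `haproxy_private.domain` is a list; a single domain supplied as a plain string would be iterated character by character and rendered one character per line, which HAProxy would then load as meaningless patterns and the auth gate would never match. Either normalise the input in the loop header, `{% for domain in ([haproxy_private.domain] if haproxy_private.domain is string else haproxy_private.domain) %}`, or document in the role defaults that the variable must be a list. Entries are written verbatim, so a value beginning with `#` is treated as a comment by HAProxy's pattern-file parser and silently dropped; a short comment in the template stating the expected one-domain-per-line format would help the next maintainer.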
-- 
GitLab