From 92658f66d3d3db61226546d8d02bfe0a4fcb2ac6 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Tue, 30 Jan 2018 11:26:10 +0100
Subject: [PATCH] Check for letsencrypt challenge before testing redirects and
 authentication

---
 templates/haproxy_cfg.jinja2 | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/templates/haproxy_cfg.jinja2 b/templates/haproxy_cfg.jinja2
index 3dfc817..154b675 100644
--- a/templates/haproxy_cfg.jinja2
+++ b/templates/haproxy_cfg.jinja2
@@ -60,18 +60,6 @@ userlist notprivate
 frontend http_in
   bind *:80
   http-request del-header Proxy
-  http-request redirect code 301 location %[hdr(host),map(/etc/haproxy/redirect.domain.map)] if { hdr(host),map(/etc/haproxy/redirect.domain.map) -m found }
-  http-request redirect code 301 location %[capture.req.uri,map(/etc/haproxy/redirect.path.map)] if { capture.req.uri,map(/etc/haproxy/redirect.path.map) -m found }
-{% if haproxy_private is defined %}
-{% if haproxy_private.domain is defined %}
-  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
-{% else %}
-  acl privatedomain hdr_cnt(X_Dummy) eq 0
-{% endif %}
-  acl privateip src -f /etc/haproxy/privatelist.ip
-  acl private_auth http_auth(notprivate) if !privateip
-  http-request auth realm notprivate if privatedomain !privateip !private_auth
-{% endif %}
   acl blockedip src -f /etc/haproxy/blacklist.ip
   http-request deny if blockedip
   acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
@@ -83,6 +71,18 @@ frontend http_in
 {% endfor %}
   http-request set-header x-routing-host undefined
   acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
+  http-request redirect code 301 location %[hdr(host),map(/etc/haproxy/redirect.domain.map)] if !letsencrypt_challenge { hdr(host),map(/etc/haproxy/redirect.domain.map) -m found }
+  http-request redirect code 301 location %[capture.req.uri,map(/etc/haproxy/redirect.path.map)] if !letsencrypt_challenge { capture.req.uri,map(/etc/haproxy/redirect.path.map) -m found }
+{% if haproxy_private is defined %}
+{% if haproxy_private.domain is defined %}
+  acl privatedomain hdr(host) -i -n -f /etc/haproxy/privatelist.domain
+{% else %}
+  acl privatedomain hdr_cnt(X_Dummy) eq 0
+{% endif %}
+  acl privateip src -f /etc/haproxy/privatelist.ip
+  acl private_auth http_auth(notprivate) if !privateip
+  http-request auth realm notprivate if !letsencrypt_challenge privatedomain !privateip !private_auth
+{% endif %}
 {% for host in groups['all']|sort %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
 {% for from in redirect.from %}
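Review bot: The `!letsencrypt_challenge` condition added to the `http-request auth` line at L48 turns a path prefix (`path_beg /.well-known/acme-challenge/`, defined at L37) into an authentication bypass for every private domain, so anything routed under that prefix is now reachable without credentials, and the hunk does not show the request being pinned to a backend that only serves ACME tokens. Since the frontend's routing rules continue past the end of the hunk, it is worth confirming there that challenge requests go to a dedicated challenge backend rather than the domain's normal backend, e.g. `use_backend ACME_BACKEND_PLACEHOLDER if letsencrypt_challenge` placed before the per-host routing. HAProxy matches `path_beg` on the request path as sent, so a backend that resolves `..` segments could be handed a path outside the challenge directory; on HAProxy 2.4 or later `http-request normalize-uri path-merge-slashes` and `path-strip-dotdot` can remove that ambiguity, and an inline comment such as `# challenge requests skip redirects/auth only; routing to the ACME backend is still required below` would make the intended scope of the bypass explicit. The `blockedip` deny at L31–L32 still precedes the moved lines, so the IP blacklist continues to apply to challenge requests, which is the right order.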
-- 
GitLab