From c0e9ed1a28a085181953382ba5a575e0b95a32e1 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Tue, 16 Jan 2018 12:51:26 +0100
Subject: [PATCH] New option to require http auth for all requests if not from
 a private IP

---
 tasks/configure.yml             | 10 ++++++++++
 templates/haproxy_cfg.jinja2    | 17 +++++++++++++++++
 templates/privatelist.ip.jinja2 |  3 +++
 3 files changed, 30 insertions(+)
 create mode 100644 templates/privatelist.ip.jinja2

diff --git a/tasks/configure.yml b/tasks/configure.yml
index 730eefa..6684588 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -85,6 +85,16 @@
     - 'blacklist.agent'
   notify: "Check HAProxy Config"
 
+- name: "Update private ips"
+  template:
+    src='privatelist.ip.jinja2'
+    dest='/etc/haproxy/privatelist.ip'
+    owner='root'
+    group='root'
+    mode='644'
+  when: haproxy_private is defined
+  notify: "Check HAProxy Config"
+
 - name: "Create config file"
   template:
     src='haproxy_cfg.jinja2'
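Review bot: The `when: haproxy_private is defined` guard on the new "Update private ips" task checks only the top-level variable, while the template it renders iterates `haproxy_private.ip`, so a host that defines `haproxy_private` (e.g. only with `auth`) fails at template time instead of skipping the file; `when: haproxy_private is defined and haproxy_private.ip is defined` pins the dependency the task actually has. The haproxy config template references `/etc/haproxy/privatelist.ip` under the same top-level guard, so if the task condition is tightened the template's condition should be kept in step, otherwise HAProxy would be pointed at a file that was never written. The module arguments are written in `key=value` string form; the native mapping form (`src: privatelist.ip.jinja2`, `dest: /etc/haproxy/privatelist.ip`, `mode: "0644"`) is the Ansible convention and what ansible-lint expects, though the neighbouring "Create config file" task uses the same string form, so this is a file-wide style choice rather than something to fix only here.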
diff --git a/templates/haproxy_cfg.jinja2 b/templates/haproxy_cfg.jinja2
index c06c377..97fe6b1 100644
--- a/templates/haproxy_cfg.jinja2
+++ b/templates/haproxy_cfg.jinja2
@@ -49,10 +49,22 @@ userlist kibana
   user {{ user.username }} insecure-password '{{ user.password }}'
 {% endfor %}
 {% endif %}
+{% if haproxy_private is defined %}
+
+userlist notprivate
+{% for user in haproxy_private.auth %}
+  user {{ user.username }} insecure-password '{{ user.password }}'
+{% endfor %}
+{% endif %}
 
 frontend http_in
   bind *:80
   http-request del-header Proxy
+{% if haproxy_private is defined %}
+  acl privateip src -f /etc/haproxy/privatelist.ip
+  acl private_auth http_auth(notprivate) if !privateip
+  http-request auth realm notprivate if !privateip !private_auth
+{% endif %}
   acl blockedip src -f /etc/haproxy/blacklist.ip
   http-request deny if blockedip
   acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
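Review bot: `acl private_auth http_auth(notprivate) if !privateip` on the new line in http_in puts a condition on an ACL definition, which HAProxy's acl syntax (`acl <name> <criterion> [flags] [operator] [<value>] ...`) does not have — the trailing `if !privateip` is read as pattern values rather than a guard, so it is at best ignored and misleads a reader into thinking the credential check itself is scoped to non-private sources. The scoping already happens on the action line, so the definition should be just `acl private_auth http_auth(notprivate)`; the identical line appears again in the https_in_{{ cert.ip }} hunk below and needs the same change. Separately, the new `http-request auth` rule is inserted before the existing `http-request deny if blockedip` rules, so blacklisted addresses receive the 401 challenge (and can keep submitting credentials) before they are denied; placing the new block after the blacklist rules keeps the deny first, in both frontends. The `insecure-password` keyword mirrors the existing kibana userlist, but it stores each secret in clear text in haproxy.cfg; `password` with a crypt(3) hash would avoid that for the new list, presumably with the role's `haproxy_private.auth` entries then carrying hashes instead of plaintext.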
@@ -170,6 +182,11 @@ frontend http_in
 frontend https_in_{{ cert.ip }}
   bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
   http-request del-header Proxy
+{% if haproxy_private is defined %}
+  acl privateip src -f /etc/haproxy/privatelist.ip
+  acl private_auth http_auth(notprivate) if !privateip
+  http-request auth realm notprivate if !privateip !private_auth
+{% endif %}
   acl blockedip src -f /etc/haproxy/blacklist.ip
   http-request deny if blockedip
   acl blockedreferer hdr_sub(referer) -i -f /etc/haproxy/blacklist.referer
diff --git a/templates/privatelist.ip.jinja2 b/templates/privatelist.ip.jinja2
new file mode 100644
index 0000000..32be90d
--- /dev/null
+++ b/templates/privatelist.ip.jinja2
@@ -0,0 +1,3 @@
+{% for ip in haproxy_private.ip %}
+{{ ip }}
+{% endfor %}
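Review bot: The new privatelist template emits each `haproxy_private.ip` entry verbatim with no header, so the generated /etc/haproxy/privatelist.ip gives an operator no hint that it is Ansible-managed or what it controls. HAProxy pattern files ignore lines beginning with `#` as far as I recall, so a leading `# {{ ansible_managed }}` line followed by a one-line comment stating that entries are IP addresses or CIDR prefixes, one per line, matched against the connection's `src` to bypass the notprivate auth challenge, would document the file in place. Because `src` is the TCP peer address, an entry for an upstream proxy or load balancer would exempt every client behind it from the challenge; that caveat belongs in the role's variable documentation for `haproxy_private.ip`.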
-- 
GitLab