From 1a3288d27e6a289d24c3f00b32a31c0709acfea9 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Tue, 11 Aug 2015 17:29:02 +0200
Subject: [PATCH] SV-50578 Implement blacklist for haproxy

---
 defaults/main.yml | 1 +
 tasks/configure.yml | 9 +++++++++
 templates/blacklist | 3 +++
 templates/haproxy_cfg | 4 ++++
 4 files changed, 17 insertions(+)
 create mode 100644 templates/blacklist

diff --git a/defaults/main.yml b/defaults/main.yml
index ddb2f85..180921e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,3 @@
 default_proxy: ''
 proxy_default_backend: ''
+proxy_blacklist_ips: []
diff --git a/tasks/configure.yml b/tasks/configure.yml
index cb46641..774c2b7 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -67,3 +67,12 @@
 hour='*'
 minute='*/1'
 job='/etc/haproxy/update/update.sh >/dev/null 2>&1'
+
+- name: "Proxy | Update blacklist"
+ template: src=blacklist
+ dest=/etc/haproxy/blacklist
+ owner=root
+ group=root
+ mode=644
+ when: scope == 'all'
+ notify: 'Proxy | Restart HAProxy'
diff --git a/templates/blacklist b/templates/blacklist
new file mode 100644
index 0000000..ef4547e
--- /dev/null
+++ b/templates/blacklist
@@ -0,0 +1,3 @@
+{% for line in hostvars[item]['proxy_blacklist_ips'] %}
+{{line}}
+{% endfor %}
diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index 2e045f7..2bad328 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -43,6 +43,8 @@ listen stats 127.0.0.1:7000
 frontend http-in
 bind *:80
+ acl blockedip src -i -f /etc/haproxy/blacklist
+ http-request deny if blockedip
 {% for host in groups['all'] %}
 {% if hostvars[host]['proxy_redirect'] %}
 {% for redirect in hostvars[host]['proxy_redirect'] %}
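Review bot: `proxy_blacklist_ips` is added to defaults/main.yml without any comment on what its entries must look like, although the rendered file is consumed by HAProxy's `acl ... src -f` pattern loader in templates/haproxy_cfg and the template writes each entry verbatim. An entry that is not an address or network presumably makes HAProxy reject its configuration on the next restart, so the format is worth pinning down at the definition. Suggest adding above the line `# IP addresses or CIDR networks (one per entry) that the http-in/https-in frontends deny; written verbatim to /etc/haproxy/blacklist`.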
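Review bot: The new "Proxy | Update blacklist" task validates nothing before notifying 'Proxy | Restart HAProxy', so a malformed entry in the rendered blacklist is first noticed when the restart fails and the proxy stays down on both frontends; what the handler actually does is outside this hunk. Consider checking the full configuration before the restart (for example a `haproxy -c -f /etc/haproxy/haproxy.cfg` step, or a reload-style handler that keeps the old process if the check fails), since the blacklist file is only valid in the context of the main config. Minor: `mode=644` in k=v form appears to be read as octal by the file modules, but `mode=0644` states that explicitly and matches the usual convention.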
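Review bot: The first line of templates/blacklist reads `hostvars[item]['proxy_blacklist_ips']`, but the task that renders it in tasks/configure.yml (same commit) declares no `with_items`, so `item` is undefined at render time unless configure.yml is itself included inside a loop that defines it — the tasks above that hunk are outside my view, so this is inferred. If each proxy host is meant to supply its own list, the plain variable already defaulted to `[]` in defaults/main.yml is enough: `{% for line in proxy_blacklist_ips %}`. If the lists of all hosts are meant to be merged, loop over `groups['all']` with `hostvars[host]` as templates/haproxy_cfg does, and guard the lookup with `| default([])` so a host lacking the variable does not abort the render.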
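Review bot: The `acl blockedip src -i -f /etc/haproxy/blacklist` line matches the TCP peer address, so when HAProxy is reached through another proxy or load balancer the denial applies to that upstream's address, not the client's; the hunk cannot show whether HAProxy terminates client connections directly here, so this assumption deserves a comment next to the ACL. As far as I can tell `-i` only affects case-sensitivity of string patterns and has no meaning for address patterns; `acl blockedip src -f /etc/haproxy/blacklist` is equivalent and less confusing. The same two lines are repeated verbatim in the https-in frontend in the next hunk; any fix applies to both.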
@@ -67,6 +69,8 @@ frontend http-in
 frontend https-in
 bind :443 ssl crt /etc/haproxy/certs/s-verein.de.pem no-sslv3
+ acl blockedip src -i -f /etc/haproxy/blacklist
+ http-request deny if blockedip
 {% for host in groups['all'] %}
 {% if hostvars[host]['proxy_redirect'] %}
 {% for redirect in hostvars[host]['proxy_redirect'] %}
-- 
GitLab