Commit b8f1082d authored by jurgenhaas's avatar jurgenhaas

ansible-roles/letsencrypt#4 Only redirect or deny if not a letsencrypt challenge

parent 859b835d
......@@ -63,15 +63,16 @@ frontend http_in
http-request deny if { {{ rule }} }
{% endfor %}
http-request set-header x-routing-host undefined
acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
{% for host in groups['all'] %}
{% for redirect in hostvars[host].proxy_redirect|default([]) %}
{% for from in redirect.from %}
{% for path in redirect.paths|default([]) %}
{% if path.deny|default(false) %}
http-request deny if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
http-request deny if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
{% else %}
{% if path.regex is defined and path.from is defined %}
http-request redirect code 301 location {{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
http-request redirect code 301 location {{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
{% endif %}
{% endif %}
{% endfor %}
......@@ -84,12 +85,12 @@ frontend http_in
{% for path in redirect.paths|default([]) %}
{% if not path.deny|default(false) %}
{% if path.regex is not defined or path.from is not defined %}
http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
{% endif %}
{% endif %}
{% endfor %}
{% if (from != redirect.to or redirect.protocol|default('https') == 'https') and redirect.paths is not defined %}
redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{ from }} }
redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{ from }} }
{% endif %}
{% endfor %}
{% endfor %}
......@@ -98,7 +99,7 @@ frontend http_in
{% for domain in drupal.domains|default([]) %}
{% if not domain.multidomain|default(false) %}
{% for alias in domain.aliases|default([]) %}
redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{alias}} }
{% endfor %}
{% endif %}
{% endfor %}
......@@ -107,20 +108,19 @@ frontend http_in
{% endfor %}
{% for host in groups['webserver'] %}
{% if hostvars[host].routing is defined %}
http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -i -n -f /etc/haproxy/{{ host }}.path.list }
http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -i -n -f /etc/haproxy/{{ host }}.path.list }
{% endif %}
{% endfor %}
{% for host in groups['webserver'] %}
{% if hostvars[host].routing is defined %}
{% for path in hostvars[host].routing.paths|default([]) %}
http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
{% endfor %}
{% endif %}
{% endfor %}
{% if routing is defined and routing.default is defined %}
http-request set-header x-routing-host {{ routing.default }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
http-request set-header x-routing-host {{ routing.default }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
{% endif %}
acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
use_backend backend_letsencrypt if letsencrypt_challenge
{% if kibana_users is defined %}
acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
......
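Review bot: The `letsencrypt_challenge` ACL that now sits at the top of `frontend http_in` is a bare `path_beg /.well-known/acme-challenge/`, and every per-host deny, redirect and `x-routing-host` rule in this section is skipped when it matches. HAProxy compares the path as received, so anything that merely starts with that prefix (including paths with dot segments or encoded characters after it) bypasses the configured `http-request deny` entries and is handed to `backend_letsencrypt`; whether that is harmless depends on how that backend serves files, which is not visible here. Since ACME HTTP-01 tokens only use the base64url alphabet, the match could be narrowed to `acl letsencrypt_challenge path_reg ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$`. A comment above the ACL such as `# ACME HTTP-01 exemption: matching requests skip the deny/redirect/routing rules below and go to backend_letsencrypt` would record why the negation is on every rule. The generic `http-request deny if { {{ rule }} }` loop above the ACL is not exempted, so it is worth confirming that a challenge request being denied there is intended.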