From b8f1082d7258f322ef1e3f71c4878cb6e2bb4589 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Fri, 17 Mar 2017 13:54:44 +0100
Subject: [PATCH] ansible-roles/letsencrypt#4 Only redirect or deny if not a
 letsencrypt challenge

---
 templates/haproxy_cfg.jinja2 | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/templates/haproxy_cfg.jinja2 b/templates/haproxy_cfg.jinja2
index c141b99..0bf23f8 100644
--- a/templates/haproxy_cfg.jinja2
+++ b/templates/haproxy_cfg.jinja2
@@ -63,15 +63,16 @@ frontend http_in
   http-request deny if { {{ rule }} }
 {% endfor %}
   http-request set-header x-routing-host undefined
+  acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
 {% for host in groups['all'] %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
 {% for from in redirect.from %}
 {% for path in redirect.paths|default([]) %}
 {% if path.deny|default(false) %}
-  http-request deny if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
+  http-request deny if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path','path_beg')}} /{{path.from}}{% endif %} }
 {% else %}
 {% if path.regex is defined and path.from is defined %}
-  http-request redirect code 301 location {{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
+  http-request redirect code 301 location {{ path.to|default('') }}%[capture.req.uri,regsub({{path.regex}},)] if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}} }
 {% endif %}
 {% endif %}
 {% endfor %}
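Review bot: The new `acl letsencrypt_challenge path_beg /.well-known/acme-challenge/` exempts every deny and redirect rule in this frontend for any path under that prefix, and because HAProxy's `path` sample is matched unnormalized, a request such as `/.well-known/acme-challenge/../x` satisfies the `!letsencrypt_challenge` guard as well. The same ACL also selects `backend_letsencrypt` later in the frontend, so such requests land on that backend rather than on the denied or redirected application host, but the exemption is still wider than the HTTP-01 request shape this commit means to admit. Since an ACME token is restricted to the base64url alphabet, the ACL can be narrowed to a single path segment, `acl letsencrypt_challenge path_reg ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$`, and optionally gated on a second `acl letsencrypt_get method GET`, so that nothing else rides on the exemption. Whether the traversal form is actually harmful depends on what serves `backend_letsencrypt`, which is not visible here; the generic deny loop at the top of this hunk stays unconditional, which looks intended for the global rules.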
@@ -84,12 +85,12 @@ frontend http_in
 {% for path in redirect.paths|default([]) %}
 {% if not path.deny|default(false) %}
 {% if path.regex is not defined or path.from is not defined %}
-    http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
+    http-request redirect code 301 location {{ redirect.protocol|default('https') }}://{{redirect.to}}/{{path.to|default('')}}{% if path.append_path|default(false) %}%[capture.req.uri]{% endif %}{% if path.append_query is defined %}?{{ path.append_query }}{% endif %} if !letsencrypt_challenge { {{ (from == ".") | ternary('hdr_sub', 'hdr') }}(host) -i -n {{ from }}{% if path.from is defined %} } { {{path.exact|default(false)|ternary('path /','path_reg ^/')}}{{path.from}}{% endif %} }
 {% endif %}
 {% endif %}
 {% endfor %}
 {% if (from != redirect.to or redirect.protocol|default('https') == 'https') and redirect.paths is not defined %}
-  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{ from }} }
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{ from }} }
 {% endif %}
 {% endfor %}
 {% endfor %}
@@ -98,7 +99,7 @@ frontend http_in
 {% for domain in drupal.domains|default([]) %}
 {% if not domain.multidomain|default(false) %}
 {% for alias in domain.aliases|default([]) %}
-  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if !letsencrypt_challenge { hdr(host) -i -n {{alias}} }
 {% endfor %}
 {% endif %}
 {% endfor %}
@@ -107,20 +108,19 @@ frontend http_in
 {% endfor %}
 {% for host in groups['webserver'] %}
 {% if hostvars[host].routing is defined %}
-  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -i -n -f /etc/haproxy/{{ host }}.path.list }
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path -i -n -f /etc/haproxy/{{ host }}.path.list }
 {% endif %}
 {% endfor %}
 {% for host in groups['webserver'] %}
 {% if hostvars[host].routing is defined %}
 {% for path in hostvars[host].routing.paths|default([]) %}
-  http-request set-header x-routing-host {{ host }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
+  http-request set-header x-routing-host {{ host }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ hostvars[host].routing.domain }} } { path_beg {{ path }} }
 {% endfor %}
 {% endif %}
 {% endfor %}
 {% if routing is defined and routing.default is defined %}
-  http-request set-header x-routing-host {{ routing.default }} if { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
+  http-request set-header x-routing-host {{ routing.default }} if !letsencrypt_challenge { hdr(x-routing-host) undefined } { hdr(host) -i -n {{ routing.domain }} }
 {% endif %}
-  acl letsencrypt_challenge path_beg /.well-known/acme-challenge/
   use_backend backend_letsencrypt if letsencrypt_challenge
 {% if kibana_users is defined %}
   acl kibana_present hdr(host) -i -n '{{ kibana_domain|default(inventory_hostname) }}'
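Review bot: `use_backend backend_letsencrypt if letsencrypt_challenge` now relies on an ACL declared some sixty lines earlier at the top of the frontend, and nothing at either site records why it was moved; a Jinja comment beside the `use_backend`, `{# letsencrypt_challenge is declared before the deny/redirect rules (HAProxy needs named ACLs declared before first use) so they can exempt ACME HTTP-01 requests #}`, would keep the next editor from moving it back next to its consumer. The `!letsencrypt_challenge` guards added to the three `x-routing-host` rules leave that header at `undefined` for challenge traffic, which only stays harmless as long as this `use_backend` precedes whatever rule or default backend consumes `x-routing-host`; the `use_backend` lines that follow the kibana ACL are outside this hunk, so I cannot confirm that ordering. The enclosing `frontend http_in` section continues past the end of the hunk.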
-- 
GitLab