Merge pull request nuriel77#88 from nuriel77/feat/haproxy-whitelist

Allow usage of white list file, add whitelist acl to ratelimits
olexiyb · Jun 11, 2018 · acf361c · acf361c
2 parents 2be44d3 + 3a1b8ff
commit acf361c
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 5 deletions.
diff --git a/group_vars/all/lb.yml b/group_vars/all/lb.yml
@@ -26,13 +26,25 @@ haproxy_username: haproxy
 haproxy_base_version: 1.8
 haproxy_min_version: 3
 
+# A list of IPs to whitelist on haproxy
+# The IPs in this list will override command
+# limitations and rate limiting rules.
+haproxy_whitelist_file: /etc/haproxy/whitelist.lst
+
+# If set to `false`, the list of IPs below will be
+# written to the haproxy config and managed in
+# the haroxy config file only. If set to `true`,
+# the above file will be used to whitelist IPs.
+haproxy_use_whitelist_file: false
+
 # A list of IPs to whitelist on haproxy
 # This will allow those IPs to bypass command 
 # regex limitations. The format is a yaml list
 # thus ['value', 'value'] or `- value` on each
 # new line.
 haproxy_whitelist:
   - 127.0.0.1
+#   - 10.20.30.40/22 # -> example IP with cidr notation
 
 # Commands to deny access to
 haproxy_deny_regex: '(get|remove|add)Neighbors|attachToTangle|interruptAttachingToTangle'

diff --git a/roles/loadbalancer/tasks/lb.yml b/roles/loadbalancer/tasks/lb.yml
@@ -89,6 +89,20 @@
   copy:
     src: files/haproxy.logrotate
     dest: /etc/logrotate.d/haproxy
+
+- name: copy whitelist file
+  template:
+    src: templates/whitelist.lst.j2
+    dest: "{{ haproxy_whitelist_file }}"
+    force: "{{ overwrite | default('no') }}"
+  notify:
+    - restart haproxy
+  tags:
+    - haproxy_cfg
+  when:
+    - haproxy_use_whitelist_file is defined
+    - haproxy_use_whitelist_file|bool == True
+    - haproxy_whitelist_file is defined
 
 - name: copy haproxy config
   template:

diff --git a/roles/loadbalancer/templates/haproxy.cfg.j2 b/roles/loadbalancer/templates/haproxy.cfg.j2
@@ -42,8 +42,11 @@ frontend iri_front
     option log-separate-errors
     option http-buffer-request
 
-    # Define source whitelist
+{% if haproxy_use_whitelist_file is defined and haproxy_use_whitelist_file|bool == True and haproxy_whitelist_file is defined  %}
+    acl whitelist src -f {{ haproxy_whitelist_file }}
+{% else %}
     acl whitelist src {{ haproxy_whitelist | join(" ") }}
+{% endif %}
 
     # id=0 to store body for logging
     declare capture request len 40000
@@ -106,6 +109,12 @@ backend iri_back
     timeout server-fin 5m
     filter compression
 
+{% if haproxy_use_whitelist_file is defined and haproxy_use_whitelist_file|bool == True and haproxy_whitelist_file is defined  %}
+    acl whitelist src -f {{ haproxy_whitelist_file }}
+{% else %}
+    acl whitelist src {{ haproxy_whitelist | join(" ") }}
+{% endif %}
+
     stick-table type ip size 200k expire 30s store conn_rate(3s),http_req_rate(10s),conn_cur,sess_rate(3s)
 
     # dynamic stuff for frontend + raise gpc0 counter
@@ -116,11 +125,11 @@ backend iri_back
 
     # abuser marking
     acl mark_as_abuser   sc1_inc_gpc0 gt 0
-    tcp-request content  reject if conn_rate_abuse mark_as_abuser
-    tcp-request content  reject if http_rate_abuse mark_as_abuser
-    tcp-request content  reject if conn_cur_abuse mark_as_abuser
+    tcp-request content  reject if conn_rate_abuse mark_as_abuser !whitelist
+    tcp-request content  reject if http_rate_abuse mark_as_abuser !whitelist
+    tcp-request content  reject if conn_cur_abuse mark_as_abuser !whitelist
 
-    #acl is_bad lua.check_post -m str nichthabenwollen
+    #acl is_bad lua.check_post -m str somebadstring
     #http-request deny if is_bad
 
     balance source

diff --git a/roles/loadbalancer/templates/whitelist.lst.j2 b/roles/loadbalancer/templates/whitelist.lst.j2
@@ -0,0 +1 @@
+{{ haproxy_whitelist | join("\n") }}