- # Loadbalancer filter includes
- :HAPROXY - [0:0]
- -A INPUT -j HAPROXY
- {# The HAPROXY chain is declared above and INPUT jumps to it. Loop over the
- haproxy_frontend entries that define 'default_backend' and emit one ACCEPT
- rule per allowed source address and bind address.
- NOTE(review): only ACCEPT rules are appended to HAPROXY in this fragment;
- packets that match none of them return to INPUT, so the allow list only
- restricts access if a later rule or the INPUT policy (not visible here)
- drops the remaining traffic to these ports - confirm. #}
- {% for frontend in haproxy_frontend |
- selectattr('default_backend', 'defined') %}
- {# Name of the host variable that holds a host's connection source IP; taken
- from the frontend's 'allow_groups_var' attribute, falling back to
- 'loadbalancer_connection_source' when the frontend does not set it #}
- {% set _allowed_host_var = frontend.allow_groups_var |
- default('loadbalancer_connection_source') %}
- {# Build a de-duplicated list of the values of that variable across all hosts
- that are members of one of this frontend's allow_groups; hosts that do not
- define the variable are skipped.
- NOTE(review): 'allow_groups' is read without a default, so a frontend that
- defines default_backend but not allow_groups presumably fails to render
- rather than producing no rules - verify against the inventory. #}
- {% set _allowed = frontend.allow_groups |
- map('extract', groups) |
- sum(start=[]) |
- map('extract', hostvars, _allowed_host_var) |
- select('defined') |
- unique | list %}
- {# Emit the allow rules for this frontend.
- NOTE(review): 'allow' and 'frontend.name' are written into the rule text
- as-is; nothing in this template checks that 'allow' is an IP address or
- CIDR, or that the name is free of double quotes and newlines, either of
- which would change how the rule line is parsed. Validate both where the
- variables are defined. #}
- {% for allow in _allowed %}
- {# One rule per bind address of the frontend #}
- {% for bind in frontend.bind %}
- {% set listen_port = bind.listen.split(':')[-1] %}
- {# The port is the text after the last ':' (set above); the host is
- everything before it, so an IPv6 address containing ':' stays intact.
- NOTE(review): a bind such as '*:443' or ':443' would yield '*' or an empty
- string for -d, and a bracketed IPv6 literal would keep its brackets -
- confirm which forms bind.listen takes. #}
- {% set listen_host = bind.listen.split(':')[:-1] | join(':') %}
- -A HAPROXY -s {{ allow }} -d {{ listen_host }} -p tcp -m tcp --dport {{ listen_port }} -j ACCEPT -m comment --comment "Frontend {{ frontend.name }} allowed"
- {% endfor %}
- {% endfor %}
- {% endfor %}