diff --git a/CHANGELOG.md b/CHANGELOG.md
index 386e9de..475760f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
 ### Added
+- add userlist
 - can specify the haproxy repository
 - add resolvers configuration
 - add debian11 support
diff --git a/README.md b/README.md
index 85d2eaa..081e0cf 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,16 @@ Install and configure haproxy
 - 8.8.8.8
 ```
+- `haproxy_userlists` - hash with the userlist for basic auth
+
+ ```
+ restricted:
+ group:
+ - admin
+ user:
+ - admin password 84375611a53741f7e94b09eb49127f41 groups admin
+ ```
+
 - `haproxy_ssl_certificates` - hash with ssl certificates to copy
 ```
diff --git a/defaults/main.yml b/defaults/main.yml
index affab71..f8747f8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -61,3 +61,4 @@ haproxy_backends: {}
 haproxy_ssl_certificates: {}
 haproxy_ips_lists: {}
 haproxy_resolvers: {}
+haproxy_userlists: {}
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 931248f..c470455 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -15,6 +15,12 @@
 haproxy_resolvers:
 dns:
 nameserver: dns1 127.0.0.1:53
+ haproxy_userlists:
+ restricted:
+ group:
+ - admin
+ user:
+ - admin insecure-password password groups admin
 haproxy_frontends:
 main:
 bind:
@@ -37,6 +43,11 @@
 - acl_test1-https hdr(host) test1.example.net
 - acl_test2-https hdr(host) test2.example.net
 - acl_blacklist src -f /etc/haproxy/blacklist.list
+ - acl_auth_path path -i /auth/
+ - acl_auth http_auth(restricted)
+ http-request:
+ - auth realm restricted if acl_auth_path !acl_auth
+ - return status 200 content-type "text/plain" string "Good" if acl_auth_path
 use_backend:
 - backend-test-https if acl_test1-https
 - backend-test-resolver if acl_test2-https
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 9d2f34b..31d2eea 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -41,3 +41,11 @@ def test_sockets(host):
 for port in [80, 5000]:
 socket = host.socket('tcp://0.0.0.0:%d' % (port))
 assert socket.is_listening
+
+def test_auth(host):
+ cmd = host.run('curl -v -u admin:password http://127.0.0.1/auth/')
+ assert cmd.succeeded
+ assert cmd.stdout == 'Good'
+ cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
+ assert cmd.succeeded
+ assert '401 Unauthorized' in cmd.stdout
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 7058dcc..7b2afcf 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -52,11 +52,24 @@ resolvers {{ resolver }}
 {{ key }} {{ value }}
 {% endif %}
 {% endfor %}
+
+{% endfor %}
+{% for userlist, config in haproxy_userlists.items() %}
+userlist {{ userlist }}
+{% for key, value in config.items() %}
+{% if value is iterable and value is not string %}
+{% for option in value %}
+ {{ key }} {{ option }}
+{% endfor %}
+{% else %}
+ {{ key }} {{ value }}
+{% endif %}
 {% endfor %}
+{% endfor %}
 {% for frontend, config in haproxy_frontends.items() %}
 frontend {{ frontend }}
-{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}
+{% for key, value in config.items() %}
 {% if key == "bind" %}
 bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
 {% endif %}
@@ -69,16 +82,6 @@ frontend {{ frontend }}
 {{ key }} {{ value }}
 {% endif %}
 {% endfor %}
-{% if 'acl' in config %}
-{% for option in config['acl'] %}
- acl {{ option }}
-{% endfor %}
-{% endif %}
-{% if 'use_backend' in config %}
-{% for option in config['use_backend'] %}
- use_backend {{ option }}
-{% endfor %}
-{% endif %}
 {% endfor %}
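Review bot: The rejected-credentials check in test_auth, `assert '401 Unauthorized' in cmd.stdout`, matches what is presumably HAProxy's default 401 error page body rather than the response status, so a role user who configures a custom `errorfile 401` would see this test fail while the auth behaviour is still correct; the `-v` diagnostics that do carry the status line go to stderr, not stdout. Asking curl for the status code is more precise and independent of the body: `cmd = host.run("curl -s -o /dev/null -w '%{http_code}' -u admin:badpassword http://127.0.0.1/auth/")` followed by `assert cmd.stdout == '401'`. A third request with no credentials at all would also cover the unauthenticated path, which is the case the `auth realm` rule in the fixture primarily guards.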
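Review bot: Replacing `{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}` with `{% for key, value in config.items() %}` makes the rendered directive order follow the key order of each frontend's vars, whereas before `acl` was always emitted after the other keys and ahead of `use_backend`. As far as I know HAProxy resolves named ACLs while parsing the section, so a frontend whose vars list `use_backend` or `http-request` above `acl` now renders rules referencing ACLs that are not yet declared and the config check fails; the molecule fixture happens to put `acl` first, so the new test does not exercise this. Either state in the README that key order is now significant, or keep emitting `acl` first and exclude it from the generic loop as sketched below. The branch that renders list values such as `http-request` sits outside this hunk, so I assume it also handles `use_backend`.
```jinja
frontend {{ frontend }}
{# named ACLs go first: http-request and use_backend rules reference them by name #}
{% for option in config.get('acl', []) %}
    acl {{ option }}
{% endfor %}
{% for key, value in config.items() if key != 'acl' %}
{# … unchanged: bind and generic key/value rendering … #}
```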