Added ACL module in service.conf.j2

Added an option to configure acl in haproxy_server role by modifying service.conf.j2 file. It makes developer easy to specify multiple acl rules to front end that maps to a single backend server. Change-Id: I528d9f276b4e1f680dd35d77999836f5a87c7c87
2016-11-03 15:21:01 +00:00 · 2016-11-03 15:21:01 +00:00 · 31ff67dc86
commit 31ff67dc86
parent c9a4cba266
3 changed files with 34 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -50,7 +50,10 @@ haproxy_backup_nodes: []
 #         - "forwardfor"
 #         - "httpchk"
 #         - "httplog"
-
+#       haproxy_acls:
+#         white_list:
+#           rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
+#           backend_name: "mybackend"
 galera_monitoring_user: monitoring
 haproxy_bind_on_non_local: False

--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@ -187,3 +187,27 @@ The following example shows extra VIP addresses defined in the
   extra_lb_vip_addresses:
     - 10.0.0.10
     - 192.168.0.10
+
+Adding Access Control Lists to HAProxy front end
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Adding ACL rules in HAProxy is easy. You just need to define haproxy_acls and
+add the rules in the variable
+
+Here is an example that shows how to achieve the goal
+
+.. code-block:: yaml
+
+
+   - service:
+          haproxy_service_name: influxdb-relay
+          haproxy_acls:
+              write_queries:
+                 rule: "path_sub -i write"
+              read_queries:
+                 rule: "path_sub -i query"
+                 backend_name: "influxdb"
+
+This will add two acl rules ``path_sub -i write`` and ``path_sub -i query``  to
+the front end and use the backend specified in the rule. If no backend is specified
+it will use a default ``haproxy_service_name`` backend.
--- a/templates/service.j2
+++ b/templates/service.j2
@ -53,6 +53,12 @@ frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
    tcp-request content accept if white_list
    tcp-request content reject
 {% endif %}
+{% if item.service.haproxy_acls is defined %}
+{%   for key, value in item.service.haproxy_acls.items() %}
+    acl {{ key }} {{ value.rule }}
+    use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
+{%   endfor %}
+{% endif %}
 {% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
    reqadd X-Forwarded-Proto:\ https
 {% endif %}