Add https redirect, bind agent service to IP address in local network…

…, add acl for access to port 80
canonical · Aug 1, 2024 · a4c37f7 · a4c37f7
1 parent 3583fbb
commit a4c37f7
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/anvil-python/anvil/commands/haproxy.py b/anvil-python/anvil/commands/haproxy.py
@@ -28,6 +28,7 @@
     AddMachineUnitsStep,
     DeployMachineApplicationStep,
 )
+from sunbeam.utils import get_local_ip_by_default_route
 
 from anvil.jobs.manifest import Manifest
 from anvil.jobs.steps import RemoveMachineUnitStep
@@ -142,7 +143,6 @@ def has_prompts(self) -> bool:
         else:
             return True
 
-
     def prompt(self, console: Console | None = None) -> None:
         variables = questions.load_answers(self.client, self._HAPROXY_CONFIG)
         variables.setdefault("virtual_ip", "")
@@ -207,25 +207,29 @@ def extra_tfvars(self) -> dict[str, Any]:
 
     def get_tls_services_yaml(self, vip: str) -> str:
         """Get the HAProxy services.yaml for TLS, inserting the VIP for the frontend bind"""
-        services = (
-            """- service_name: incoming
+        services: str = (
+            """- service_name: haproxy_service
   service_host: """
             ""
             + vip
-            + """""
+            + """
   service_port: 443
   service_options:
     - balance leastconn
     - cookie SRVNAME insert
-    - use_backend haproxy_service
+    - http-request redirect scheme https unless { ssl_fc }
   server_options: maxconn 100 cookie S{i} check
   crts: [DEFAULT]
-- service_name: haproxy_service
-  service_host: "0.0.0.0"
+- service_name: agent-service
+  service_host: """
+            + get_local_ip_by_default_route()
+            + """
   service_port: 80
   service_options:
     - balance leastconn
     - cookie SRVNAME insert
+    - acl is-internal src 10.30.0.0/24
+    - use_backend haproxy_service if is-internal
   server_options: maxconn 100 cookie S{i} check
 """
         )