From a4c37f7030c1bddbc7e990d79eb1db89b2c60e78 Mon Sep 17 00:00:00 2001
From: Wyatt Rees
Date: Thu, 1 Aug 2024 14:19:40 -0600
Subject: [PATCH] Add https redirect, bind agent service to IP address in local network, add acl for access to port 80
---
anvil-python/anvil/commands/haproxy.py | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/anvil-python/anvil/commands/haproxy.py b/anvil-python/anvil/commands/haproxy.py
index 92aa576..8a083b3 100644
--- a/anvil-python/anvil/commands/haproxy.py
+++ b/anvil-python/anvil/commands/haproxy.py
@@ -28,6 +28,7 @@
AddMachineUnitsStep,
DeployMachineApplicationStep,
)
+from sunbeam.utils import get_local_ip_by_default_route
from anvil.jobs.manifest import Manifest
from anvil.jobs.steps import RemoveMachineUnitStep
@@ -142,7 +143,6 @@ def has_prompts(self) -> bool:
else:
return True
-
def prompt(self, console: Console | None = None) -> None:
variables = questions.load_answers(self.client, self._HAPROXY_CONFIG)
variables.setdefault("virtual_ip", "")
@@ -207,25 +207,29 @@ def extra_tfvars(self) -> dict[str, Any]:
def get_tls_services_yaml(self, vip: str) -> str:
"""Get the HAProxy services.yaml for TLS, inserting the VIP for the frontend bind"""
- services = (
- """- service_name: incoming
+ services: str = (
+ """- service_name: haproxy_service
service_host: """
"" + vip
- + """""
+ + """
service_port: 443
service_options:
- balance leastconn
- cookie SRVNAME insert
- - use_backend haproxy_service
+ - http-request redirect scheme https unless { ssl_fc }
server_options: maxconn 100 cookie S{i} check
crts: [DEFAULT]
-- service_name: haproxy_service
- service_host: "0.0.0.0"
+- service_name: agent-service
+ service_host: """
+ get_local_ip_by_default_route()
+ """
service_port: 80
service_options:
- balance leastconn
- cookie SRVNAME insert
+ - acl is-internal src 10.30.0.0/24
+ - use_backend haproxy_service if is-internal
server_options: maxconn 100 cookie S{i} check
"""
)
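Review bot: The new `http-request redirect scheme https unless { ssl_fc }` rule is attached to the port-443 service, where `crts: [DEFAULT]` presumably makes the frontend terminate TLS so `ssl_fc` is always true and the redirect can never fire; the cleartext frontend on port 80 is the one that needs it. As the port-80 service is written, a client outside `10.30.0.0/24` is neither redirected nor denied — it just fails `is-internal` and falls through to agent-service's own default backend over plain HTTP, which appears to be the opposite of what the subject line intends. I would move the rule into the port-80 `service_options`, after the `acl` line, as `- http-request redirect scheme https code 301 unless is-internal` (or `- http-request deny unless is-internal` if external port-80 traffic should get nothing at all), and drop it from the 443 service. Two smaller points: the `10.30.0.0/24` subnet is hard-coded even though the VIP is already prompted for, so it likely belongs in the same config; and `get_local_ip_by_default_route()` is evaluated on the host running the `anvil` command, so the address baked into `service_host` is only right if that host is the HAProxy unit and there is a single unit — worth confirming. `get_tls_services_yaml` continues past the hunk (its `return` is outside it).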