Add secure cookies for SSL frontends.

ComputeStacks · Sep 27, 2023 · a4238a6 · a4238a6
1 parent f063bc3
commit a4238a6
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/app/views/api/stacks/load_balancers/haproxy/_backend-http.erb b/app/views/api/stacks/load_balancers/haproxy/_backend-http.erb
@@ -1,5 +1,5 @@
 <% load_balancer.container_services.each do |service| %>
-	<% next if service.containers.empty? %>
+  <% next if service.containers.empty? %>
   <% service.ingress_rules.where(external_access: true, proto: 'http').each do |ingress| %>
 backend <%= Digest::MD5.hexdigest("#{service.name}#{ingress.id}") %>
   mode http
@@ -16,3 +16,22 @@ backend <%= Digest::MD5.hexdigest("#{service.name}#{ingress.id}") %>
     <% end %>
   <% end %>
 <% end %>
+
+<% load_balancer.container_services.each do |service| %>
+	<% next if service.containers.empty? %>
+  <% service.ingress_rules.where(external_access: true, proto: 'http').each do |ingress| %>
+backend S_<%= Digest::MD5.hexdigest("#{service.name}#{ingress.id}") %>
+  mode http
+  option redispatch
+  option httpchk HEAD /
+  cookie SERVERID insert indirect nocache httponly secure
+    <% service.containers.each do |container| %>
+      <% next if container.ip_address.nil? %>
+      <% if !load_balancer.direct_connect && (node != container.node) %>
+  server <%= container.name %> <%= container.node.primary_ip %>:443 ssl verify none maxconn <%= load_balancer.maxconn_c %> maxqueue <%= load_balancer.max_queue %> cookie s<%= container.name.split('-').last %>
+      <% else %>
+  server <%= container.name %> <%= container.ip_address.ipaddr %>:<%= ingress.port %> maxconn <%= load_balancer.maxconn_c %> maxqueue <%= load_balancer.max_queue %> cookie s<%= container.name.split('-').last %><% if ingress.backend_ssl %> ssl verify none<% end %>
+      <% end %>
+    <% end %>
+  <% end %>
+<% end %>
diff --git a/app/views/api/stacks/load_balancers/haproxy/_frontend-http.erb b/app/views/api/stacks/load_balancers/haproxy/_frontend-http.erb
@@ -35,7 +35,7 @@ frontend https
   <% if domain.enable_hsts_header? %>
   http-response set-header Strict-Transport-Security "max-age=16000000; preload;" if host_rule_<%= index %>
   <% end %>
-  use_backend <%= Digest::MD5.hexdigest("#{service.name}#{ingress.id}") %> if host_rule_<%= index %>
+  use_backend S_<%= Digest::MD5.hexdigest("#{service.name}#{ingress.id}") %> if host_rule_<%= index %>
         <% index += 1 %>
       <% end %>
     <% end %>