Injection entête X-Forwarded-Prefix

Injection variable TRUSTED_PROXIES
Suppression variable haproxy_forwarded_port
2022-08-16 15:30:26 +02:00 · 2022-08-16 15:30:08 +02:00 · 2022-08-16 15:29:16 +02:00 · 2022-08-16 15:28:29 +02:00
12 changed files with 21 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -34,7 +34,6 @@ haproxy_oidc_test_base_path: /auth/test

 haproxy_forwarded_proto: https
 haproxy_forwarded_host: "%[req.hdr(Host)]"
-haproxy_forwarded_port: "%[dst_port]"

 # Hydra OIDC configuration

--- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    --name 'cadoles-pod-hydra-dispatcher-v1' \
    --replace \
@ -17,4 +18,5 @@ PODMAN_ARGS="\
    -e 'DEFAULT_LOCALE={{ hydra_dispatcher_default_locale }}' \
    -e 'APP_LOCALES={{ hydra_dispatcher_available_locales | join(',') }}' \
    -e 'HYDRA_ADMIN_AUTHORIZED_HOSTS={{ hydra_dispatcher_admin_authorized_hosts | join(',') }}' \
+    -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
 "
--- a/templates/cadoles-pod-hydra-oidc-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-oidc-v1.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    --name 'cadoles-pod-hydra-oidc-v1' \
    --replace \
@ -17,4 +18,5 @@ PODMAN_ARGS="\
    -e 'OIDC_SCOPE={{ hydra_oidc_scope }}' \
    -e 'CLIENT_ID_FC={{ hydra_oidc_client_id }}' \
    -e 'CLIENT_SECRET_FC={{ hydra_oidc_client_secret }}' \
+    -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
 "
--- a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    -p 127.0.0.1:3001:3000 \
    --network=slirp4netns:allow_host_loopback=true \
--- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    -p 127.0.0.1:3003:80 \
    --network=slirp4netns:allow_host_loopback=true \
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    --name 'cadoles-pod-hydra-v1' \
    --replace \
--- a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 PODMAN_ARGS="\
    -p 127.0.0.1:3002:80 \
    --network=slirp4netns:allow_host_loopback=true \
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 global
    log /dev/log	local0
    log /dev/log	local1 notice
@ -72,7 +73,6 @@ option forwardfor

 http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }}
 http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }}
-http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}

 # Backend Hydra
 backend hydra
@ -85,6 +85,8 @@ backend hydra_dispatcher
    balance roundrobin
    # Suppression du préfixe /auth/dispatcher dans l'URL
    http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_dispatcher_base_path }}
+
    server hydra-login-dispatcher 127.0.0.1:3000 check

 {% if enable_hydra_passwordless %}
@ -93,6 +95,8 @@ backend hydra_passwordless
    balance roundrobin
    # Suppression du préfixe /auth/passwordless dans l'URL
    http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_passwordless_base_path }}
+
    server hydra-login-passwordless 127.0.0.1:3001 check
 {%- endif %}

@ -102,6 +106,8 @@ backend hydra_oidc
    balance roundrobin
    # Suppression du préfixe /auth/oidc dans l'URL
    http-request set-path %[path,regsub(^{{ haproxy_hydra_oidc_base_path }},)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_hydra_oidc_base_path }}
+
    server hydra-login-oidc 127.0.0.1:3004 check
 {%- endif %}

@ -117,5 +123,7 @@ backend oidc_test
    balance roundrobin
    # Suppression du préfixe /auth/test dans l'URL
    http-request set-path %[path,regsub(^{{ haproxy_oidc_test_base_path }},/)]
+    http-request set-header X-Forwarded-Prefix {{ haproxy_oidc_test_base_path }}
+
    server oidc-test 127.0.0.1:8080 check
 {% endif %}
--- a/templates/hydra-dispatcher-apps.yml.j2
+++ b/templates/hydra-dispatcher-apps.yml.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 hydra:
  apps:
 {% if enable_hydra_passwordless %}
--- a/templates/hydra-remote-user.yml.j2
+++ b/templates/hydra-remote-user.yml.j2
@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 remote_user:
  subject_header: "{{ hydra_saml_subject_header }}"
  headers_attributes_mapping: {{ hydra_saml_headers_attributes_mapping | to_json }}
--- a/templates/shibboleth-attribute-map.inc.xml.j2
+++ b/templates/shibboleth-attribute-map.inc.xml.j2
@ -1,3 +1,4 @@
+<!-- {{ ansible_managed }} -->
 {% for item in saml_attributes %}
 <Attribute {% for key,value in item.items() %}{% if value is not mapping %}{{ key }}="{{ value }}" {% endif %}{% endfor %}>
    {% if item.attributeDecoder is defined %}
--- a/templates/shibboleth-attribute-policy.inc.xml.j2
+++ b/templates/shibboleth-attribute-policy.inc.xml.j2
@ -1,3 +1,4 @@
+<!-- {{ ansible_managed }} -->
 {%- macro xmlnode(node) -%}
 <{{node.tag}}{% if node.attributes is defined %}{% for key,value in node.attributes.items() %} {{ key }}="{{ value }}"{% endfor %}{% endif %}{% if node.children is not defined %}/{% endif %}>
 {% if node.children is defined %}
Author	SHA1	Message	Date
wpetit	636a3a10d7	Injection entête X-Forwarded-Prefix	2022-08-16 15:30:26 +02:00
wpetit	93d8997f6f	Injection variable TRUSTED_PROXIES	2022-08-16 15:30:08 +02:00
wpetit	398040ab78	Suppression variable haproxy_forwarded_port	2022-08-16 15:29:16 +02:00
wpetit	91419d7424	feat: injection de la variable ansible_managed dans les templates	2022-08-16 15:28:29 +02:00