From 3cb3e482ba4e99fcbb66bd72e4f97bea70747503 Mon Sep 17 00:00:00 2001
From: Alexander Nicke
Date: Wed, 25 Sep 2024 16:47:19 +0200
Subject: [PATCH] fix: expect proxy protocol also for health check
---
 acceptance-tests/proxy_protocol_test.go | 4 ++--
 jobs/haproxy/templates/haproxy.config.erb | 5 ++++-
 spec/haproxy/templates/expect_proxy_cidrs.txt_spec.rb | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/acceptance-tests/proxy_protocol_test.go b/acceptance-tests/proxy_protocol_test.go
index 1057b0ce..a30f790c 100644
--- a/acceptance-tests/proxy_protocol_test.go
+++ b/acceptance-tests/proxy_protocol_test.go
@@ -66,14 +66,14 @@ var _ = Describe("Proxy Protocol", func() {
 })
 })
- Context("expect_proxy", func() {
+ Context("expect_proxy_cidrs", func() {
 opsfileExpectProxyProtocol := `---
 # Enable Proxy Protocol
 - type: replace
 path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/accept_proxy?
 value: false
 - type: replace
- path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/expect_proxy?
+ path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/expect_proxy_cidrs?
 value:
 - 10.0.0.0/8 # Bosh Network CIDR
 `
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
index e2a1ada9..c7ae7d36 100644
--- a/jobs/haproxy/templates/haproxy.config.erb
+++ b/jobs/haproxy/templates/haproxy.config.erb
@@ -365,6 +365,9 @@ listen health_check_http_url
 <% if p("ha_proxy.accept_proxy") && !p("ha_proxy.disable_health_check_proxy") -%>
 tcp-request connection expect-proxy layer4 unless LOCALHOST
 <%- end -%>
+ <% if_p("ha_proxy.expect_proxy_cidrs") && !p("ha_proxy.disable_health_check_proxy") do -%>
+ tcp-request connection expect-proxy layer4 if { src -f /var/vcap/jobs/haproxy/config/expect_proxy_cidrs.txt }
+ <%- end -%>
 acl http-routers_down nbsrv(<%= backends.first[:name] %>) eq 0
 monitor fail if http-routers_down
 <% end -%>
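Review bot: In the added health-check condition `<% if_p("ha_proxy.expect_proxy_cidrs") && !p("ha_proxy.disable_health_check_proxy") do -%>`, the `do … end` block most likely attaches to the nearest call, `p(...)`, rather than to `if_p`, so `if_p` would be invoked without the block it is meant to yield to and the `expect-proxy` rule may not render as intended, or rendering may fail once the property is set. Nesting the two checks avoids relying on block binding: keep `<% if_p("ha_proxy.expect_proxy_cidrs") do -%>` as the outer line and wrap the `tcp-request` rule in `<% unless p("ha_proxy.disable_health_check_proxy") -%>` … `<%- end -%>`. The patch carries no template spec for this listener, so a render test with `expect_proxy_cidrs` set and `disable_health_check_proxy` both true and false would pin the behaviour; that matters because this rule decides which source addresses are expected to send a PROXY header on the health-check port. The `listen health_check_http_url` section starts and ends outside the hunk.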
@@ -535,7 +538,7 @@ frontend https-in
 <%- end -%>
 <%- end -%>
 <% if_p("ha_proxy.expect_proxy_cidrs") do -%>
- tcp-request connection expect-proxy layer4 if { src -f /var/vcap/jobs/haproxy/config/expect_proxy_cidrs.txt }
+ tcp-request connection expect-proxy layer4 if { src -f /var/vcap/jobs/haproxy/config/expect_proxy_cidrs.txt }
 <%- end -%>
 <%- if_p("ha_proxy.cidr_whitelist") do -%>
 acl whitelist src -f /var/vcap/jobs/haproxy/config/whitelist_cidrs.txt
diff --git a/spec/haproxy/templates/expect_proxy_cidrs.txt_spec.rb b/spec/haproxy/templates/expect_proxy_cidrs.txt_spec.rb
index 82eafac3..d321259a 100644
--- a/spec/haproxy/templates/expect_proxy_cidrs.txt_spec.rb
+++ b/spec/haproxy/templates/expect_proxy_cidrs.txt_spec.rb
@@ -11,7 +11,7 @@ expect(template.render({
 'ha_proxy' => {
 'expect_proxy_cidrs' => ['10.5.6.7/27',
- '2001:db8::/32']
+ '2001:db8::/32']
 }
 })).to eq(<<~EXPECTED)
 # generated from expect_proxy_cidrs.txt.erb