Deny access to public /server-status in http Openstack services

This change block access to the public /server-status url on all
http services exposed by HAProxy, also fixes an issue with Horizon
where 'Require all granted' open access to the /server-status in
the HAProxy-less configurations. Without this change the issue
affects only Ubuntu/Debian installations where mod_status in Apache2
enabled by default.

Closes-Bug: #1996913
Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2

@@ -16,6 +16,9 @@ frontend {{ service_name }}_front
     mode {{ service_mode }}
     {% endif %}
     {% if service_mode == 'http' %}
+    {% if external|bool %}
+    http-request deny if { path -i -m beg /server-status }
+    {% endif %}
     {# Delete any pre-populated XFP header #}
     http-request del-header X-Forwarded-Proto
         {% for http_option in frontend_http_extra %}

ansible/roles/horizon/templates/horizon.conf.j2

@@ -30,6 +30,10 @@ TraceEnable off
         Require all granted
     </Location>
 
+    <Location "/server-status">
+        Require local
+    </Location>
+
     Alias /static {{ python_path }}/static
     <Location "/static">
         SetHandler None

releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Restrict the access to the http Openstack services exposed /server-status
+    by default through the HAProxy on the public endpoint. Fixes issue for
+    Ubuntu/Debian installations. RockyLinux/CentOS not affected.
+    `LP#1996913 <https://bugs.launchpad.net/kolla-ansible/+bug/1996913>`__