Allow customisation of stick-tables for each service.

A new variable "haproxy_stick_table" is added which allows a custom
stick-table to be supplied that is used as the default stick-table
for all haproxy back-ends.

In addition, the variable service.haproxy_stick_table can be defined
for each service to allow a unique stick-table to be supplied for
a particular service.

The old default stick-table definition is removed as there was no
use case defined for it in this role before. An example is added
to defaults/main.yml to show how the custom stick-table can be used
to rate-limit requests that generate 4xx responses which commonly
occur during vulnerability scanning or credential stuffing attacks.
There are many other uses for stick-tables; consult the HAProxy
documentation for details.

Change-Id: I50daba08c10f071157d6450ea2fa97df448f99ec
This commit is contained in:
Jonathan Rosser 2022-07-04 18:43:37 +01:00
parent be9a66c280
commit 06e76706c7
3 changed files with 21 additions and 2 deletions
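Reading the example rule in this commit from a defender's side, the practical question is how a threshold of more than 20 4xx responses in 10 seconds behaves against real traffic before it is switched on. The following Python script is an added illustration and is not code from this commit or from the role: it models the `http_err_rate(10s)` counter as an exact trailing window of 4xx responses per source address (HAProxy's own frequency counter is a period-based approximation, so this is an assumption about semantics rather than a reproduction), applies the same `gt 20` threshold and the same three RFC1918 exclusions, and replays constructed sample events so an operator can see which sources the rule would answer with 429. The `ErrRateTracker`, `replay` and `denied_sources` names and the `SAMPLE_EVENTS` data are all invented for the example.

```python
"""Replay model of the 4xx rate-limit rule from the haproxy_stick_table example.

Added illustration; not code from the commit or from the role. It models:
  stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)
  http-request track-sc0 src
  http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } ...
Assumption: the counter is an exact trailing window here; HAProxy's frequency
counter is a period-based approximation, so real counts can differ slightly.
"""
import ipaddress
from collections import defaultdict, deque

PERIOD_SECONDS = 10  # the period in http_err_rate(10s)
THRESHOLD = 20       # "gt 20": deny once more than 20 errors are counted
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(src):
    """True if src falls in one of the excluded private ranges (the !{ src ... } ACLs)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


class ErrRateTracker:
    """Per-source count of 4xx responses seen in the trailing window."""

    def __init__(self, period=PERIOD_SECONDS, threshold=THRESHOLD):
        self.period = period
        self.threshold = threshold
        self.errors = defaultdict(deque)  # src -> timestamps of 4xx responses

    def err_rate(self, src, now):
        window = self.errors[src]
        while window and now - window[0] >= self.period:
            window.popleft()  # drop errors that fell out of the period
        return len(window)

    def should_deny(self, src, now):
        # sc_http_err_rate(0) gt 20  AND  src not in any trusted net
        return self.err_rate(src, now) > self.threshold and not is_trusted(src)

    def record(self, src, now, status):
        if 400 <= status <= 499:
            self.errors[src].append(now)


def replay(events, period=PERIOD_SECONDS, threshold=THRESHOLD):
    """Feed (time_seconds, src, backend_status) events through the rule.

    Returns a list of (time, src, denied) decisions. A denied request is
    answered with 429 and counted as a 4xx itself (modelling assumption),
    so a source that keeps hammering stays denied until it backs off.
    """
    tracker = ErrRateTracker(period, threshold)
    decisions = []
    for now, src, status in sorted(events, key=lambda e: e[0]):
        denied = tracker.should_deny(src, now)
        tracker.record(src, now, 429 if denied else status)
        decisions.append((now, src, denied))
    return decisions


def denied_sources(events):
    """Map each source denied at least once to the number of requests it had denied."""
    counts = defaultdict(int)
    for _, src, denied in replay(events):
        if denied:
            counts[src] += 1
    return dict(counts)


# Constructed sample traffic (not real logs): a burst of 25 failed logins from a
# public address, the same burst from a trusted private address, an ordinary
# client with 200s, and the public address returning after the window passed.
SAMPLE_EVENTS = (
    [(i * 0.1, "203.0.113.5", 401) for i in range(25)]
    + [(i * 0.1, "10.1.2.3", 401) for i in range(25)]
    + [(i * 0.5, "198.51.100.7", 200) for i in range(25)]
    + [(15.0, "203.0.113.5", 401)]
)

if __name__ == "__main__":
    for src, n in denied_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {n} request(s) would receive 429")
```

On the sample data the public address is allowed its first 21 requests (the count must exceed 20 before the deny fires), has the next four refused, and is allowed again at 15 s once every counted error has aged out of the 10 s window; the private address is never denied despite identical behaviour. To estimate the effect on a real deployment, replace `SAMPLE_EVENTS` with (timestamp, client address, status) tuples parsed from an access log and look at which sources appear in `denied_sources`.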

@ -67,6 +67,10 @@ haproxy_service_configs: []
# letsencrypt-acl:
# rule: "path_beg /.well-known/acme-challenge/"
# backend_name: letsencrypt
# haproxy_stick_table:
# - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
# - "http-request track-sc0 src"
# - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } !{ src 172.16.0.0/12 } !{ src 192.168.0.0/16 }"
# - service:
# # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
# haproxy_service_name: prometheus-metrics
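Review bot: the deny rule in the example keys on `src`, so it only behaves as described when this HAProxy terminates client connections directly; behind another proxy or load balancer `src` is that upstream's address, every client then shares one counter, and if that upstream lives in one of the three excluded private ranges the deny can never fire. A comment to that effect next to the `http-request deny` line would save an operator from shipping a rule that silently does nothing, and since the template falls back to a global `haproxy_stick_table`, it is worth also listing `haproxy_stick_table: []` at the top level of defaults/main.yml so the global variable is discoverable and not only the per-service form shown here.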

@ -0,0 +1,13 @@
---
features:
- |
A new variable ``haproxy_stick_table`` can be defined to apply a
customised stick-table to all backends on the loadbalancer. In addition,
``haproxy_stick_table`` can be set in each service definition to have a
customised stick-table for a particular backend.
upgrade:
- |
A default stick-table was previously applied to all backends by default
but did not have any specific purpose. This is now removed, and the variable
``haproxy_stick_table`` should be used to supply a list of config lines
to be applied to each backend to control stick-table functionality.
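Review bot: the upgrade note should quote the two lines that are being removed from the backend template (`stick store-request src` and `stick-table type ip size 256k expire 30m`) so that anyone who does depend on them knows exactly what to put into `haproxy_stick_table` to keep the previous configuration. It should also mention that `haproxy_stick_table_enabled` is still honoured and that a service with it set to false gets neither the per-service nor the global list. Minor wording: "was previously applied to all backends by default" repeats "default"; "was previously applied to all backends" reads cleaner.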

@ -94,8 +94,10 @@ backend {{ item.service.haproxy_service_name }}-back
timeout server {{ item.service.haproxy_timeout_server }}
{% endif %}
{% if (item.service.haproxy_stick_table_enabled | default(true) | bool) %}
stick store-request src
stick-table type ip size 256k expire 30m
{% set stick_table = item.service.haproxy_stick_table|default( haproxy_stick_table | default([])) %}
{% for entry in stick_table %}
{{ entry }}
{% endfor %}
{% endif %}
{% if request_option == "http" %}
option forwardfor
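Review bot: the precedence in `item.service.haproxy_stick_table|default( haproxy_stick_table | default([]))` means a service that sets `haproxy_stick_table: []` opts out of the global list entirely, because Jinja's `default()` only applies to undefined values, not to an empty list; that is a useful behaviour but it is not stated anywhere in the commit, so it belongs in the defaults comment or the release note. Style: the spacing around `|` and inside the parentheses is inconsistent; `item.service.haproxy_stick_table | default(haproxy_stick_table | default([]))` matches the rest of the template. Now that the block emits nothing when both lists are empty, `haproxy_stick_table_enabled` survives only as a kill switch for the lists; either document it as such or consider dropping the check so there is a single way to control this.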