
Commit 2f42e0d

Combine backend map files to fix bath based routing
Combined the two maps for insecure routes (os_edge_http_be.map and os_route_http_expose.map) and the two maps for secure routes (os_reencrypt.map and os_edge_http_be.map), reducing the number of map files and fixing path-based routing. Bug 1534816
1 parent f48a8cf commit 2f42e0d


2 files changed

+28
-61
lines changed


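--- a/images/router/haproxy/Dockerfile
+++ b/images/router/haproxy/Dockerfile
@@ -11,7 +11,7 @@ RUN INSTALL_PKGS="haproxy18" && \
 yum clean all && \
 mkdir -p /var/lib/haproxy/router/{certs,cacerts} && \
 mkdir -p /var/lib/haproxy/{conf,run,bin,log} && \
-touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_route_http_expose,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
+touch /var/lib/haproxy/conf/{{os_http_be,os_edge_reencrypt_be,os_tcp_be,os_sni_passthrough,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
 setcap 'cap_net_bind_service=ep' /usr/sbin/haproxy && \
 chown -R :0 /var/lib/haproxy && \
 chmod -R g+w /var/lib/haproxy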
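Review bot: The new touch list pre-creates `os_edge_reencrypt_be.map` and drops `os_edge_http_be.map`, but the template in this same commit still defines and references `/var/lib/haproxy/conf/os_edge_http_be.map` (the `define` block and the use_backend lines in fe_sni and fe_no_sni), so the file created here is never written and the one actually used is no longer pre-created. The same mismatch appears in the template's new map comment, which is headed `os_edge_reencrypt_be.map :` directly above a define for `os_edge_http_be.map`. Either keep the old name here, `touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_route_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \`, or rename the define, its comment and both use_backend references to the new name. If the router process writes every map before haproxy starts the missing touch may be harmless at runtime, but that is not visible from this commit, and the names should agree regardless.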

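--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -164,15 +164,7 @@ frontend public
 acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
 redirect scheme https if secure_redirect
 
-# Check if it is an edge or reencrypt route exposed insecurely.
-acl route_http_expose base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map) -m found
-use_backend %[base,map_reg(/var/lib/haproxy/conf/os_route_http_expose.map)] if route_http_expose
-
-# map to http backend
-# Search from most specific to general path (host case).
-# Note: If no match, haproxy uses the default_backend, no other
-# use_backend directives below this will be processed.
-use_backend be_http:%[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
+use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
 
 default_backend openshift_default
 
@@ -233,17 +225,11 @@ frontend fe_sni
 # before matching, or any requests containing uppercase characters will never match.
 http-request set-header Host %[req.hdr(Host),lower]
 
-# check re-encrypt backends first - from most specific to general path.
-acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
-
-# Search from most specific to general path (host case).
-use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
-
-# map to http backend
+# map to backend
 # Search from most specific to general path (host case).
 # Note: If no match, haproxy uses the default_backend, no other
 # use_backend directives below this will be processed.
-use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
+use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
 
 default_backend openshift_default
 
@@ -274,17 +260,12 @@ frontend fe_no_sni
 # before matching, or any requests containing uppercase characters will never match.
 http-request set-header Host %[req.hdr(Host),lower]
 
-# check re-encrypt backends first - path or host based.
-acl reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
-
-# Search from most specific to general path (host case).
-use_backend be_secure:%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
 
-# map to http backend
+# map to backend
 # Search from most specific to general path (host case).
 # Note: If no match, haproxy uses the default_backend, no other
 # use_backend directives below this will be processed.
-use_backend be_edge_http:%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
+use_backend %[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)]
 
 default_backend openshift_default
 
@@ -494,46 +475,45 @@ backend be_tcp:{{$cfgIdx}}
 {{ end -}}{{/* end if router allows wildcard routes */}}
 {{ end -}}{{/* end wildcard domain map template */}}
 
+
+
 {{/*
-os_http_be.map: contains a mapping of www.example.com -> <service name>. This map is used to discover the correct backend
-by attaching a prefix (be_http:) by use_backend statements if acls are matched.
+os_http_be.map : contains a mapping of www.example.com -> <service name>. This map is used to discover the correct backend
+by attaching a prefix: be_http for http routes
+be_edge_http for edge routes with InsecureEdgeTerminationPolicy Allow
+be_secure for reencrypt routes with InsecureEdgeTerminationPolicy Allow
 */}}
 {{ define "/var/lib/haproxy/conf/os_http_be.map" -}}
 {{ range $idx, $cfg := .State -}}
 {{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "") -}}
-{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
+{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_http:{{$idx}}
+{{ end -}}
+{{ if and (ne $cfg.Host "") (and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow")) -}}
+{{ if (eq $cfg.TLSTermination "edge") -}}
+{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http:{{$idx}}
+{{ else -}}
+{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure:{{$idx}}
+{{ end -}}
 {{ end -}}
 {{ end -}}
-{{ end -}}{{/* end http host map template */}}
+{{ end -}}
 
 {{/*
-os_edge_http_be.map: same as os_http_be.map but allows us to separate tls from non-tls routes to ensure we don't expose
-a tls only route on the unsecure port
+os_edge_reencrypt_be.map : contains a mapping of www.example.com -> <service name>. This map is similar to os_http_be.map but for tls routes.
+by attaching prefix: be_edge_http for edge terminated routes
+be_secure for reencrypt routes
 */}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_be.map" -}}
 {{ range $idx, $cfg := .State -}}
 {{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge") -}}
-{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
-{{ end -}}
-{{ end -}}
-{{ end -}}{{/* end edge http host map template */}}
-
-{{/*
-os_route_http_expose.map: contains a mapping of www.example.com -> <service name>.
-Map is used to also expose edge terminated and reencrypt routes via an insecure scheme
-(http) if acls match for routes with insecure option set to expose.
-*/}}
-{{ define "/var/lib/haproxy/conf/os_route_http_expose.map" -}}
-{{ range $idx, $cfg := .State -}}
-{{ if and (ne $cfg.Host "") (and (matchValues (print $cfg.TLSTermination) "edge" "reencrypt") (eq $cfg.InsecureEdgeTerminationPolicy "Allow")) -}}
-{{ if (eq $cfg.TLSTermination "edge") -}}
 {{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_edge_http:{{$idx}}
-{{ else -}}
+{{ end -}}
+{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") -}}
 {{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} be_secure:{{$idx}}
-{{ end -}}
 {{ end -}}
 {{ end -}}
-{{ end -}}{{/* end edge and reencrypt expose http host map template */}}
+{{ end -}}{{/* end edge http host map template */}}
+
 
 {{/*
 os_route_http_redirect.map: contains a mapping of www.example.com -> <service name>.
@@ -573,19 +553,6 @@ backend be_tcp:{{$cfgIdx}}
 {{ end -}}
 {{ end -}}{{/* end sni passthrough map template */}}
 
-
-{{/*
-os_reencrypt.map: marker that the host is configured to use a secure backend, allows the selection of a backend
-that does specific checks that avoid mitm attacks: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
-*/}}
-{{ define "/var/lib/haproxy/conf/os_reencrypt.map" -}}
-{{ range $idx, $cfg := .State -}}
-{{ if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") -}}
-{{generateRouteRegexp $cfg.Host $cfg.Path $cfg.IsWildcard}} {{$idx}}
-{{ end -}}
-{{ end -}}
-{{ end -}}{{/* end reencrypt map template */}}
-
 {{/*
 cert_config.map: contains a mapping of <cert-file> -> example.org
 This map is used to present the appropriate cert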
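Review bot: With the `be_http:` prefix moved out of `frontend public` and into the map value, the only thing that keeps a TLS-only route off the insecure port is now the `InsecureEdgeTerminationPolicy "Allow"` condition in the os_http_be.map template, and the comment that stated this invariant ("ensure we don't expose a tls only route on the unsecure port") was deleted along with the old edge map. That invariant should be restated on the new os_http_be.map comment, e.g. `Only routes with InsecureEdgeTerminationPolicy Allow may appear here with a be_edge_http/be_secure value: the value names the backend directly, so this map alone decides what is reachable on the insecure port.` The path-precedence fix likewise depends on `.State` being iterated from most specific to general across http, edge and reencrypt routes together, because map_reg takes the first matching line and the separate reencrypt-first lookup is gone; that ordering is established outside this file, so the "Search from most specific to general path" comment above each use_backend should say it is a property of the generated map, not of haproxy. Minor: new line 499 dropped the `{{/* end http host map template */}}` trailer while the edge map kept its trailer, which is inconsistent within the same hunk.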
