Add security.txt to haproxy frontend

If keystone_security_txt_content is defined in user variables, the keystone service will host this file at the following locations /security.txt and /.well-known/security.txt as defined in https://securitytxt.org/ This patch uses a HaProxy ACL to forward request to the Horizon frontend for */security.txt to the keysteone backend. Depends-On: https://review.opendev.org/766437 Change-Id: I2321f29362945f25c7dcfc5f5f8365aa2c025842
2020-12-10 12:17:55 +00:00 · 2020-12-10 12:17:55 +00:00 · 5204e939fa
commit 5204e939fa
parent 319f5263e8
1 changed files with 6 additions and 0 deletions
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@ -35,6 +35,11 @@ haproxy_repo_git_whitelist_networks: "{{ haproxy_whitelist_networks }}"
 haproxy_repo_cache_whitelist_networks: "{{ haproxy_whitelist_networks }}"
 haproxy_opendaylight_whitelist_networks: "{{ haproxy_whitelist_networks }}"

+haproxy_security_txt_acl:
+  keystone-security-txt-acl:
+    rule: "path_end /security.txt"
+    backend_name: keystone_service
+
 haproxy_default_services:
  - service:
      haproxy_service_name: galera
@ -205,6 +210,7 @@ haproxy_default_services:
      haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
      haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
      haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
+      haproxy_acls: "{{ keystone_security_txt_content is defined | ternary(haproxy_security_txt_acl, {}) }}"
  - service:
      haproxy_service_name: letsencrypt
      haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"