From 5204e939fabd851d473aca2325da1c1a02e7a383 Mon Sep 17 00:00:00 2001 From: James Gibson Date: Thu, 10 Dec 2020 12:17:55 +0000 Subject: [PATCH] Add security.txt to haproxy frontend If keystone_security_txt_content is defined in user variables, the keystone service will host this file at the following locations /security.txt and /.well-known/security.txt as defined in https://securitytxt.org/ This patch uses a HaProxy ACL to forward request to the Horizon frontend for */security.txt to the keysteone backend. Depends-On: https://review.opendev.org/766437 Change-Id: I2321f29362945f25c7dcfc5f5f8365aa2c025842 --- inventory/group_vars/haproxy/haproxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml index 7aae027e96..7cc19c8cbf 100644 --- a/inventory/group_vars/haproxy/haproxy.yml +++ b/inventory/group_vars/haproxy/haproxy.yml @@ -35,6 +35,11 @@ haproxy_repo_git_whitelist_networks: "{{ haproxy_whitelist_networks }}" haproxy_repo_cache_whitelist_networks: "{{ haproxy_whitelist_networks }}" haproxy_opendaylight_whitelist_networks: "{{ haproxy_whitelist_networks }}" +haproxy_security_txt_acl: + keystone-security-txt-acl: + rule: "path_end /security.txt" + backend_name: keystone_service + haproxy_default_services: - service: haproxy_service_name: galera @@ -205,6 +210,7 @@ haproxy_default_services: haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}" haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}" + haproxy_acls: "{{ keystone_security_txt_content is defined | ternary(haproxy_security_txt_acl, {}) }}" - service: haproxy_service_name: letsencrypt haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"