setip haproxy acls

.gitignore

@@ -1,13 +1,16 @@
 *.pyc
 __pycache
 
-#ignore osx shit
+# ignore osx shit
 .DS_Store
 
-#ignore env var files
+# ignore env var files
 .env.dev
 .env.prod
 
+# ignore lb allowed_ips
+lb/allowed_ips
+
 # ignore letsencrypt generated certificates
 data/certbot/etc/*
 !data/certbot/etc/.placeholder

docker-compose.yml

@@ -45,7 +45,7 @@ services:
   pgadmin:
     image: dpage/pgadmin4
     #volumes:
-    #   - "./data/dbadmin:/var/lib/pgadmin"
+    #  - "./data/dbadmin:/var/lib/pgadmin"
     env_file:
       - ./.env.prod
     restart: always

lb/haproxy.cfg

@@ -57,20 +57,28 @@ frontend https
     http-response set-header Access-Control-Max-Age 3628800
     http-response set-header Access-Control-Allow-Methods "GET"
 
-    use_backend %[req.hdr(Host),lower]
+    # ACL
+    acl acl_allowed src -f /etc/haproxy/allowed_ips
+    acl acl_forestnet -i forest.deflax.net
+    acl acl_forestdb -i db.forest.deflax.net
+    acl acl_osmap -i map.deflax.net
 
-backend map.deflax.net
+    use_backend forestnet if acl_forestnet
+    use_backend forestdb if acl_forestdb acl_allowed
+    use_backend osmap if acl_osmap
+
+backend osmap
     # Get from cache / put in cache
     http-request cache-use mapscache
     http-response cache-store mapscache
     # server list
     server s1 osmtile:80 check
 
-backend forest.deflax.net
+backend forestnet
     # server list
     server s1 flask:5000 check
 
-backend db.forest.deflax.net
+backend forestdb
     server s1 pgadmin:80 check
 
 #backend docs.deflax.net