Merge pull request #59 from magenbrot/haproxy-stats-acls

allow ACLs in stats

README.md

@@ -123,8 +123,15 @@ haproxy_default_monitor_uri:
 
 # Userlist
 haproxy_userlist:
-
-# Stats
+  - stats-auth:
+      groups:
+        - "admin users admin"
+        - "readonly users user"
+      users:
+        - "admin insecure-password opqrstuvw"
+        - "user insecure-password abcdefghi"
+
+# Stats with HTTP Basic Auth and a single user
 haproxy_stats: true
 haproxy_stats_address: '*'
 haproxy_stats_port: 9001
@@ -145,6 +152,23 @@ haproxy_stats_timeouts:
   - connect 100s
   - queue 100s
 
+# Stats with HTTP Basic Auth using an userlist
+haproxy_stats: true
+haproxy_stats_address: "::"
+haproxy_stats_port: 8081
+haproxy_stats_ssl: false
+haproxy_stats_uri: /stats
+haproxy_stats_auth:
+haproxy_stats_acls:
+  - "AUTH http_auth(stats-auth)"
+  - "AUTH_ADMIN http_auth_group(stats-auth) admin"
+haproxy_stats_options:
+  - refresh 5s
+  - show-legends
+  - show-node
+  - http-request auth unless AUTH
+  - admin if AUTH_ADMIN
+
 # SSL
 haproxy_ssl_certificate: /etc/ssl/uoi.io/uoi.io.pem
 haproxy_ssl_options: no-sslv3 no-tls-tickets force-tlsv12

defaults/main.yml

@@ -89,6 +89,7 @@ haproxy_stats_address: '*'
 haproxy_stats_port: 9001
 haproxy_stats_ssl: false
 haproxy_stats_auth: true
+haproxy_stats_acls: []
 haproxy_stats_user: haproxy-stats
 haproxy_stats_password: B1Gp4sSw0rD!!
 haproxy_stats_uri: /

templates/etc/haproxy/haproxy-stats.cfg.j2

@@ -10,6 +10,11 @@ listen stats
 {% endif %}
     mode       http
     maxconn    10
+{% if haproxy_stats_acls is defined and haproxy_stats_acls|length %}
+    {% for acl in haproxy_stats_acls %}
+    acl        {{ acl }}
+    {% endfor %}
+{% endif %}
     stats      enable
 {% for opt in haproxy_stats_options %}
     stats      {{ opt }}