diff --git a/README.md b/README.md
index 02cd57e..95ea5a3 100644
--- a/README.md
+++ b/README.md
@@ -123,8 +123,15 @@ haproxy_default_monitor_uri:
 # Userlist
 haproxy_userlist:
-
-# Stats
+ - stats-auth:
+ groups:
+ - "admin users admin"
+ - "readonly users user"
+ users:
+ - "admin insecure-password opqrstuvw"
+ - "user insecure-password abcdefghi"
+
+# Stats with HTTP Basic Auth and a single user
 haproxy_stats: true
 haproxy_stats_address: '*'
 haproxy_stats_port: 9001
@@ -145,6 +152,23 @@ haproxy_stats_timeouts:
 - connect 100s
 - queue 100s
+# Stats with HTTP Basic Auth using an userlist
+haproxy_stats: true
+haproxy_stats_address: "::"
+haproxy_stats_port: 8081
+haproxy_stats_ssl: false
+haproxy_stats_uri: /stats
+haproxy_stats_auth:
+haproxy_stats_acls:
+ - "AUTH http_auth(stats-auth)"
+ - "AUTH_ADMIN http_auth_group(stats-auth) admin"
+haproxy_stats_options:
+ - refresh 5s
+ - show-legends
+ - show-node
+ - http-request auth unless AUTH
+ - admin if AUTH_ADMIN
+
 # SSL
 haproxy_ssl_certificate: /etc/ssl/uoi.io/uoi.io.pem
 haproxy_ssl_options: no-sslv3 no-tls-tickets force-tlsv12
diff --git a/defaults/main.yml b/defaults/main.yml
index 178fc6a..6492fea 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -89,6 +89,7 @@ haproxy_stats_address: '*'
 haproxy_stats_port: 9001
 haproxy_stats_ssl: false
 haproxy_stats_auth: true
+haproxy_stats_acls: []
 haproxy_stats_user: haproxy-stats
 haproxy_stats_password: B1Gp4sSw0rD!!
 haproxy_stats_uri: /
diff --git a/templates/etc/haproxy/haproxy-stats.cfg.j2 b/templates/etc/haproxy/haproxy-stats.cfg.j2
index 83c2f04..88628ea 100644
--- a/templates/etc/haproxy/haproxy-stats.cfg.j2
+++ b/templates/etc/haproxy/haproxy-stats.cfg.j2
@@ -10,6 +10,11 @@ listen stats
 {% endif %}
 mode http
 maxconn 10
+{% if haproxy_stats_acls is defined and haproxy_stats_acls|length %}
+ {% for acl in haproxy_stats_acls %}
+ acl {{ acl }}
+ {% endfor %}
+{% endif %}
 stats enable
 {% for opt in haproxy_stats_options %}
 stats {{ opt }}
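Review bot: The new `haproxy_stats_acls: []` default in defaults/main.yml has no comment saying what an entry is, or that defining ACLs restricts nothing by itself. Going by the template hunk in this commit, each entry is written verbatim after `acl` in the stats listener, and access is only limited once an option such as `http-request auth unless AUTH` refers to it. I would add above the line `# ACL definitions for the stats listener, e.g. "AUTH http_auth(stats-auth)"; enforced only when referenced from haproxy_stats_options`. The context lines also show `haproxy_stats_ssl: false` as the default, so a second comment that HTTP Basic Auth credentials cross the network in cleartext unless TLS is enabled would help anyone adopting the userlist setup.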
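Review bot: The guard `haproxy_stats_acls is defined and haproxy_stats_acls|length` in haproxy-stats.cfg.j2 fails at render time when the variable is set but left empty (`haproxy_stats_acls:`, the same form the README uses for `haproxy_stats_auth:`), because `is defined` passes and `length` is then applied to a null value. A truthiness test handles null and the empty list alike: `{% if haproxy_stats_acls | default([], true) %}`, or drop the `if` and loop over `haproxy_stats_acls | default([], true)` directly. Each entry is also written into the HAProxy config unescaped, so a short `{# ... #}` comment stating that entries must be a single-line ACL name plus criterion taken from trusted inventory would be worth adding. The `listen stats` block begins before this hunk and continues after it.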