I have another proposal, so here it comes. If you have time, I'd like your input. I'll build everything, etc.
Proposal
I want a basic service firewall so I can stop dealing with iptables/firewalld on the docker host system.
So, my "proposal" is: I wanted a way to set ACL on frontends, via service/container labels.
Example 1
A simple ACL to ensure a service can be accessed only from 1.1.1.1:

```yaml
labels:
  - com.byjg.easyhaproxy.definitions=service
  - com.byjg.easyhaproxy.mode.service=tcp
  - com.byjg.easyhaproxy.port.service=443
  - com.byjg.easyhaproxy.host.service=dns.service.name
  # ACL here
  - com.byjg.easyhaproxy.acl-name.0.service=service-fw
  - com.byjg.easyhaproxy.acl-value.0.service="src 1.1.1.1"
```
It would render the following config block:

```
frontend service_in_443_1
    bind *:443
    mode tcp
    acl service-fw src 1.1.1.1
    tcp-request connection reject if !service-fw
    default_backend my_backend_server
```
Do you think this is over-complicating it?
Example 2
Here is another example — I have an internal API server, I want to ensure that requests originate from 10.0.1.0/24 or 10.0.2.2 and each request must start with /api/v2:

```yaml
labels:
  - com.byjg.easyhaproxy.definitions=web
  - com.byjg.easyhaproxy.port.web=80
  - com.byjg.easyhaproxy.host.web=dns
  # ACL here
  - com.byjg.easyhaproxy.acl-name.0.web=service-fw
  - com.byjg.easyhaproxy.acl-value.0.web="src 10.0.1.0/24 10.0.2.2"
  - com.byjg.easyhaproxy.acl-name.1.web=service-fw
  - com.byjg.easyhaproxy.acl-value.1.web="path_beg -i /api/v2"
```
It would render to:

```
frontend http_in_80_1
    bind *:80
    mode http
    # same ACL name, I think combines them — both must be true
    acl service-fw src 10.0.1.0/24 10.0.2.2
    acl service-fw path_beg -i /api/v2
    http-request deny if !service-fw
    acl is_rule_dns_1_1 hdr(host) -i dns
    acl is_rule_dns_1_2 hdr(host) -i dns:80
    use_backend srv_dns_80_1 if is_rule_dns_1_1 OR is_rule_dns_1_2
```
Different acl-names would render another `http-request deny if` statement.
Thoughts?
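As an added example (not code from this issue or from easy-haproxy itself), here is a small Python renderer for the proposed `acl-name.N` / `acl-value.N` labels: it groups values by ACL name and emits one `reject`/`deny` per distinct name, as the proposal describes, and it refuses label values containing newlines since labels are operator-supplied configuration input. The label list is constructed from Example 2; the function names and the `PREFIX` constant are assumptions for this example.

```python
import re
from collections import OrderedDict

# Constructed sample input: the label set from Example 2 of the proposal.
LABELS_WEB = [
    "com.byjg.easyhaproxy.definitions=web",
    "com.byjg.easyhaproxy.port.web=80",
    "com.byjg.easyhaproxy.host.web=dns",
    "com.byjg.easyhaproxy.acl-name.0.web=service-fw",
    'com.byjg.easyhaproxy.acl-value.0.web="src 10.0.1.0/24 10.0.2.2"',
    "com.byjg.easyhaproxy.acl-name.1.web=service-fw",
    'com.byjg.easyhaproxy.acl-value.1.web="path_beg -i /api/v2"',
]

PREFIX = "com.byjg.easyhaproxy."          # assumed label prefix, as in the issue
ACL_RE = re.compile(r"^acl-(name|value)\.(\d+)$")


def parse_acls(labels, definition):
    """Collect acl-name.N / acl-value.N pairs for one definition, ordered by N.
    Returns an ordered mapping: acl name -> list of acl conditions."""
    names, values = {}, {}
    suffix = "." + definition
    for label in labels:
        key, _, raw = label.partition("=")   # split on the first '=' only
        if not key.startswith(PREFIX) or not key.endswith(suffix):
            continue
        m = ACL_RE.match(key[len(PREFIX):-len(suffix)])
        if not m:
            continue                         # not an ACL label (port, host, ...)
        if "\n" in raw or "\r" in raw:
            # A newline in a label value would let it smuggle extra config lines.
            raise ValueError(f"newline in label value: {key}")
        idx = int(m.group(2))
        (names if m.group(1) == "name" else values)[idx] = raw.strip('"')
    acls = OrderedDict()
    for idx in sorted(names):
        if idx not in values:
            raise ValueError(f"acl-name.{idx} has no matching acl-value.{idx}")
        acls.setdefault(names[idx], []).append(values[idx])
    return acls


def render_acl_block(acls, mode):
    """Emit one 'acl' line per condition, then one reject/deny per ACL name."""
    lines = [f"    acl {name} {cond}" for name, conds in acls.items() for cond in conds]
    for name in acls:
        if mode == "tcp":
            lines.append(f"    tcp-request connection reject if !{name}")
        else:
            lines.append(f"    http-request deny if !{name}")
    return lines
```

One caveat when reading the rendered output: HAProxy treats several `acl` lines that share a name as alternatives (OR), so with a single shared name a request matching either condition passes the deny rule; a renderer that wants both conditions required would need distinct names combined in one `deny if` rule.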