updated examples, removed redundant newlines, enable ssl-capture-buff…

…er only if needed

ExampleAcme.md

@@ -7,7 +7,6 @@ haproxy:
   acme:
     enable: true
     email: '[email protected]'
-    ca: 'letsencrypt-test'
 
   frontends:
     fe_web:
@@ -28,7 +27,7 @@ haproxy:
         - 'srv-2 192.168.10.12:80'
 
     be_fallback:
-      lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+      lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 ```
 
 
@@ -37,6 +36,23 @@ haproxy:
 ## Result
 
 ```bash
+
+root@test-ag-haproxy-acme:/# ls -l /etc/dehydrated/
+> -rw-r----- 1 root haproxy-acme 478 May  3 15:44 config
+> -rw-r----- 1 root haproxy-acme 898 May  4 13:29 domains.txt
+
+root@test-ag-haproxy-acme:/# cat /etc/dehydrated/domains.txt 
+> # Ansible managed: Do NOT edit this file manually!
+> # ansibleguy.infra_haproxy
+>
+> # FRONTEND: fe_web
+> ## BACKEND: be_test
+> app.test.ansibleguy.net > fe_web-be_test
+
+root@test-ag-haproxy-acme:/# ls -l /etc/ssl/haproxy_acme/certs
+> -rw------- 1 haproxy-acme haproxy-acme 3673 May  3 18:31 fe_web-be_test.pem
+> -rw-r----- 1 haproxy-acme haproxy      2872 May  3 15:05 placeholder.pem
+
 root@test-ag-haproxy-acme:/# cat /etc/haproxy/haproxy.cfg 
 > # Ansible managed: Do NOT edit this file manually!
 > # ansibleguy.infra_haproxy
@@ -57,7 +73,6 @@ root@test-ag-haproxy-acme:/# cat /etc/haproxy/haproxy.cfg
 >     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 >     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 >     ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
->     tune.ssl.capture-buffer-size 96
 >
 > defaults
 >     log global
@@ -120,15 +135,15 @@ root@test-ag-haproxy-acme:/# cat /etc/haproxy/conf.d/backend.cfg
 >     mode http
 >     balance leastconn
 > 
+>
 >     server srv-1 192.168.10.11:80 check
 >     server srv-2 192.168.10.12:80 check
 > 
 > backend be_fallback
 >     mode http
 >     balance leastconn
 > 
->     # SECTION: default
->     http-request redirect code 301 location https://github.com/ansibleguy
+>     http-request redirect code 302 location https://github.com/ansibleguy
 > 
 > backend be_haproxy_acme
 >     server haproxy_acme 127.0.0.1:8405 check

ExampleGeoIP.md

@@ -37,7 +37,7 @@ haproxy:
       servers: 'srv2 192.168.10.12:80'
 
     be_fallback:
-      lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+      lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 ```
 
 ----
@@ -46,7 +46,11 @@ haproxy:
 
 ```bash
 root@test-ag-haproxy-geoip:/# journalctl -u haproxy.service -f
-> May 04 18:58:57 test-ag-haproxy-geoip haproxy[84265]: ::ffff:140.82.115.47:33494 [04/May/2024:18:58:57.790] fe_web~ be_test2/srv2 0/0/26/26/52 200 1778 - - ---- 2/2/0/0/0 0/0 {US|36459|github-camo (4b76e509)} "GET /infra_haproxy.pylint.svg HTTP/1.1
+> May 04 18:58:57 test-ag-haproxy-geoip haproxy[84265]: ::ffff:140.82.115.47:33494 [04/May/2024:18:58:57.790] fe_web~ be_test2/srv2 0/0/26/26/52 200 1778 - - ---- 2/2/0/0/0 0/0 {US|36459|github-camo (4b76e509)} "GET /infra_haproxy.pylint.svg HTTP/1.1"
+
+root@test-ag-haproxy-geoip:/#ls -l /var/local/lib/geoip/
+> -rw-r--r-- 1 haproxy-geoip haproxy-geoip 11813924 May  2 18:24 asn.mmdb
+> -rw-r--r-- 1 haproxy-geoip haproxy-geoip 43167362 May  2 18:24 country.mmdb
 
 root@test-ag-haproxy-geoip:/# cat /etc/haproxy/haproxy.cfg 
 > # Ansible managed: Do NOT edit this file manually!
@@ -57,6 +61,7 @@ root@test-ag-haproxy-geoip:/# cat /etc/haproxy/haproxy.cfg
 >     user haproxy
 >     group haproxy
 > 
+>     lua-load /etc/haproxy/lua/geoip.lua
 > 
 >     log /dev/log    local0
 >     log /dev/log    local1 notice
@@ -68,7 +73,6 @@ root@test-ag-haproxy-geoip:/# cat /etc/haproxy/haproxy.cfg
 >     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 >     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 >     ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
->     tune.ssl.capture-buffer-size 96
 >
 > defaults
 >     log global
@@ -166,8 +170,7 @@ root@test-ag-haproxy-geoip:/# cat /etc/haproxy/conf.d/backend.cfg
 >     mode http
 >     balance leastconn
 > 
->     # SECTION: default
->     http-request redirect code 301 location https://github.com/ansibleguy
+>     http-request redirect code 302 location https://github.com/ansibleguy
 > 
 > backend be_haproxy_geoip
 >     server haproxy_geoip 127.0.0.1:8406 check
@@ -219,4 +222,3 @@ root@test-ag-haproxy-geoip:/# systemctl status haproxy-geoip-update.timer
 >     Trigger: Mon 2024-05-06 01:00:00 UTC; 1 day 8h left
 >    Triggers: * haproxy-geoip-update.service
 ```
-

ExampleWAF.md

@@ -1,4 +1,4 @@
-# Basic Example with GeoIP
+# Basic Example with WAF
 
 There are still some basic WAF features to be implemented.
 
@@ -44,7 +44,7 @@ haproxy:
         - 'srv-2 192.168.10.12:80'
 
     be_fallback:
-      lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+      lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 ```
 
 ----
@@ -60,7 +60,8 @@ root@test-ag-haproxy-waf:/# cat /etc/haproxy/haproxy.cfg
 >     daemon
 >     user haproxy
 >     group haproxy
-> 
+>
+>     tune.ssl.capture-buffer-size 96
 > 
 >     log /dev/log    local0
 >     log /dev/log    local1 notice
@@ -72,7 +73,6 @@ root@test-ag-haproxy-waf:/# cat /etc/haproxy/haproxy.cfg
 >     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 >     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 >     ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
->     tune.ssl.capture-buffer-size 96
 >
 > defaults
 >     log global
@@ -153,8 +153,7 @@ root@test-ag-haproxy-waf:/# cat /etc/haproxy/conf.d/backend.cfg
 >     mode http
 >     balance leastconn
 > 
->     # SECTION: default
->     http-request redirect code 301 location https://github.com/ansibleguy
+>     http-request redirect code 302 location https://github.com/ansibleguy
 >     
 
 root@test-ag-haproxy-waf:/# systemctl status haproxy.service

Fingerprinting.md

@@ -22,3 +22,5 @@ If you enable `security.fingerprint_ssl` you can reference it using the variable
 
 * `var(txn.fingerprint_ssl)` => MD5 hash of JA3 fingerprint
 * `var(txn.fingerprint_ssl_raw)` => raw JA3 fingerprint
+
+To use this kind of fingerprint, you have to enable the `[SSL capture-buffer](https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#3.2-tune.ssl.capture-buffer-size)`. You may want to set it in the globals via `tune.ssl.capture-buffer-size 96`

README.md

@@ -93,7 +93,7 @@ haproxy:
         - 'srv-2 192.168.10.12:80'
 
     be_fallback:
-      lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+      lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 ```
 
 ----
@@ -195,7 +195,7 @@ haproxy:
 
     be_fallback:
       lines:
-        default: 'http-request redirect code 301 location https://github.com/ansibleguy'
+        default: 'http-request redirect code 302 location https://github.com/ansibleguy'
 
   # GENERAL
   stats:

defaults/main/1_main.yml

@@ -53,7 +53,6 @@ defaults_haproxy:
     DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
     ssl-default-bind-ciphersuites: 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
     ssl-default-bind-options: 'ssl-min-ver TLSv1.2 no-tls-tickets'
-    tune.ssl.capture-buffer-size: 96  # needed for ssl finterprinting
 
   defaults:
     log: 'global'

filter_plugins/utils.py

@@ -9,6 +9,7 @@ def filters(self):
             "is_string": self.is_string,
             "is_dict": self.is_dict,
             "safe_key": self.safe_key,
+            "ssl_fingerprint_active": self.ssl_fingerprint_active,
         }
 
     @staticmethod
@@ -30,3 +31,15 @@ def is_dict(data) -> bool:
     @staticmethod
     def safe_key(key: str) -> str:
         return regex_replace('[^0-9a-zA-Z_]+', '', key.replace(' ', '_'))
+
+    @staticmethod
+    def ssl_fingerprint_active(frontends: dict) -> bool:
+        for fe_cnf in frontends.values():
+            try:
+                if fe_cnf['security']['fingerprint_ssl']:
+                    return True
+
+            except KeyError:
+                continue
+
+        return False

molecule/default/converge.yml

@@ -42,7 +42,7 @@
             - 'srv4 192.168.10.12:80'
 
         be_fallback:
-          lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+          lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 
   roles:
     - ansibleguy.infra_haproxy
@@ -82,7 +82,7 @@
             - 'srv-2 192.168.10.12:80'
 
         be_fallback:
-          lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+          lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 
   roles:
     - ansibleguy.infra_haproxy
@@ -132,7 +132,7 @@
           servers: 'srv2 192.168.10.12:80'
 
         be_fallback:
-          lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+          lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 
   pre_tasks:
     - name: Loading GeoIP Token
@@ -193,7 +193,7 @@
             - 'srv-2 192.168.10.12:80'
 
         be_fallback:
-          lines: 'http-request redirect code 301 location https://github.com/ansibleguy'
+          lines: 'http-request redirect code 302 location https://github.com/ansibleguy'
 
   roles:
     - ansibleguy.infra_haproxy

templates/etc/dehydrated/domains.txt.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+# ansibleguy.infra_haproxy
 
 {% if HAPROXY_CONFIG.acme.domains | default([]) | ensure_list | length > 0 %}
 {{ HAPROXY_CONFIG.acme.domains | default([]) | ensure_list | join(' ') }} > base

templates/etc/haproxy/conf.d/backend.cfg.j2

@@ -8,53 +8,49 @@ backend {{ name }}
     mode {{ cnf.mode }}
     balance {{ cnf.balance }}
 
-{% if cnf.mode == 'http' %}
-{%   if cnf.check | bool %}
-{%     if cnf.check_http | bool %}
+{%   if cnf.mode == 'http' %}
+{%     if cnf.check | bool %}
+{%       if cnf.check_http | bool %}
     option httpchk
-{%     endif %}
-{%     if cnf.check_uri | default(none, true) is not none %}
+{%       endif %}
+{%       if cnf.check_uri | default(none, true) is not none %}
     http-check send meth {{ cnf.check_method }} uri {{ cnf.check_uri }}
-{%     endif %}
-{%     if cnf.check_expect | default(none, true) is not none %}
+{%       endif %}
+{%       if cnf.check_expect | default(none, true) is not none %}
     http-check expect {{ cnf.check_expect }}
+{%       endif %}
 {%     endif %}
-{%   endif %}
-
-{%   if cnf.sticky | bool %}
+{%     if cnf.sticky | bool %}
     cookie {{ cnf.sticky_http.cookie }} insert indirect nocache
+{%     endif %}
+{%     include "inc/security.j2" %}
 {%   endif %}
-
-{%   include "inc/security.j2" %}
-{% endif %}
-
-{% if cnf.mode == 'tcp' %}
-{%   if cnf.sticky | bool %}
+{%   if cnf.mode == 'tcp' %}
+{%     if cnf.sticky | bool %}
     stick match {{ cnf.sticky_tcp.match }}
     stick-table {{ cnf.sticky_tcp.table }}
-{%   endif %}
-{% endif %}
 
-{%  if cnf.lines | is_dict %}
-{%    for section, lines in cnf.lines.items() %}
+{%     endif %}
+{%   endif %}
+{%   if cnf.lines | is_dict %}
+{%     for section, lines in cnf.lines.items() %}
     # SECTION: {{ section }}
-{%      for line in lines | ensure_list %}
+{%       for line in lines | ensure_list %}
     {{ line }}
-{%      endfor %}
+{%       endfor %}
 
-{%    endfor %}
-{%  else %}
-    # SECTION: default
-{%    for line in cnf.lines | ensure_list %}
+{%     endfor %}
+{%   else %}
+{%     for line in cnf.lines | ensure_list %}
     {{ line }}
-{%    endfor %}
-
-{%  endif %}
+{%     endfor %}
+{%   endif %}
+{%   if cnf.servers | length > 0 %}
 
-{%  for server in cnf.servers | ensure_list %}
+{%     for server in cnf.servers | ensure_list %}
     server {{ server }}{% if cnf.check | bool %} check{% endif %}{% if cnf.ssl | bool %} ssl verify {{ cnf.ssl_verify }}{% endif %}{% if cnf.mode == 'http' and cnf.sticky | bool %} cookie {{ cnf.sticky_http.cookie }}{{ loop.index }}{% endif +%}
-{%  endfor %}
-
+{%     endfor %}
+{%   endif %}
 {% endfor %}
 
 {% if HAPROXY_CONFIG.acme.enable | bool %}

templates/etc/haproxy/conf.d/frontend.cfg.j2

@@ -16,22 +16,22 @@ frontend {{ name }}
 {%   if cnf.mode == 'http' %}
 {%     if cnf.ssl_redirect | bool and 'ssl' in (cnf.bind | join('-')) %}
     http-request redirect scheme https code 301 if !{ ssl_fc } !{ path_beg -i /.well-known/acme-challenge/ }
+
 {%     endif %}
 {%   endif %}
-
 {%   if cnf.geoip.enable | bool %}
 {% include "inc/geoip.j2" %}
-{%   endif %}
 
+{%   endif %}
 {% if cnf.mode == 'http' %}
 {%   include "inc/security.j2" %}
 {%   include "inc/security_only_fe.j2" %}
-{% endif %}
 
+{% endif %}
 {%   if cnf.log.user_agent | bool %}
     http-request capture req.fhdr(User-Agent) len 200
-{%   endif %}
 
+{%   endif %}
 {%  if cnf.lines | is_dict %}
 {%    for section, lines in cnf.lines.items() %}
     # SECTION: {{ section }}
@@ -41,17 +41,15 @@ frontend {{ name }}
 
 {%    endfor %}
 {%  else %}
-    # SECTION: default
 {%    for line in cnf.lines | ensure_list %}
     {{ line }}
 {%    endfor %}
 
 {%  endif %}
-
 {%   if cnf.acme.enable | bool %}
     use_backend be_haproxy_acme if { path_beg -i /.well-known/acme-challenge/ }
-{%  endif %}
 
+{%  endif %}
 {%  for be_name, be_cnf_user in cnf.routes.items() %}
 {%    set be_cnf = defaults_frontend_route | combine(be_cnf_user, recursive=true) %}
 

templates/etc/haproxy/haproxy.cfg.j2

@@ -9,6 +9,9 @@ global
 {% if HAPROXY_CONFIG.geoip.enable | bool %}
     lua-load {{ HAPROXY_HC.path.lua }}/geoip.lua
 {% endif %}
+{% if HAPROXY_CONFIG.frontends | ssl_fingerprint_active and 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
+    tune.ssl.capture-buffer-size 96
+{% endif %}
 
 {% for key, value in HAPROXY_CONFIG.global.items() %}
 {%   if value | default(none, true) is none %}