51ea1fc802
* Migration 0012: firewall_zones (id, name UNIQUE, description, builtin),
Seed wan/lan/dmz/mgmt/cluster als builtin. CHECK-Constraints auf
network_interfaces.role + firewall_rules.{src,dst}_zone +
firewall_nat_rules.{in,out}_zone gedroppt — Validation lebt jetzt
app-side (Handler prüft Existenz in firewall_zones).
* Backend: firewall.ZonesRepo (CRUD + Exists + References-Lookup),
/api/v1/firewall/zones, builtin geschützt (Name nicht änderbar,
Delete blockiert), Rename eines Custom-Zone aktuell ohne Cascade
(Handler-Sorge bei Rules/NAT/Networks).
* Handler-Validation in CreateRule/UpdateRule/CreateNAT/UpdateNAT +
NetworksHandler: Zone-Existence-Check pro Mutation, 400 bei Tippfehler.
* Frontend: Firewall-Tab "Zonen" (CRUD mit builtin-Schutz). Networks-
Form lädt Rollen aus /firewall/zones (statt hardcoded Liste); Rules-
und NAT-Forms ziehen die Zone-Auswahl ebenfalls aus der API.
* Domain-Form bekommt Primary-Backend-Picker (Field war im Modell,
fehlte im UI). Backends-Tabelle zeigt umgekehrt welche Domains
darauf zeigen — bidirektionale Sicht ohne Schemaänderung.
* HAProxy-Renderer: safeID-FuncMap escaped Server-Namen mit Whitespace
("Control Master 1" → "Control_Master_1"). Vorher ist haproxy beim
Reload an Spaces im Backend-Namen kaputt gegangen.
* Version 1.0.3 → 1.0.6.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
75 lines
2.8 KiB
Smarty
75 lines
2.8 KiB
Smarty
# Generated by edgeguard-api — DO NOT EDIT.
|
|
# Source: internal/haproxy/haproxy.go (template: haproxy.cfg.tpl).
|
|
# Re-generate via `edgeguard-ctl render-config`.
|
|
|
|
global
|
|
log /dev/log local0 info
|
|
log /dev/log local1 notice
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
defaults
|
|
log global
|
|
mode http
|
|
option httplog
|
|
option dontlognull
|
|
option forwardfor
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout http-request 10s
|
|
|
|
# ── Public :80 ─────────────────────────────────────────────────────────
|
|
# ACME-01 challenges proxy to edgeguard-api which serves the webroot.
|
|
# Everything else redirects to HTTPS.
|
|
frontend public_http
|
|
bind :80
|
|
|
|
acl is_acme path_beg /.well-known/acme-challenge/
|
|
|
|
# Redirect to HTTPS first (skipped for ACME paths) — must come
|
|
# before use_backend so HAProxy doesn't warn about ordering.
|
|
http-request redirect scheme https code 301 unless is_acme
|
|
|
|
use_backend api_backend if is_acme
|
|
|
|
# ── Public :443 ────────────────────────────────────────────────────────
|
|
# TLS termination. Reads certs from /etc/edgeguard/tls/ — postinst
|
|
# seeds a self-signed _default.pem so HAProxy starts before certbot
|
|
# has issued anything.
|
|
frontend public_https
|
|
bind :443 ssl crt /etc/edgeguard/tls/ alpn h2,http/1.1
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=31536000"
|
|
|
|
{{- range $d := .Domains}}
|
|
{{- range $r := $d.Routes}}
|
|
use_backend eg_backend_{{$r.BackendID}} if { hdr(host) -i {{$d.Name}} } { path_beg {{$r.PathPrefix}} }
|
|
{{- end}}
|
|
{{- end}}
|
|
|
|
default_backend api_backend
|
|
|
|
# ── Internal stats ─────────────────────────────────────────────────────
|
|
frontend internal_stats
|
|
bind 127.0.0.1:8404
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 10s
|
|
stats admin if { src 127.0.0.1 }
|
|
|
|
# ── Backends ───────────────────────────────────────────────────────────
|
|
|
|
# edgeguard-api itself: management UI, REST API, ACME webroot.
|
|
backend api_backend
|
|
server api1 127.0.0.1:9443 check
|
|
|
|
{{- range .Backends}}
|
|
|
|
backend eg_backend_{{.ID}}
|
|
server {{.Name | safeID}} {{.Address}}:{{.Port}}{{if .HealthCheckPath}} check inter 5s{{end}}
|
|
{{- end}}
|