From 5fe2f1f535d8b9b69b54f0e7a542af1cc3f51bb7 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 2 Feb 2022 16:54:32 +0100
Subject: [PATCH] haproxy.cfg: add support for tcp services.

---
 templates/haproxy.cfg.j2 | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index 571948b..8c83917 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -106,7 +106,7 @@ frontend http
 {% if docker_swarm_expose_api_via_haproxy %}
 frontend docker_ft
-{% if docker_swarm_haproxy_plain_http_api: %}
+{% if docker_swarm_haproxy_plain_http_api %}
 bind :{{ docker_swarm_haproxy_swarm_port }} {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
 {% else %}
 bind :{{ docker_swarm_haproxy_swarm_port }} ssl crt {{ haproxy_cert_dir }} alpn h2,http/1.1 {% if docker_swarm_haproxy_installation_type == 'global' %}accept-proxy{% endif %}
@@ -115,9 +115,11 @@ frontend docker_ft
 mode http
 acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
-# acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
+ acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}
-# http-request deny if swarm_api !swarm_api_allowed_nets
+ http-request deny if swarm_api !swarm_api_allowed_nets
+
+# The following variables must be set in the haproxy docker file
 # http-request deny unless METH_GET || { env(POST) -m bool }
 # http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
 # http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
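Review bot: The ACL enabled at `+ acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} ...` renders with no pattern when `docker_swarm_api_networks_acl` is empty, and HAProxy does not accept an `acl ... src` line without a value, so a run with an empty list now fails the whole configuration load instead of being a no-op as the commented-out version was. Treating an empty list as "deny the API to everyone" keeps the behaviour fail-closed and the config loadable; the guard is sketched below. The deny itself is conditioned on `swarm_api`, i.e. on the Host header matching the API hostname, so a request carrying a different Host value is not covered by this rule and what it reaches depends on the frontend's routing, which lies outside the hunk. The docker_ft frontend continues past the end of this hunk.
```jinja
  acl swarm_api hdr_dom(host) -i {{ docker_swarm_expose_api_hostname }}
{% if docker_swarm_api_networks_acl | length > 0 %}
  acl swarm_api_allowed_nets src {% for net in docker_swarm_api_networks_acl %} {{ net }}{% endfor %}

  http-request deny if swarm_api !swarm_api_allowed_nets
{% else %}
  http-request deny if swarm_api
{% endif %}
{# … unchanged: commented-out env()-gated http-request rules … #}
```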
@@ -155,6 +157,20 @@ frontend shinyproxy_metrics
 default_backend shinyproxy_metrics_bck
 {% endif %}
+{% for srv in docker_swarm_haproxy_additional_services %}
+{% if srv.mode is defined and srv.mode == 'tcp' %}
+frontend {{ srv.acl_name }}
+ bind: {{ srv.service_port }}
+ mode {{ srv.mode }}
+{% if srv.allowed_networks is defined %}
+ acl {{ srv.acl_name }}_nets src {% for net in srv.allowed_networks %} {{ net }}{% endfor %}
+
+ tcp-request connection reject if {{ srv.acl_name }} !{{ srv.acl_name }}_nets
+{% endif %}
+ use_backend {{ srv.acl_name }}_bck
+
+{% endif %}
+{% endfor %}
 #
 # Backends
 #
@@ -183,6 +199,12 @@ backend portainer_bck
 {% for srv in docker_swarm_haproxy_additional_services %}
 backend {{ srv.acl_name }}_bck
+{% if srv.mode is defined and srv.mode == 'tcp' %}
+ mode tcp
+ balance {{ srv.balance_type | default('roundrobin') }}
+ server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} resolvers docker init-addr libc,none
+
+{% else %}
 mode http
 option httpchk
 balance {{ srv.balance_type | default('roundrobin') }}
@@ -201,3 +223,5 @@ backend {{ srv.acl_name }}_bck
 {% endif %}
 server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} {{ srv.backend_options | default('') }} {% if srv.http_check_enabled is defined and srv.http_check_enabled %}check {{ srv.check_options | default('') }}{% endif %} resolvers docker init-addr libc,none
 {% endfor %}
+
+{% endif %}
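Review bot: The generated tcp frontend cannot be loaded by HAProxy: `+ bind: {{ srv.service_port }}` puts the colon on the keyword instead of the address (the existing frontends in this file write `bind :{{ ... }}`), and `tcp-request connection reject if {{ srv.acl_name }} !{{ srv.acl_name }}_nets` references an ACL named `{{ srv.acl_name }}` that this frontend never declares — only `{{ srv.acl_name }}_nets` is defined. Because the frontend has a single listener there is no second condition to match, so the two lines should read `bind :{{ srv.service_port }}` and `tcp-request connection reject if !{{ srv.acl_name }}_nets`. The same no-value problem as in the swarm API frontend appears when `srv.allowed_networks` is defined but empty, since `acl ... src` then renders without a pattern; an empty list is better treated as deny-all than as a load error. When `allowed_networks` is not defined the port is published with no source restriction, which may be intended but deserves a template comment such as `{# no allowed_networks: service reachable from any source #}`.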
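Review bot: The tcp `server-template` line at `+ server-template {{ srv.service_name }}- ... resolvers docker init-addr libc,none` drops the `{{ srv.backend_options | default('') }}` that the http branch appends, so per-service options configured for a service are silently ignored once `mode: tcp` is set. Appending `{{ srv.backend_options | default('') }}` before `resolvers docker init-addr libc,none` keeps the two branches consistent. The tcp branch also emits no `check` keyword; if that is deliberate, a one-line `{# tcp backends are deployed without a health check #}` makes the choice visible to the next maintainer. The backend block continues into the next hunk.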
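Review bot: The closing `+{% endif %}` is placed after the `{% endfor %}` context line, but the `{% if srv.mode is defined and srv.mode == 'tcp' %}` it closes was opened inside the `{% for srv in docker_swarm_haproxy_additional_services %}` loop in the previous hunk, so the block nesting is inverted and Jinja2 would reject the template when it meets `endfor` while an `if` is still open — breaking every render, not only tcp services. Assuming the `{% endif %}` context line above `server-template` closes an inner `if` rather than the tcp one, the new `{% endif %}` belongs immediately after the http `server-template` line and before `{% endfor %}`: `  server-template ... resolvers docker init-addr libc,none` / `{% endif %}` / `{% endfor %}`. The lines between this hunk and the previous one are not shown, so which inner `if` the existing `{% endif %}` closes cannot be confirmed from here.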