jenkins-docker/server/haproxy/haproxy.cfg - gerrit-ci-scripts - Git at Google

 global
     log stdout format raw local0
     lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
     lua-load /usr/local/etc/haproxy/lua/auth-request.lua

 defaults
     log     global
     timeout connect 5000
     timeout client  50000
     timeout server  50000
     errorfile 403 /usr/local/etc/haproxy/errors/403.http

 frontend http_front
     bind *:8080
     bind *:8443 ssl crt /usr/local/etc/haproxy/ssl/certs/gerrit-ci.pem
     redirect scheme https code 301 if !{ ssl_fc }
     mode http
     option httplog
     log-format "${HAPROXY_HTTP_LOG_FMT} auth_response_code:%{+Q}[var(txn.auth_response_code)] auth_response_successful:%{+Q}[var(txn.auth_response_successful)]"

     acl is_artifact_download path_reg -i /artifact/.*(json|jar|war|version)$
     acl is_plugin_manager_list path_reg -i /(job|view)/[a-z0-9\-\./]+/api/json$
     acl is_log_browsing path_reg -i /(console|consoleText|consoleFull)$
     acl is_static_asset path_end .js || path_end .css || path_end .svg || path_end .ico
     acl is_get method GET
     acl is_login_flow path_reg -i /(securityRealm/commenceLogin|securityRealm/finishLogin|login/oauth/authorize)
     acl is_envinject_plugin_path path_reg -i /injectedEnvVars/
     acl is_theme path_beg /css/
     acl is_plugin_manager path_beg /plugin-manager/

     # Deny access to injected variables in any case
     http-request deny if is_envinject_plugin_path

     # Jenkins CSS theme and static assets
     use_backend http_static_back if is_theme || is_plugin_manager

     # Always allow the request if no authentication is needed (this is set during development)
     http-request allow if { env(USE_SECURITY) -i -m str false }
     http-request allow if is_static_asset || is_theme || is_plugin_manager

     # Allow any requests if the user is authenticated.
     # We check whether the use is authenticated by performing an HTTP request to the /me/api/json endpoint
     # of Jenkins, which will return 200 OK, if the user is logged in.
     http-request lua.auth-intercept http_back /me/api/json GET cookie cookie -
     http-request allow if { var(txn.auth_response_successful) -m bool }

     # Otherwise, only allow GET requests that are either downloading artifacts, browsing logs, listing plugins or logins
     http-request deny if !is_get
     http-request deny if !is_log_browsing !is_artifact_download !is_plugin_manager_list !is_login_flow !is_theme !is_plugin_manager


     default_backend http_back

 backend http_back
     mode http
     server jenkins jenkins:8080 check

 backend http_static_back
     mode http
     server nginx nginx:80 check
	global
	log stdout format raw local0
	lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
	lua-load /usr/local/etc/haproxy/lua/auth-request.lua

	defaults
	log global
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 403 /usr/local/etc/haproxy/errors/403.http

	frontend http_front
	bind *:8080
	bind *:8443 ssl crt /usr/local/etc/haproxy/ssl/certs/gerrit-ci.pem
	redirect scheme https code 301 if !{ ssl_fc }
	mode http
	option httplog
	log-format "${HAPROXY_HTTP_LOG_FMT} auth_response_code:%{+Q}[var(txn.auth_response_code)] auth_response_successful:%{+Q}[var(txn.auth_response_successful)]"

	acl is_artifact_download path_reg -i /artifact/.*(json\|jar\|war\|version)$
	acl is_plugin_manager_list path_reg -i /(job\|view)/[a-z0-9\-\./]+/api/json$
	acl is_log_browsing path_reg -i /(console\|consoleText\|consoleFull)$
	acl is_static_asset path_end .js \|\| path_end .css \|\| path_end .svg \|\| path_end .ico
	acl is_get method GET
	acl is_login_flow path_reg -i /(securityRealm/commenceLogin\|securityRealm/finishLogin\|login/oauth/authorize)
	acl is_envinject_plugin_path path_reg -i /injectedEnvVars/
	acl is_theme path_beg /css/
	acl is_plugin_manager path_beg /plugin-manager/

	# Deny access to injected variables in any case
	http-request deny if is_envinject_plugin_path

	# Jenkins CSS theme and static assets
	use_backend http_static_back if is_theme \|\| is_plugin_manager

	# Always allow the request if no authentication is needed (this is set during development)
	http-request allow if { env(USE_SECURITY) -i -m str false }
	http-request allow if is_static_asset \|\| is_theme \|\| is_plugin_manager

	# Allow any requests if the user is authenticated.
	# We check whether the use is authenticated by performing an HTTP request to the /me/api/json endpoint
	# of Jenkins, which will return 200 OK, if the user is logged in.
	http-request lua.auth-intercept http_back /me/api/json GET cookie cookie -
	http-request allow if { var(txn.auth_response_successful) -m bool }

	# Otherwise, only allow GET requests that are either downloading artifacts, browsing logs, listing plugins or logins
	http-request deny if !is_get
	http-request deny if !is_log_browsing !is_artifact_download !is_plugin_manager_list !is_login_flow !is_theme !is_plugin_manager


	default_backend http_back

	backend http_back
	mode http
	server jenkins jenkins:8080 check

	backend http_static_back
	mode http
	server nginx nginx:80 check