jenkins-docker/server/haproxy/haproxy.cfg - gerrit-ci-scripts - Git at Google

 global
     log stdout format raw local0
     lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
     lua-load /usr/local/etc/haproxy/lua/auth-request.lua

 defaults
     log     global
     timeout connect 5000
     timeout client  50000
     timeout server  50000
     errorfile 403 /usr/local/etc/haproxy/errors/403.http

 frontend http_front
     bind *:8080
     bind *:8443 ssl crt /usr/local/etc/haproxy/ssl/certs/gerrit-ci.pem
     mode http
     option httplog
     log-format "${HAPROXY_HTTP_LOG_FMT} auth_response_code:%{+Q}[var(txn.auth_response_code)] auth_response_successful:%{+Q}[var(txn.auth_response_successful)]"

     acl is_artifact_download path_reg -i /artifact/.*(json|jar|war|version)$
     acl is_plugin_manager_list path_reg -i /view/.*/api/json$
     acl is_log_browsing path_reg -i /(console|consoleText|consoleFull)$
     acl is_static_asset path_end .js || path_end .css || path_end .svg || path_end .ico
     acl is_get method GET
     acl is_login_flow path_reg -i /(securityRealm/commenceLogin|securityRealm/finishLogin|login/oauth/authorize)
     acl is_envinject_plugin_path path_reg -i /injectedEnvVars/

     # Deny access to injected variables in any case
     http-request deny if is_envinject_plugin_path

     # Always allow the request if no authentication is needed (this is set during development)
     http-request allow if { env(USE_SECURITY) -i -m str false }
     http-request allow if is_static_asset

     # Allow any requests if the user is authenticated.
     # We check whether the use is authenticated by performing an HTTP request to the /me/api/json endpoint
     # of Jenkins, which will return 200 OK, if the user is logged in.
     http-request lua.auth-intercept http_back /me/api/json GET cookie cookie -
     http-request allow if { var(txn.auth_response_successful) -m bool }

     # Otherwise, only allow GET requests that are either downloading artifacts, browsing logs, listing plugins or logins
     http-request deny if !is_get
     http-request deny if !is_log_browsing !is_artifact_download !is_plugin_manager_list !is_login_flow

     default_backend http_back

 backend http_back
     mode http
     server jenkins jenkins:8080 check
	global
	log stdout format raw local0
	lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
	lua-load /usr/local/etc/haproxy/lua/auth-request.lua

	defaults
	log global
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 403 /usr/local/etc/haproxy/errors/403.http

	frontend http_front
	bind *:8080
	bind *:8443 ssl crt /usr/local/etc/haproxy/ssl/certs/gerrit-ci.pem
	mode http
	option httplog
	log-format "${HAPROXY_HTTP_LOG_FMT} auth_response_code:%{+Q}[var(txn.auth_response_code)] auth_response_successful:%{+Q}[var(txn.auth_response_successful)]"

	acl is_artifact_download path_reg -i /artifact/.*(json\|jar\|war\|version)$
	acl is_plugin_manager_list path_reg -i /view/.*/api/json$
	acl is_log_browsing path_reg -i /(console\|consoleText\|consoleFull)$
	acl is_static_asset path_end .js \|\| path_end .css \|\| path_end .svg \|\| path_end .ico
	acl is_get method GET
	acl is_login_flow path_reg -i /(securityRealm/commenceLogin\|securityRealm/finishLogin\|login/oauth/authorize)
	acl is_envinject_plugin_path path_reg -i /injectedEnvVars/

	# Deny access to injected variables in any case
	http-request deny if is_envinject_plugin_path

	# Always allow the request if no authentication is needed (this is set during development)
	http-request allow if { env(USE_SECURITY) -i -m str false }
	http-request allow if is_static_asset

	# Allow any requests if the user is authenticated.
	# We check whether the use is authenticated by performing an HTTP request to the /me/api/json endpoint
	# of Jenkins, which will return 200 OK, if the user is logged in.
	http-request lua.auth-intercept http_back /me/api/json GET cookie cookie -
	http-request allow if { var(txn.auth_response_successful) -m bool }

	# Otherwise, only allow GET requests that are either downloading artifacts, browsing logs, listing plugins or logins
	http-request deny if !is_get
	http-request deny if !is_log_browsing !is_artifact_download !is_plugin_manager_list !is_login_flow

	default_backend http_back

	backend http_back
	mode http
	server jenkins jenkins:8080 check