blob: 2d0cc4e1eb7b7a96d3764778842f5544b87bd836 [file] [log] [blame]
global
log stdout format raw local0
lua-prepend-path /usr/local/etc/haproxy/lua/?.lua
lua-load /usr/local/etc/haproxy/lua/auth-request.lua
defaults
log global
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 403 /usr/local/etc/haproxy/errors/403.http
frontend http_front
bind *:8080
bind *:8443 ssl crt /usr/local/etc/haproxy/ssl/certs/gerrit-ci.pem
mode http
option httplog
log-format "${HAPROXY_HTTP_LOG_FMT} auth_response_code:%{+Q}[var(txn.auth_response_code)] auth_response_successful:%{+Q}[var(txn.auth_response_successful)]"
acl is_artifact_download path_reg -i /artifact/.*(json|jar|war|version)$
acl is_plugin_manager_list path_reg -i /view/.*/api/json$
acl is_log_browsing path_reg -i /(console|consoleText|consoleFull)$
acl is_static_asset path_end .js || path_end .css || path_end .svg || path_end .ico
acl is_get method GET
acl is_login_flow path_reg -i /(securityRealm/commenceLogin|securityRealm/finishLogin|login/oauth/authorize)
acl is_envinject_plugin_path path_reg -i /injectedEnvVars/
# Deny access to injected variables in any case
http-request deny if is_envinject_plugin_path
# Always allow the request if no authentication is needed (this is set during development)
http-request allow if { env(USE_SECURITY) -i -m str false }
http-request allow if is_static_asset
# Allow any requests if the user is authenticated.
# We check whether the use is authenticated by performing an HTTP request to the /me/api/json endpoint
# of Jenkins, which will return 200 OK, if the user is logged in.
http-request lua.auth-intercept http_back /me/api/json GET cookie cookie -
http-request allow if { var(txn.auth_response_successful) -m bool }
# Otherwise, only allow GET requests that are either downloading artifacts, browsing logs, listing plugins or logins
http-request deny if !is_get
http-request deny if !is_log_browsing !is_artifact_download !is_plugin_manager_list !is_login_flow
default_backend http_back
backend http_back
mode http
server jenkins jenkins:8080 check