net-ops/lb-common/overlay/opt/frontend/config/common/haproxy_eidas.j2

{% extends 'common/haproxy_base.j2' %}

{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}

{% block frontend %}
frontend {{ site_name }}
    {{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}


    timeout http-request 10s
    timeout http-keep-alive 4s
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Proxy-Authenticate "{{ eidas_proxy_auth }}"

    {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}

    {{ csp(["default-src "               + ["'self'"]|join(' '),
	    "font-src "                  + ["'self'", "fonts.googleapis.com", "fonts.gstatic.com"]|join(' '),
	    "script-src "                + ["'self'", "'unsafe-inline'", "swedenconnect.status.io", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]|join(' '),
	    "connect-src "               + ["'self'","api.status.io"]|join(' '),
	    "img-src "                   + ["*", "data:", "'self'"]|join(' '),
	    "style-src "                 + ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]|join(' '),
	    ]) }}

    {{ acme_challenge(letsencrypt_server) }}

    {% block usebackend %}
    use_backend {{ site_name }}__default
    {% endblock usebackend %}
{% endblock frontend %}
move tug-lb-1.sunet.se to net-ops 2025-02-25 17:51:13 +01:00			`{% extends 'common/haproxy_base.j2' %}`

			`{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}`

			`{% block frontend %}`
			`frontend {{ site_name }}`
			`{{ bind_ip_tls(bind_ips, 443, tls_certificate_bundle) }}`


			`timeout http-request 10s`
			`timeout http-keep-alive 4s`
			`option forwardfor`
			`http-request set-header X-Forwarded-Proto https`
			`http-request set-header X-Proxy-Authenticate "{{ eidas_proxy_auth }}"`

			`{{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}`

			`{{ csp(["default-src " + ["'self'"]\|join(' '),`
			`"font-src " + ["'self'", "fonts.googleapis.com", "fonts.gstatic.com"]\|join(' '),`
			`"script-src " + ["'self'", "'unsafe-inline'", "swedenconnect.status.io", "api.status.io", "www.google-analytics.com", "ajax.googleapis.com"]\|join(' '),`
			`"connect-src " + ["'self'","api.status.io"]\|join(' '),`
			`"img-src " + ["*", "data:", "'self'"]\|join(' '),`
			`"style-src " + ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]\|join(' '),`
			`]) }}`

			`{{ acme_challenge(letsencrypt_server) }}`

			`{% block usebackend %}`
			`use_backend {{ site_name }}__default`
			`{% endblock usebackend %}`
			`{% endblock frontend %}`