authorSuresh Charan <suresh.charan@amdocs.com>2022-01-31 06:25:37 -0500
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2022-02-23 07:53:09 +0000
commitc1aa75883eda55ab5e68cc60ba7d68ec27d1d126 (patch)
tree45a58012a9b2a48ad4d48f66e2c09278a2e53a16
parentadbc2b7113e015d2ed6070a76f53ed1c6c0ee4b3 (diff)
[AAI] Request blocking enhancement for AAI
Enable configuration of HAProxy ACL to block incoming requests Issue-ID: OOM-2920 Signed-off-by: Suresh Charan <suresh.charan@amdocs.com> Change-Id: Icacaa7642f018b76b6c738b325c3d2a12702495e
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg9
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy.cfg9
-rw-r--r--kubernetes/aai/values.yaml6
3 files changed, 24 insertions, 0 deletions
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index 9fa6d2ee9b..6e7acef17f 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -88,6 +88,15 @@ frontend IST_8443
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+#######################################
+## Request blocking configuration ###
+#######################################
+ {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+ {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+ {{ $custom_config }}
+ {{- end }}
+ {{- end }}
+
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
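Review bot: Each `customConfigs` entry is written into `frontend IST_8443` verbatim by `{{ $custom_config }}`, so the values file can place any HAProxy directive here, not only deny rules, and one malformed entry will make the whole configuration fail to parse. Since this is meant as a blocking control, the banner should say so, for example `## Entries are emitted as-is; each must be one complete, valid frontend directive ##`, and the rendered file should be checked with `haproxy -c -f <rendered cfg>` before rollout. The same block is added to haproxy.cfg in the next hunk. The frontend section starts and ends outside this hunk.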
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index 1db4addb5a..1accff9935 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -119,6 +119,15 @@ frontend IST_8443
http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+#######################################
+## Request blocking configuration ###
+#######################################
+ {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+ {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+ {{ $custom_config }}
+ {{- end }}
+ {{- end }}
+
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
{{- end }}
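Review bot: The blocking rules are added only inside `frontend IST_8443`, and the `{{- end }}` on the last context line closes a conditional opened outside the hunk, so this frontend appears to be rendered only in some configurations. If the chart defines another frontend that reaches the same backends (not visible here), requests arriving there would bypass the rules. It is worth confirming that every listener gets the same block, or noting the limitation in a comment such as `## Applies to IST_8443 only ##`.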
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 42b0fa622a..ff402dd5da 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -349,6 +349,12 @@ nodeSelector: {}
affinity: {}
+# HAProxy configuration to block HTTP requests to AAI based on configurable URL patterns
+haproxy:
+ requestBlocking:
+ enabled: false
+ customConfigs: []
+
# probe configuration parameters
liveness:
initialDelaySeconds: 10
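Review bot: The comment above `haproxy:` says requests are blocked by "configurable URL patterns", but `customConfigs` takes whole HAProxy lines rather than patterns, and no example shows the expected form. An operator could reasonably supply a bare path and get a proxy that fails to start. I would extend the comment with the format and a constructed sample, e.g. `# customConfigs: list of raw HAProxy frontend lines, e.g. "http-request deny if { path_beg <blocked-path-prefix> }"`, and note that entries have no effect unless `enabled` is `true`.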