From 0153391a4b02f6140da024839a5dda414305bce9 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 26 Jan 2024 20:51:48 +0200
Subject: [PATCH] Router: Block private services at the HAProxy level.

HAProxy is used to inspect the SNI and route to the correct backend
without needing the SSL certificates and keys. Because it opens a new
TCP connection, the source IP at the other side is always the router's
internal IP so we can't filter there based on the source IP.
---
 Ansible/roles/router/files/haproxy.cfg | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/Ansible/roles/router/files/haproxy.cfg b/Ansible/roles/router/files/haproxy.cfg
index 1368fd4..34e85fe 100644
--- a/Ansible/roles/router/files/haproxy.cfg
+++ b/Ansible/roles/router/files/haproxy.cfg
@@ -27,6 +27,16 @@ frontend http
         acl kodi hdr(host) -i kodi.shore.co.il
         acl kodi hdr(host) -i library.shore.co.il
         acl kodi hdr(host) -i transmission.shore.co.il
+        acl lam hdr(host) -i lam.shore.co.il
+        acl auth hdr(host) -i auth.shore.co.il
+        acl private_ip src 127.0.0.1/8
+        acl private_ip src 10.0.0.0/8
+        acl private_ip src 192.168.0.0/16
+        acl private_ip src 172.16.0.0/12
+        acl shore_ip src 62.219.131.121
+        acl shore_ip src 163.172.74.36
+        http-request deny if lam !private_ip
+        http-request deny if auth !shore_ip !private_ip
         use_backend kodi_http if kodi
         default_backend host01_http
 
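Review bot: The two ACL sets this hunk introduces are not kept in step with the https frontend in the next hunk: there `private_ip` also contains `62.219.131.121`, so `lam.shore.co.il` is reachable from that address over TLS but denied here over plain HTTP, which looks like an oversight in one of the two hunks rather than a deliberate difference. The bare IP literals in `shore_ip` also carry no explanation; a short comment above them, e.g. `# shore_ip: <owner/location of these addresses> — allowed to reach auth`, would let the next person extend the list without guessing. Since these rules are the only thing standing between the internet and the private services (the commit message explains the backend cannot see the client IP), it is worth noting in a comment that `src` here is the TCP peer, so the rules are only meaningful while HAProxy is the edge listener and not behind another proxy. The `frontend http` section starts above this hunk.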
@@ -35,11 +45,22 @@ frontend https
         mode tcp
         option tcplog
         tcp-request inspect-delay 5s
-        tcp-request content accept if { req_ssl_hello_type 1 }
         acl kodi req_ssl_sni -i jellyfin.shore.co.il
         acl kodi req_ssl_sni -i kodi.shore.co.il
         acl kodi req_ssl_sni -i library.shore.co.il
         acl kodi req_ssl_sni -i transmission.shore.co.il
+        acl lam req_ssl_sni -i lam.shore.co.il
+        acl auth req_ssl_sni -i auth.shore.co.il
+        acl private_ip src 127.0.0.1/8
+        acl private_ip src 10.0.0.0/8
+        acl private_ip src 192.168.0.0/16
+        acl private_ip src 172.16.0.0/12
+        acl private_ip src 62.219.131.121
+        acl shore_ip src 62.219.131.121
+        acl shore_ip src 163.172.74.36
+        tcp-request content reject if lam !private_ip
+        tcp-request content reject if auth !shore_ip !private_ip
+        tcp-request content accept if { req_ssl_hello_type 1 }
         use_backend kodi_https if kodi
         default_backend host01_https
 
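Review bot: `acl private_ip src 62.219.131.121` at the fifth `private_ip` line duplicates the first `shore_ip` entry and is absent from the http frontend's `private_ip`, so it is unclear whether `lam` is meant to be reachable from that address; either drop that line so `private_ip` means RFC 1918 plus loopback in both frontends, or add the same line to the http frontend and say why in a comment. Moving `tcp-request content accept if { req_ssl_hello_type 1 }` below the two reject rules is the right order, since an earlier accept would end rule evaluation before the SNI-based rejects ran; a one-line comment such as `# keep the accept after the rejects: accept ends rule evaluation` would stop a future edit from reordering them. The `frontend https` section starts above this hunk.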
-- 
GitLab