0

I have the below config that I need to add to the HA Proxy Ingress controller on my k8s.

acl metrics path -i /metrics
use_backend httpback-default-backend if metrics

So basically what I want is that for all Ingress hosts (URLs) being accessed using the controller, if the path /metrics is accessed, the request needs to be routed to the Ingress default backend and the user should get a 404 error.

So in my standard HA Proxy deployment I have the following configMaps

k get cm
NAME                                DATA   AGE
haproxy-configmap                   8      50d
haproxy-configmap-tcpservice        1      50d
haproxy-ingress                     0      50d
ingress-controller-leader-haproxy   0      50d

And Ive added my config to the haproxy-configmap configMap in the config-frontend section

apiVersion: v1
data:
  config-frontend: |
    capture request header Host len 32
    capture request header X-Request-ID len 64
    capture request header User-Agent len 200
    acl metrics path -i /metrics
    use_backend httpback-default-backend if metrics

Now I expect that /metrics endpoint should lead me to a 404 error but seems like I can still access it.

What am I missing here ?

Joao Morais
  • 1,885
  • 13
  • 20
Jason Stanley
  • 386
  • 1
  • 3
  • 20
  • do you restarted the deployment? – c4f4t0r Aug 15 '19 at 21:53
  • @c4f4t0r no i do not. any changes in the configMap should be automatically picked up. – Jason Stanley Aug 15 '19 at 22:43
  • if you deployed haproxy using helm yes, otherwise by default not – c4f4t0r Aug 15 '19 at 23:30
  • Does problem still exist? – aga Aug 21 '19 at 06:33
  • What if you create an ingress object with a whitelist on `/metrics`? Check if the configmap is properly configured as a command-line option and the namespace/name match. – Joao Morais Oct 02 '19 at 01:09
  • @c4f4t0r Changes to configmap are applied on the fly, with or without helm. – Joao Morais Oct 02 '19 at 01:09
  • @Joao Morais 7, yes to the configmap but not the pod, unless you restart the pod after the change – c4f4t0r Oct 02 '19 at 08:11
  • I can see that there are two separate HAProxy Ingress controllers in maintenance. One is, I assume, developed by Joao Morais here, and another one by HAProxy Technologies (seems like the official one). They seem to support different config options and the one developed by HAProxy Tech does not support `config-frontend`. Could this have been the issue? – Avius Aug 12 '20 at 10:40

0 Answers0