From eddf7b2a42c8b058f2491c0f9bb439afc4f92df3 Mon Sep 17 00:00:00 2001
From: Andre Zoledziowski <az@zok.xyz>
Date: Mon, 21 Jan 2019 14:05:20 +0100
Subject: [PATCH] Inverted HAProxy security policy.

---
 haproxy.cfg | 49 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/haproxy.cfg b/haproxy.cfg
index fa85fb4..433d772 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -42,28 +42,29 @@ backend dockerbackend
 frontend dockerfrontend
     bind :2375
     http-request deny unless METH_GET || { env(POST) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[^/]+/((stop)|(restart)|(kill)) } ! { env(ALLOW_RESTARTS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } ! { env(COMMIT) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } ! { env(CONFIGS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } ! { env(CONTAINERS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } ! { env(DISTRIBUTION) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } ! { env(EVENTS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } ! { env(EXEC) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } ! { env(IMAGES) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } ! { env(INFO) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } ! { env(NETWORKS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } ! { env(NODES) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } ! { env(PING) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } ! { env(PLUGINS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } ! { env(POST) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } ! { env(SECRETS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } ! { env(SERVICES) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } ! { env(SESSION) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } ! { env(SWARM) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } ! { env(SYSTEM) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } ! { env(TASKS) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } ! { env(VERSION) -m bool }
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } ! { env(VOLUMES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[^/]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/configs } { env(CONFIGS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers } { env(CONTAINERS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/distribution } { env(DISTRIBUTION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/events } { env(EVENTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec } { env(EXEC) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images } { env(IMAGES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/info } { env(INFO) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/networks } { env(NETWORKS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/nodes } { env(NODES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } { env(PING) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/plugins } { env(PLUGINS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/post } { env(POST) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/secrets } { env(SECRETS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/services } { env(SERVICES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/session } { env(SESSION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/swarm } { env(SWARM) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/system } { env(SYSTEM) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+    http-request deny
     default_backend dockerbackend