diff --git a/utils/haproxy_config.py b/utils/haproxy_config.py
index cd1c276..3691ae7 100644
--- a/utils/haproxy_config.py
+++ b/utils/haproxy_config.py
@@ -93,8 +93,11 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 os.makedirs(os.path.dirname(HAPROXY_CFG), exist_ok=True)
- if is_backend_exist(backend_name):
- return f"Backend {backend_name} already exists. Cannot add duplicate."
+ # Generate unique backend name with hostname suffix
+ unique_backend_name = f"{backend_name}_{sanitize_name(frontend_hostname)}" if frontend_hostname else backend_name
+
+ if is_backend_exist(unique_backend_name):
+ return f"Backend {unique_backend_name} already exists. Cannot add duplicate."
 is_no_lb = lb_method == 'no-lb'
 if is_no_lb and len(backend_servers) > 1:
@@ -115,21 +118,14 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 haproxy_cfg.write(f" ssl crt {ssl_cert_path}")
 haproxy_cfg.write("\n")
-
- # ===== HTTP-REQUEST RULES (BEFORE REDIRECT) =====
- if is_no_lb:
- haproxy_cfg.write(f" http-request set-header X-Forwarded-For %[src]\n")
- if use_ssl:
- haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto https\n")
- else:
- haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto http\n")
+ # ===== SET HEADERS (RIGHT AFTER BIND/CERT) =====
+ haproxy_cfg.write(f" http-request set-header X-Forwarded-For %[src]\n")
+ if use_ssl:
+ haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto https\n")
 else:
- haproxy_cfg.write(f" balance {lb_method}\n")
-
- if forward_for:
- haproxy_cfg.write(f" option forwardfor\n")
-
+ haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto http\n")
+
 # Mode
 haproxy_cfg.write(f" mode {protocol}\n")
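Review bot: `backend_name` is placed into `unique_backend_name` unsanitized in the first hunk, so only the hostname suffix goes through `sanitize_name` while the prefix is later written verbatim into the `backend`, `use_backend` and `default_backend` lines. If that value originates from a request, whitespace or a newline in it would add or alter directives in haproxy.cfg. Assuming `sanitize_name` restricts its input to a safe character set (its body is not in this diff), I would build the name as `f"{sanitize_name(backend_name)}_{sanitize_name(frontend_hostname)}" if frontend_hostname else sanitize_name(backend_name)`. The same applies to `unique_redirect_backend_name` in the @@ -241 hunk; update_haproxy_config starts and ends outside this hunk.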
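Review bot: The `http-request set-header X-Forwarded-For %[src]` write in the @@ -115 hunk is now unconditional, so it is emitted whatever `protocol` is (the `mode {protocol}` line follows it) and whether or not `forward_for` is set. HAProxy ignores `http-request` rules on a proxy that is not in HTTP mode, and where `forward_for` is true the `option forwardfor` written later likely appends the client address a second time after this rule has already replaced the header. I would guard the header writes with `if protocol == 'http':` (assuming that is the value used for HTTP frontends) and keep only one of the two mechanisms. A comment such as `# Overwrite (not append) X-Forwarded-For so a client-supplied value never reaches the backend` above the block would record why `set-header` is used.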
@@ -138,7 +134,13 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 if frontend_hostname:
 acl_name_sanitized = f"is_{sanitize_name(frontend_hostname)}"
 haproxy_cfg.write(f" acl {acl_name_sanitized} hdr(host) -i {frontend_hostname}\n")
-
+
+ # Balance settings for non-no-lb mode
+ if not is_no_lb:
+ haproxy_cfg.write(f" balance {lb_method}\n")
+ if forward_for:
+ haproxy_cfg.write(f" option forwardfor\n")
+
 # DOS protection (BEFORE REDIRECT!)
 if is_dos:
 haproxy_cfg.write(f" stick-table type ip size 1m expire {ban_duration} store http_req_rate(1m)\n")
@@ -200,14 +202,12 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 # ===== BACKEND ROUTING =====
 if acl_name_sanitized:
- # Jeśli jest hostname, routuj z ACL
- haproxy_cfg.write(f" use_backend {backend_name} if {acl_name_sanitized}\n")
+ haproxy_cfg.write(f" use_backend {unique_backend_name} if {acl_name_sanitized}\n")
 else:
- # Default backend
- haproxy_cfg.write(f" default_backend {backend_name}\n")
+ haproxy_cfg.write(f" default_backend {unique_backend_name}\n")
- # ===== PRIMARY BACKEND =====
- haproxy_cfg.write(f"\nbackend {backend_name}\n")
+ # ===== PRIMARY BACKEND (WITH UNIQUE NAME) =====
+ haproxy_cfg.write(f"\nbackend {unique_backend_name}\n")
 if not is_no_lb:
 haproxy_cfg.write(f" balance {lb_method}\n")
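Review bot: The `balance {lb_method}` write added in the @@ -138 hunk lands in what appears to be the frontend section (it sits between the `acl` line and the `use_backend` routing), but `balance` is only valid in defaults, listen and backend sections, and the backend section already emits the same line after `backend {unique_backend_name}` in the next hunk. HAProxy will warn about and ignore it in a frontend, so I would drop that write from this block and leave only the `forward_for` branch. `lb_method` is also interpolated as-is; if it comes from a form field, checking it against a fixed set of allowed algorithms before writing would keep stray directives out of the file. Indentation is lost in this view, so the nesting of `if forward_for:` under `if not is_no_lb:` should be confirmed against the file.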
@@ -241,8 +241,10 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 # ===== REDIRECT FRONTEND (HTTP -> HTTPS) =====
 if backend_ssl_redirect and ssl_redirect_backend_name:
- if is_backend_exist(ssl_redirect_backend_name):
- return f"Redirect backend {ssl_redirect_backend_name} already exists. Cannot add duplicate."
+ unique_redirect_backend_name = f"{ssl_redirect_backend_name}_{sanitize_name(frontend_hostname)}" if frontend_hostname else ssl_redirect_backend_name
+
+ if is_backend_exist(unique_redirect_backend_name):
+ return f"Redirect backend {unique_redirect_backend_name} already exists. Cannot add duplicate."
 # Generate unique name for redirect frontend
 redirect_frontend_name = f"redirect_https_{sanitize_name(frontend_hostname)}" if frontend_hostname else f"redirect_https_{frontend_name}"
@@ -255,12 +257,12 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
 if frontend_hostname:
 acl_name_redirect = f"is_{sanitize_name(frontend_hostname)}_redirect"
 haproxy_cfg.write(f" acl {acl_name_redirect} hdr(host) -i {frontend_hostname}\n")
- haproxy_cfg.write(f" use_backend {ssl_redirect_backend_name} if {acl_name_redirect}\n")
+ haproxy_cfg.write(f" use_backend {unique_redirect_backend_name} if {acl_name_redirect}\n")
 else:
- haproxy_cfg.write(f" default_backend {ssl_redirect_backend_name}\n")
+ haproxy_cfg.write(f" default_backend {unique_redirect_backend_name}\n")
 # Redirect backend
- haproxy_cfg.write(f"\nbackend {ssl_redirect_backend_name}\n")
+ haproxy_cfg.write(f"\nbackend {unique_redirect_backend_name}\n")
 haproxy_cfg.write(f" mode http\n")
 haproxy_cfg.write(f" redirect scheme https code 301 if !{{ ssl_fc }}\n")
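Review bot: The duplicate check on `unique_redirect_backend_name` in the @@ -241 hunk still runs after the primary frontend and `backend {unique_backend_name}` have been written in the @@ -200 hunk, so the early `return` here appears to leave haproxy.cfg with the main entry added while the caller is told the operation failed. Computing `unique_redirect_backend_name` and calling `is_backend_exist` on it next to the primary check at the top of the function, before the first `haproxy_cfg.write`, would make the update all-or-nothing. How the file is opened is outside these hunks, so confirm the writes do not already go to a temporary file that is discarded on failure.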