diff --git a/CHANGELOG.md b/CHANGELOG.md index 63bcbd4c..2e361641 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,6 @@ This file is used to list changes made in each version of the haproxy cookbook. ## [12.4.11](https://github.com/sous-chefs/haproxy/compare/v12.4.10...v12.4.11) (2025-09-15) - ### Bug Fixes * **ci:** Fix share command ([#556](https://github.com/sous-chefs/haproxy/issues/556)) ([f63a220](https://github.com/sous-chefs/haproxy/commit/f63a220b586cd8d6c54f9401f4b42769d2a0239c)) @@ -85,6 +84,7 @@ This file is used to list changes made in each version of the haproxy cookbook. ## 12.4.1 - *2025-09-04* + ## 12.4.0 - *2024-12-09* * Add `option` property to `haproxy_listen` @@ -169,8 +169,6 @@ Standardise files with files in sous-chefs/repo-management Standardise files with files in sous-chefs/repo-management -Standardise files with files in sous-chefs/repo-management - ## 12.2.8 - *2023-02-14* Standardise files with files in sous-chefs/repo-management @@ -392,6 +390,14 @@ Standardise files with files in sous-chefs/repo-management * Documentation - clarify extra_options hash string => array option. * Clarify the supported platforms - add AmazonLinux 2, remove fedora & freebsd. +### Fixed + +* Init script for Amazon Linux. + +### BREAKING CHANGES + +* This version removes `stats_socket`, `stats_uri` and `stats_timeout` properties from the `haproxy_global` and `haproxy_listen` resources in favour of using a hash to pass configuration options. + ## [v6.2.7] (2019-01-10) ### Added 
@@ -578,8 +584,16 @@ Standardise files with files in sous-chefs/repo-management ### Removed +* Attributes from the metadata file as these are redundant +* Broken tarball validation in the source recipe to prevented installs from completing + +### Fixed + +* Source installs not running if an older version was present on the node +* Resolved all cookstyle and foodcritic warnings * `default_backend` as a required property on the `frontend` resource. + ## [v4.2.0] (2017-05-04) ### Added @@ -783,6 +797,7 @@ Standardise files with files in sous-chefs/repo-management ### Fixed +* Init script for Amazon Linux. * CPU Tuning, corrects cpu_affinity resource triggers ## v1.6.4 diff --git a/README.md b/README.md index c90b37b5..bf8d89db 100644 --- a/README.md +++ b/README.md @@ -15,18 +15,18 @@ This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of ## Requirements * HAProxy `stable` or `LTS` -* Chef 13.9+ +* Chef 16+ ### Platforms This cookbook officially supports and is tested against the following platforms: -* debian: 9 & 10 -* ubuntu: 20.04 & 21.04 -* centos: 7 & 8 -* centos-stream: 8 +* debian: 11 & 12 +* ubuntu: 20.04 & 22.04 +* centos-stream: 8 & 9 +* amazonlinux: 2023 * fedora: latest -* amazonlinux: 2 +* opensuseleap PRs are welcome to add support for additional platforms. diff --git a/kitchen.yml b/kitchen.yml index b70cf4d7..a42242e6 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -46,6 +46,12 @@ suites: - name: source_openssl run_list: - recipe[test::source_openssl] + - name: security + run_list: + - recipe[test::package] + verifier: + inspec_tests: + - test/integration/security - name: config_2 run_list: - recipe[test::config_2] diff --git a/test/cookbooks/test/recipes/security.rb b/test/cookbooks/test/recipes/security.rb new file mode 100644 index 00000000..3009092c --- /dev/null +++ b/test/cookbooks/test/recipes/security.rb 
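Review bot: The new `security` suite in kitchen.yml runs `recipe[test::package]`, not the `test::security` recipe this change adds, so the `test/integration/security` profile will be verified against whatever the package recipe writes rather than the stats socket, timeouts and config-file permissions set in `security.rb`. Unless `test::package` happens to emit the identical configuration, the suite will either fail or pass for the wrong reason. Change the run_list entry to `- recipe[test::security]`. The README and CHANGELOG hunks on this line are documentation-only.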
@@ -0,0 +1,45 @@
+# Test recipe for security configuration
+haproxy_install 'package'
+
+# Configure global settings
+haproxy_config_global 'global' do
+ user 'haproxy'
+ group 'haproxy'
+ log '/dev/log syslog info'
+ log_tag 'haproxy'
+ daemon true
+ quiet true
+ stats_socket '/var/run/haproxy.sock user haproxy group haproxy'
+ stats_timeout '2m'
+ maxconn 1000
+ pidfile '/var/run/haproxy.pid'
+end
+
+# Configure defaults
+haproxy_config_defaults 'defaults' do
+ timeout_client '10s'
+ timeout_server '10s'
+ timeout_connect '10s'
+ log 'global'
+ mode 'http'
+ balance 'roundrobin'
+ option %w(httplog dontlognull redispatch tcplog)
+end
+
+# Configure frontend
+haproxy_frontend 'http-in' do
+ bind '0.0.0.0:80'
+ default_backend 'servers'
+end
+
+# Configure backend
+haproxy_backend 'servers' do
+ server ['server1 127.0.0.1:8000 maxconn 32']
+end
+
+# Ensure config file permissions
+file '/etc/haproxy/haproxy.cfg' do
+ owner 'haproxy'
+ group 'haproxy'
+ mode '0640'
+end
diff --git a/test/integration/security/controls/secure_defaults_spec.rb b/test/integration/security/controls/secure_defaults_spec.rb
new file mode 100644
index 00000000..fa825502
--- /dev/null
+++ b/test/integration/security/controls/secure_defaults_spec.rb
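Review bot: The `file '/etc/haproxy/haproxy.cfg'` resource at the end of this recipe makes the haproxy service user the owner of its own configuration, so a compromised worker (which still runs as `haproxy` after privileges are dropped) could rewrite the config it will next be reloaded with; a hardening example should use `owner 'root'` with `group 'haproxy'` and keep `mode '0640'`. The cookbook's own config resources presumably already manage this path, so a second `file` resource on it may also fight with that template on every run — worth confirming before keeping it. Separately, the `stats_socket` value sets `user`/`group` but neither `mode` nor `level`, leaving the admin socket's permissions to HAProxy's umask-derived default and its privilege level to the default; pin both, e.g. `stats_socket '/var/run/haproxy.sock user haproxy group haproxy mode 660 level admin'`, using `level operator` if runtime admin commands are not needed. `bind '0.0.0.0:80'` is plaintext on all interfaces, which is fine for a test fixture but should be called out in the recipe's header comment so nobody copies it as a "secure" template.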
@@ -0,0 +1,62 @@
+title 'HAProxy Secure Configuration Checks'
+
+# Include common HAProxy tests
+include_controls 'common'
+
+# Security Baseline for HAProxy Configuration
+describe 'HAProxy Security Defaults' do
+ # Global Security Checks
+ describe file('/etc/haproxy/haproxy.cfg') do
+ # Basic configuration
+ its('content') { should match(/^\s*user\s+haproxy/) }
+ its('content') { should match(/^\s*group\s+haproxy/) }
+ its('content') { should match(/^\s*daemon/) }
+
+ # Logging configuration
+ its('content') { should match(%r{^\s*log\s+/dev/log\s+syslog\s+info}) }
+ its('content') { should match(/^\s*log-tag\s+haproxy/) }
+ its('content') { should_not match(/^\s*log-send-hostname/) }
+
+ # Stats socket configuration
+ its('content') { should match(%r{^\s*stats\s+socket\s+/var/run/haproxy\.sock\s+user\s+haproxy\s+group\s+haproxy}) }
+ its('content') { should match(/^\s*stats\s+timeout\s+2m/) }
+
+ # Connection settings
+ its('content') { should match(/^\s*maxconn\s+1000/) }
+
+ # Default timeouts
+ its('content') { should match(/^\s*timeout\s+client\s+10s/) }
+ its('content') { should match(/^\s*timeout\s+server\s+10s/) }
+ its('content') { should match(/^\s*timeout\s+connect\s+10s/) }
+
+ # Default options
+ its('content') { should match(/^\s*option\s+httplog/) }
+ its('content') { should match(/^\s*option\s+dontlognull/) }
+ its('content') { should match(/^\s*option\s+redispatch/) }
+ its('content') { should match(/^\s*option\s+tcplog/) }
+
+ # Mode and balance
+ its('content') { should match(/^\s*mode\s+http/) }
+ its('content') { should match(/^\s*balance\s+roundrobin/) }
+
+ # File permissions
+ it { should be_owned_by 'haproxy' }
+ it { should be_grouped_into 'haproxy' }
+ its('mode') { should cmp '0640' }
+ end
+
+ # Service Configuration
+ describe service('haproxy') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
+
+# Additional Security Recommendations
+describe 'Security Recommendations' do
+ # Validate service configuration
+ describe service('haproxy') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
diff --git a/test/integration/security/inspec.yml b/test/integration/security/inspec.yml
new file mode 100644
index 00000000..f4443b29
--- /dev/null
+++ b/test/integration/security/inspec.yml
@@ -0,0 +1,9 @@
+---
+name: security
+title: HAProxy Security Profile
+version: 0.1.0
+supports:
+ - os-family: linux
+depends:
+ - name: common
+ path: test/integration/common
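Review bot: The profile only greps haproxy.cfg for the `stats socket` line and never inspects the socket HAProxy actually creates, so a world-writable or wrongly owned admin socket would pass a suite named `security`; add a `describe file('/var/run/haproxy.sock')` block asserting owner, group and mode (the expected mode depends on what the recipe's `stats_socket` value pins — `0660` if it adds `mode 660`). The `be_owned_by 'haproxy'` expectation on the config file also codifies the service user owning its own configuration, which is the opposite of what a hardening baseline normally asserts (`be_owned_by 'root'`). The trailing `describe 'Security Recommendations'` block repeats the `service('haproxy')` checks of the first block verbatim and adds nothing; drop it or give it checks of its own.

```ruby
  # … unchanged: describe file('/etc/haproxy/haproxy.cfg') content checks …

  # Stats socket permissions: the config line alone does not prove what HAProxy created
  describe file('/var/run/haproxy.sock') do
    it { should be_socket }
    it { should be_owned_by 'haproxy' }
    it { should be_grouped_into 'haproxy' }
    its('mode') { should cmp '0660' }
  end

  # … unchanged: describe service('haproxy') checks …
```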