From 5a7bc8fd17cd28e400d2a1ccb876cdcdabc588a0 Mon Sep 17 00:00:00 2001
From: Andre Zoledziowski <az@zok.xyz>
Date: Mon, 21 Jan 2019 14:02:01 +0100
Subject: [PATCH] Added explicit "allow restarts" permission.

---
 Dockerfile  | 3 ++-
 haproxy.cfg | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0a6d35e..8d7a62b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
 FROM haproxy:1.9-alpine
 
 EXPOSE 2375
-ENV AUTH=0 \
+ENV ALLOW_RESTARTS=0 \
+    AUTH=0 \
     BUILD=0 \
     COMMIT=0 \
     CONFIGS=0 \
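Review bot: `ALLOW_RESTARTS` is added without a comment, and its name understates what it controls: the matching rule this commit adds to haproxy.cfg gates `stop` and `kill` as well as `restart`. A line above the `ENV` instruction such as `# ALLOW_RESTARTS=1 permits /containers/<id>/{stop,restart,kill}; POST=1 is presumably needed as well` would save operators from reading the proxy config to find that out. Defaulting it to `0` keeps the new permission off unless explicitly granted, which matches the other switches visible here. The `ENV` list continues past the end of the hunk.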
diff --git a/haproxy.cfg b/haproxy.cfg
index 3a5c677..fa85fb4 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -42,6 +42,7 @@ backend dockerbackend
 frontend dockerfrontend
     bind :2375
     http-request deny unless METH_GET || { env(POST) -m bool }
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[^/]+/((stop)|(restart)|(kill)) } ! { env(ALLOW_RESTARTS) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } ! { env(COMMIT) -m bool }
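Review bot: The added `http-request deny` rule is one more deny-list entry, so it covers only the three verbs its regex names; other state-changing calls on the same resource (for example `start` or `pause`) are not matched and, as far as this hunk shows, stay governed only by the `POST` gate on the line above and by rules outside the hunk. It also changes behaviour for existing deployments: with `POST=1`, stop/restart/kill requests previously got past this point and are now refused until `ALLOW_RESTARTS=1` is set, which deserves a README or changelog entry. Because `kill` accepts an arbitrary signal, the permission is broader than restarting, so a comment above the rule would help, e.g. `# stop/restart/kill change container state; refused unless ALLOW_RESTARTS is true`. The alternation can drop the inner capture groups and read `(stop|restart|kill)`. The frontend section continues past the end of the hunk.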
-- 
GitLab