Haproxy: fix duplicate ssl cert config

Author: baszoetekouw

roles/haproxy/templates/haproxy_frontend.cfg.j2

@@ -12,8 +12,8 @@ frontend stats
 # -------------------------------------------------------------------
 frontend internet_ip
 
-    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/  no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip.ipv6 }}:80 transparent
     # Logging is done in the local_ip backend, otherwise all requests are logged twice
@@ -30,7 +30,7 @@ frontend internet_ip
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
     capture request header User-agent len 256
-    # Put the useragent header in a variable, shared between request and response. 
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -51,7 +51,7 @@ frontend internet_ip
     http-response replace-header Set-Cookie (?i)(^(?!.*samesite).*$) \1;\ SameSite=None if !no_same_site_uas
     # Remove an already present SameSite cookie attribute for unsupported browsers
     http-response replace-value Set-Cookie (^.*)(?i);\ *SameSite=(Lax|Strict|None)(.*$) \1\3 if no_same_site_uas
-    # Log whether the no_same_site_uas ACL has been hit 
+    # Log whether the no_same_site_uas ACL has been hit
     http-request set-header samesitesupport samesite_notsupported if no_same_site_uas
     http-request set-header samesitesupport samesite_supported if !no_same_site_uas
     # We need a dummy backend in order to be able to rewrite the loadbalancer cookies
@@ -66,7 +66,7 @@ frontend local_ip
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsunrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -82,7 +82,7 @@ frontend local_ip
     http-request capture sc_http_req_rate(0) len 4
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -96,7 +96,7 @@ frontend local_ip
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}
@@ -111,8 +111,8 @@ frontend local_ip
 ## -------------------------------------------------------------------
 frontend internet_restricted_ip
 
-    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip_restricted.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip_restricted.ipv6 }}:80 transparent
     # Logging is done in the local_ip_restriced backend, otherwise all requests are logged twice
@@ -128,8 +128,8 @@ frontend internet_restricted_ip
     # We redirect all port 80 to port 443
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
-    capture request header User-agent len 256 
-    # Put the useragent header in a variable, shared between request and response. 
+    capture request header User-agent len 256
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -155,12 +155,12 @@ frontend internet_restricted_ip
 #  frontend restricted ip addresses localhost
 #  traffic coming back from the dummy backend ends up here
 # -------------------------------------------------------------------
-frontend localhost_restricted    
+frontend localhost_restricted
     bind 127.0.0.1:82 accept-proxy
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -177,7 +177,7 @@ frontend localhost_restricted
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -191,7 +191,7 @@ frontend localhost_restricted
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}