From 067f4b8e320280208361c99b890cd7aa3ad8715f Mon Sep 17 00:00:00 2001 From: billisdead Date: Sun, 11 Jan 2026 16:04:44 +0100 Subject: [PATCH] config ghost le boudoir --- haproxy.cfg | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/haproxy.cfg b/haproxy.cfg index 8cdf323..ddc5814 100644 --- a/haproxy.cfg +++ b/haproxy.cfg @@ -60,6 +60,9 @@ defaults # errorfile 503 /etc/haproxy/errors/503.http # errorfile 504 /etc/haproxy/errors/504.http +userlist admin-ghost + group is-admin + user admin password $5$ITvxQNSy4YoUQdNm$p/2D8ey05ZI3KC2gpRun4OKNsomFS8xJnNd0M4P0zeB # $5$... (générez avec: printf "votrepassword" | mkpasswd --method=sha-256 --stdout) #frontend http_in # bind *:80 @@ -135,10 +138,10 @@ frontend https acl stats-host hdr(host) -i stats.gyozamancave.fr acl n8n-host hdr(host) -i n8n.gyozamancave.fr acl homegit-host hdr(host) -i homegit.gyozamancave.fr - acl boudoir-host hdr(host) -i ledigitalboudoir.com #acl boudoir-assets path_beg /assets/ #acl path_og path_beg /og/ - + acl boudoir-host hdr(host) -i ledigitalboudoir.com + use_backend cms if cms-host use_backend links-mtb if links-host use_backend cms2 if cms2-host @@ -154,7 +157,7 @@ frontend https #use_backend boudoir-assets-backend if path_og #use_backend boudoir-assets-backend if boudoir-assets use_backend boudoir-backend if boudoir-host - + #backend boudoir-assets-backend # mode http 
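Review bot: The added `user admin password $5$…` line puts a live credential hash into version control, where anyone who can read the repository or this patch can attempt offline guessing against it. Keeping the `userlist admin-ghost` section in a separate, uncommitted file loaded with an additional `-f` argument would avoid that, and the password should be treated as exposed and changed, since the hash is now in history. The trailing hint pipes the cleartext through `printf`, which leaves it in shell history, and `--stdout` does not look like a mkpasswd option (`--stdin` was probably meant); I would replace it with `# hash generated with: mkpasswd --method=sha-256` so the tool prompts for the password. Within this patch the userlist is referenced only by the `admin_auth` ACL, which no active rule uses.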
@@ -181,8 +184,24 @@ frontend https # Serveur Directus interne # server directus 192.168.1.107:8055 check +#backend boudoir-backend +# server boudoir 192.168.1.57:2368 backend boudoir-backend - server boudoir 192.168.1.57:2368 + acl ghost_path path_beg /ghost/ + acl is_whitelisted src 82.67.3.126/32 + acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) + acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis) + acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine + acl admin_auth http_auth_group(admin-ghost) is-admin + + # Deny /ghost/ hors IP white + http-request deny if ghost_path !is_whitelisted_full + + # Auth basique pour /ghost/ (toujours demandée si pas IP white, mais safe) +# http-request auth realm "Ghost Admin" unless admin_auth if ghost_path + # Bloque /ghost/ hors votre IP (sécurisé, simple) + server boudoir 192.168.1.57:2368 check + #backend boudoir-backend # server boudoir 192.168.1.107:31723 check
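Review bot: Access to `/ghost/` is decided by source address alone here. The only active rule is `http-request deny if ghost_path !is_whitelisted_full`, which lets every host in 192.168.1.0/24 and 192.168.2.0/24 reach the admin without credentials, while the `http-request auth` line is commented out. That commented line also combines `unless` and `if`, which HAProxy does not accept in one rule; if a second factor is intended, `http-request auth realm "Ghost Admin" if ghost_path !admin_auth` placed after the deny would work. `path_beg /ghost/` compares the raw path case-sensitively, so I would write `acl ghost_path path_beg -i /ghost/` unless the backend is known to route paths case-sensitively. `is_whitelisted`, `is_lan` and `is_lan2` are never referenced and duplicate `is_whitelisted_full`, so they can be dropped, and the comment `# Bloque /ghost/ hors votre IP` belongs above the deny rule rather than the `server` line.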