From 3e1f9dda2bd59d113858e8fc758f400bdc7612c9 Mon Sep 17 00:00:00 2001
From: Josh Knapp
Date: Tue, 12 May 2026 16:59:40 -0700
Subject: [PATCH] fix(template): strip Jinja2 whitespace so no-env-var listener is byte-identical
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Default Jinja2 {% if %}{% endif %} block syntax leaves a trailing newline even when the conditional doesn't render. Staging verification of PR 2 showed the resulting haproxy.cfg differed from the pre-PR2 version by exactly 1 blank line — semantically identical but not byte-identical, which violates the design promise that haproxy-manager-base's default output stays unchanged for home/standalone deployments.

Use {%- if -%}/{%- endif %} (the whitespace-stripping variants) so the block contributes zero bytes when coraza_spoe_backend is unset.

Verified locally: without env var = 55 lines, ends cleanly on the is_blocked_ip rule. With env var = 62 lines, +7 for the SPOE block.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 templates/hap_listener.tpl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index e0d6852..a5d924f 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -53,11 +53,12 @@ frontend web
 acl is_blocked_ip var(txn.real_ip),map_ip(/etc/haproxy/blocked_ips.map,0) -m int gt 0
 http-request set-path /blocked-ip if is_blocked_ip
 use_backend default-backend if is_blocked_ip
-{% if coraza_spoe_backend %}
+{%- if coraza_spoe_backend %}
+
 # Coraza WAF inspection via SPOE. Runs AFTER rate-limit and IP-block
 # guards (no point asking the WAF about requests we're already dropping)
 # and AFTER the real-client-IP resolution (so Coraza sees the right src).
 # Fail-open: see `option set-on-error continue` in /etc/haproxy/coraza-spoe.cfg.
 filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg
 http-request send-spoe-group coraza coraza-check
-{% endif %}
+{%- endif %}
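Review bot: The whitespace contract this hunk introduces is undocumented in the template and does not match the commit message, which says `{%- if -%}` while the hunk uses `{%- if coraza_spoe_backend %}` with no trailing `-` — the difference matters, because `-%}` would also consume the bare `+` line that now supplies the separator before the `# Coraza WAF` comment when the block renders. A maintainer tidying that apparently stray blank line would glue the WAF comment onto the `use_backend default-backend` line, so a comment on the line after the opening tag, e.g. `{#- blank line below is intentional: the '-' on the if tag eats the preceding newline and this restores it only when the SPOE block renders #}`, would protect it (the leading `-` on the comment keeps the rendered bytes unchanged, but confirm against the project's Environment, since `trim_blocks`/`lstrip_blocks`/`keep_trailing_newline` settings alter the result). The 55/62-line verification in the message was manual; a render test through the same Environment that asserts the unset case is byte-identical to the pre-PR2 fixture and the set case still contains `filter spoe` and `http-request send-spoe-group` would catch a regression that silently drops the WAF from the listener. The enclosing `frontend web` section begins before the hunk.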