fix(template): strip Jinja2 whitespace so no-env-var listener is byte-identical
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m23s
Default Jinja2 {% if %}{% endif %} block syntax leaves a trailing newline
even when the conditional doesn't render. Staging verification of PR 2
showed the resulting haproxy.cfg differed from the pre-PR2 version by
exactly 1 blank line — semantically identical but not byte-identical,
which violates the design promise that haproxy-manager-base's default
output stays unchanged for home/standalone deployments.

Use {%- if -%}/{%- endif %} (the whitespace-stripping variants) so the
block contributes zero bytes when coraza_spoe_backend is unset.

Verified locally: without env var = 55 lines, ends cleanly on the
is_blocked_ip rule. With env var = 62 lines, +7 for the SPOE block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -53,11 +53,12 @@ frontend web
|
||||
acl is_blocked_ip var(txn.real_ip),map_ip(/etc/haproxy/blocked_ips.map,0) -m int gt 0
|
||||
http-request set-path /blocked-ip if is_blocked_ip
|
||||
use_backend default-backend if is_blocked_ip
|
||||
{% if coraza_spoe_backend %}
|
||||
{%- if coraza_spoe_backend %}
|
||||
|
||||
# Coraza WAF inspection via SPOE. Runs AFTER rate-limit and IP-block
|
||||
# guards (no point asking the WAF about requests we're already dropping)
|
||||
# and AFTER the real-client-IP resolution (so Coraza sees the right src).
|
||||
# Fail-open: see `option set-on-error continue` in /etc/haproxy/coraza-spoe.cfg.
|
||||
filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg
|
||||
http-request send-spoe-group coraza coraza-check
|
||||
{% endif %}
|
||||
{%- endif %}
|
||||
|
||||
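Review bot: The opening tag `{%- if coraza_spoe_backend %}` strips whitespace only on its left, while the commit message describes `{%- if -%}`, so the message and the template disagree. The left-only form appears to be the one that works: `{%-` consumes the newline that ends the `use_backend default-backend if is_blocked_ip` line, and when the block renders, the newline after the tag is what terminates that line again. Add a short Jinja2 comment next to the tag saying the right-hand side must stay unstripped, otherwise a later change to `-%}` would glue the first `# Coraza WAF inspection` comment line onto the `use_backend` rule. The outcome also depends on the environment's `trim_blocks` and `lstrip_blocks` settings, which are not visible in this hunk, and the verification quoted is a line count (55 vs 62), which does not establish byte identity. A test that renders the template with `coraza_spoe_backend` unset and compares the result byte-for-byte with the pre-change output would pin the promise down.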