diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-14 11:22:35 +0300 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-16 12:53:59 +0300 |
| commit | 192463755bb599b8879c09a97cf731dad0cde6a0 (patch) | |
| tree | 100517adb060e270b2e6611a6588c18a2ee5d117 | |
| parent | 5e91493f7aaecef924a78f0743f812a225080085 (diff) | |
For http service endpoints always redirect to https
If public TLS is enabled, this sets as default that services should
always redirect to https.
Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
| -rw-r--r-- | manifests/haproxy.pp | 15 | ||||
| -rw-r--r-- | manifests/haproxy/endpoint.pp | 13 |
2 files changed, 15 insertions, 13 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 98c9c96..6b305cb 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -902,17 +902,8 @@ class tripleo::haproxy ( } if $keystone_public { - if $service_certificate { - $keystone_public_tls_listen_opts = { - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', - } - } else { - $keystone_public_tls_listen_opts = { - 'option' => [ 'httpchk GET /v3', ], - } + $keystone_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -921,7 +912,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 16e0bd1..f1e80e8 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint ( # service exposed to the public network if $public_certificate { + if $mode == 'http' { + $tls_listen_options = { + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + } + $listen_options_real = merge($tls_listen_options, $listen_options) + } else { + $listen_options_real = $listen_options + } $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) } else { + $listen_options_real = $listen_options $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) } } else { @@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint ( bind => $bind_opts, collect_exported => false, mode => $mode, - options => $listen_options, + options => $listen_options_real, } haproxy::balancermember { "${name}": listening_service => $name, |