authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-18 09:57:42 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-22 11:18:40 +0200
commit5c248dbd67de167c14bf73fd077f71fb18fcf29b (patch)
treef17c8c0045f54fd1cbb112d8e10deca14c7a0014
parent4988d0fc359a59af6ce86c0beb8549a950df57cd (diff)
Make cipher suite and SSL options configurable
This CR enables the ability to set the cipher suite to be used by HAproxy and the SSL options. So now the user can enable these through hiera. The cipher suite comes from the Fedora system crypto policy. Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
-rw-r--r--manifests/loadbalancer.pp26
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..140713b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
# [*keystone_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the Keystone public API endpoint using the specified file.
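Review bot: The new parameter docs do not tell operators what the defaults still permit: the cipher string keeps `kRSA` (RSA key exchange, no forward secrecy) and `+3DES` (3DES, pushed to lowest priority but still negotiable), and `no-sslv3` leaves TLSv1.0 and TLSv1.1 enabled. Since the stated goal is that users tune these through hiera, the doc block is the place to say so; I would add under `[*ssl_cipher_suite*]` the line `# Note: the default still allows RSA key exchange (no forward secrecy) and 3DES; override via hiera if your policy requires PFS-only suites.` and under `[*ssl_options*]` the line `# Note: 'no-sslv3' does not disable TLSv1.0/1.1; add 'no-tlsv10' / 'no-tlsv11' to restrict further.` The attribution to the Fedora crypto policy is fine but should name the policy level (presumably DEFAULT) so a later reader can check it is still current.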
@@ -366,6 +376,8 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
$keystone_certificate = undef,
$neutron_certificate = undef,
$cinder_certificate = undef,
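Review bot: The two new parameters are accepted without any validation, so an empty string or undef from hiera is passed straight into the haproxy global section; if the haproxy module renders a key whose value is empty (I cannot confirm its template behaviour from here), the result is a bare `ssl-default-bind-ciphers` line that HAProxy rejects at start-up, taking the load balancer down on the next puppet run. If this module already uses stdlib validation elsewhere, a `validate_string($ssl_cipher_suite)`-style check, or at minimum a guard that only emits the keys when the value is non-empty, would turn a silent outage into a catalog failure. The class parameter list continues outside this hunk.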
@@ -916,12 +928,14 @@ class tripleo::loadbalancer (
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
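Review bot: `ssl-default-bind-ciphers` and `ssl-default-bind-options` only govern the listening (`bind`) side; any `server ... ssl` backend connection HAProxy makes is governed by `ssl-default-server-ciphers` / `ssl-default-server-options`, which this change does not set. If any listener in this class (or a later change) talks TLS to its backends, those connections keep the OpenSSL defaults, including SSLv3 where the library still permits it. I would either add `'ssl-default-server-ciphers' => $ssl_cipher_suite,` and `'ssl-default-server-options' => $ssl_options,` alongside the bind keys, or note in the parameter docs that only frontend TLS is covered. The `::haproxy` class declaration continues past the end of this hunk.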