summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-14 11:22:35 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-16 12:53:59 +0300
commit192463755bb599b8879c09a97cf731dad0cde6a0 (patch)
tree100517adb060e270b2e6611a6588c18a2ee5d117
parent5e91493f7aaecef924a78f0743f812a225080085 (diff)
For http service endpoints always redirect to https
If public TLS is enabled, this sets as default that services should always redirect to https. Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
-rw-r--r--manifests/haproxy.pp15
-rw-r--r--manifests/haproxy/endpoint.pp13
2 files changed, 15 insertions, 13 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 98c9c96..6b305cb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -902,17 +902,8 @@ class tripleo::haproxy (
}
if $keystone_public {
- if $service_certificate {
- $keystone_public_tls_listen_opts = {
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
- }
- } else {
- $keystone_public_tls_listen_opts = {
- 'option' => [ 'httpchk GET /v3', ],
- }
+ $keystone_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -921,7 +912,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 16e0bd1..f1e80e8 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint (
# service exposed to the public network
if $public_certificate {
+ if $mode == 'http' {
+ $tls_listen_options = {
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ $listen_options_real = merge($tls_listen_options, $listen_options)
+ } else {
+ $listen_options_real = $listen_options
+ }
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
+ $listen_options_real = $listen_options
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
@@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint (
bind => $bind_opts,
collect_exported => false,
mode => $mode,
- options => $listen_options,
+ options => $listen_options_real,
}
haproxy::balancermember { "${name}":
listening_service => $name,