author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-11-18 15:39:07 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-11-30 14:34:41 +0200 |
commit | 5b0bd1c00aef1b03bf697d0f05046c4ad8b641e5 (patch) | |
tree | e055ec6ef38d7048682aba685d83a94dc6f5ec34 | |
parent | f101ee540a450d3509e1c97aab00a97a2ecf8164 (diff) |
Add verify required and CA bundle to haproxy
This only takes effect if internal-tls is used, and forces haproxy to
do proper verifications of the SSL certificates provided by the
servers.
bp tls-via-certmonger
Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
-rw-r--r-- | manifests/haproxy.pp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 2f3f062..a4ab0cc 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -117,6 +117,11 @@
 # String that sets the default ssl options to force on all "bind" lines.
 # Defaults to 'no-sslv3'
 #
+# [*ca_bundle*]
+# Path to the CA bundle to be used for HAProxy to validate the certificates of
+# the servers it balances
+# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
 # [*haproxy_stats_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -472,6 +477,7 @@ class tripleo::haproxy (
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
 $ssl_options = 'no-sslv3',
+ $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
 $haproxy_stats_certificate = undef,
 $keystone_admin = hiera('keystone_enabled', false),
 $keystone_public = hiera('keystone_enabled', false),
@@ -601,8 +607,7 @@ class tripleo::haproxy (
 $ports = merge($default_service_ports, $service_ports)
 if $enable_internal_tls {
- # TODO(jaosorior): change verify none to verify required.
- $internal_tls_member_options = ['ssl', 'verify none']
+ $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
 } else {
 $internal_tls_member_options = []
 } |
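Review bot: `verify required` with `ca-file` only checks that the backend certificate chains to a CA in the bundle; it does not by itself check that the certificate belongs to the member being contacted, so in the third hunk a `verifyhost`/`sni` server option (depending on the HAProxy version in use) is still needed for the backend identity to be verified, and the new doc block in the first hunk should say so. The new `$ca_bundle` parameter is interpolated unvalidated into the server option string in `"ca-file ${ca_bundle}"`, so an empty value or one containing whitespace produces a malformed server line rather than a clear failure; a guard such as `validate_absolute_path($ca_bundle)` near the other parameter checks would surface that at catalog compile time. Since the default points at the whole system trust store, the parameter documentation should also note that any CA in that bundle is accepted for internal members, which is broader than a deployment-specific CA file. The class `tripleo::haproxy` begins and ends outside these hunks.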