authorJenkins <jenkins@review.openstack.org>2016-04-01 08:36:19 +0000
committerGerrit Code Review <review@openstack.org>2016-04-01 08:36:19 +0000
commit6c25f57d78d47419365e2238647228a186a0137f (patch)
tree7867bb158a75e29d268c29904974a1823929f6af
parentd876a555e25bb3f33a1b4121ba23d0ee400dabea (diff)
parent5c248dbd67de167c14bf73fd077f71fb18fcf29b (diff)
Merge "Make cipher suite and SSL options configurable"
-rw-r--r--manifests/loadbalancer.pp26
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 4264c22..8ee4445 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
# [*keystone_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the Keystone public API endpoint using the specified file.
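Review bot: The new `[*ssl_cipher_suite*]` doc entry says the default "comes from the Fedora system crypto policy" but does not tell an operator what that string actually permits, which matters because it still allows `kRSA` key exchange (no forward secrecy) and 3DES (`+3DES` only lowers its preference, it does not exclude it). I would add after the Defaults line: `# Note: this default still admits RSA key exchange (no forward secrecy) and 3DES; override it for stricter baselines.` The `[*ssl_options*]` entry should likewise state the accepted format and that the default only drops SSLv3, e.g. `# Space-separated HAProxy bind keywords. 'no-sslv3' alone leaves TLS 1.0/1.1 negotiable; e.g. 'no-sslv3 no-tlsv10'.` This hunk sits inside the class header comment block that starts before line 120 of the file.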
@@ -371,6 +381,8 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
$keystone_certificate = undef,
$neutron_certificate = undef,
$cinder_certificate = undef,
@@ -934,12 +946,14 @@ class tripleo::loadbalancer (
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
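Review bot: The `ssl-default-bind-options` value wired in here defaults to `no-sslv3`, which removes SSLv3 but leaves TLS 1.0 and 1.1 negotiable on every `bind` line, and the `ssl-default-bind-ciphers` default still admits `kRSA` (no forward secrecy) and 3DES; deployments that must meet a modern baseline will need to override both, e.g. `$ssl_options = 'no-sslv3 no-tlsv10'`. Exposing them as class parameters is the right move, but the defaults should be called out as a floor rather than a hardened setting. Note also that these two global keys constrain only frontend `bind` lines; if HAProxy speaks TLS toward any backend (not visible in this hunk), `ssl-default-server-ciphers`/`ssl-default-server-options` are unaffected and would need separate parameters. The `class { '::haproxy': ... }` resource and its `defaults_options` hash continue past the end of the hunk.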