author | Jenkins <jenkins@review.openstack.org> | 2016-04-01 08:36:19 +0000 |
committer | Gerrit Code Review <review@openstack.org> | 2016-04-01 08:36:19 +0000 |
commit | 6c25f57d78d47419365e2238647228a186a0137f (patch) | |
tree | 7867bb158a75e29d268c29904974a1823929f6af | |
parent | d876a555e25bb3f33a1b4121ba23d0ee400dabea (diff) | |
parent | 5c248dbd67de167c14bf73fd077f71fb18fcf29b (diff) |
Merge "Make cipher suite and SSL options configurable"
-rw-r--r-- | manifests/loadbalancer.pp | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 4264c22..8ee4445 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
 # Any service-specific certificates take precedence over this one.
 # Defaults to undef
 #
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
 # [*keystone_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the Keystone public API endpoint using the specified file.
@@ -371,6 +381,8 @@ class tripleo::loadbalancer (
   $controller_hosts = undef,
   $controller_hosts_names = undef,
   $service_certificate = undef,
+  $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+  $ssl_options = 'no-sslv3',
   $keystone_certificate = undef,
   $neutron_certificate = undef,
   $cinder_certificate = undef,
@@ -934,12 +946,14 @@ class tripleo::loadbalancer (
   class { '::haproxy':
     service_manage => $haproxy_service_manage,
     global_options => {
-      'log' => "${haproxy_log_address} local0",
-      'pidfile' => '/var/run/haproxy.pid',
-      'user' => 'haproxy',
-      'group' => 'haproxy',
-      'daemon' => '',
-      'maxconn' => $haproxy_global_maxconn,
+      'log' => "${haproxy_log_address} local0",
+      'pidfile' => '/var/run/haproxy.pid',
+      'user' => 'haproxy',
+      'group' => 'haproxy',
+      'daemon' => '',
+      'maxconn' => $haproxy_global_maxconn,
+      'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+      'ssl-default-bind-options' => $ssl_options,
     },
     defaults_options => {
       'mode' => 'tcp', |
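Review bot: The new global_options entries in the third hunk harden only the listening side: `ssl-default-bind-ciphers`/`ssl-default-bind-options` do not apply to outbound TLS on `server ... ssl` lines, so if any backend in this class is reached over TLS (not visible in the hunk) it keeps HAProxy's built-in defaults. If that is the case, add the matching `'ssl-default-server-ciphers' => $ssl_cipher_suite,` and `'ssl-default-server-options' => $ssl_options,` next to them. The parameter docs in the first hunk say the cipher string "comes from the Fedora system crypto policy", but it is a frozen copy that will not follow policy updates, and it still admits kRSA (no forward secrecy) and 3DES; I would note that in the doc comment as `# Snapshot of the Fedora crypto policy at the time of writing; review periodically.` Likewise `no-sslv3` leaves TLS 1.0/1.1 enabled, which is worth stating explicitly in the `ssl_options` doc so operators know the default is not a minimum-version setting. The enclosing `class { '::haproxy': ... }` resource continues outside the hunk.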