authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-14 11:22:35 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-16 12:53:59 +0300
commit192463755bb599b8879c09a97cf731dad0cde6a0 (patch)
tree100517adb060e270b2e6611a6588c18a2ee5d117 /manifests/haproxy
parent5e91493f7aaecef924a78f0743f812a225080085 (diff)
For http service endpoints always redirect to https
If public TLS is enabled, this makes services always redirect to https by default. Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
Diffstat (limited to 'manifests/haproxy')
-rw-r--r--manifests/haproxy/endpoint.pp13
1 files changed, 12 insertions, 1 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 16e0bd1..f1e80e8 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint (
# service exposed to the public network
if $public_certificate {
+ if $mode == 'http' {
+ $tls_listen_options = {
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ $listen_options_real = merge($tls_listen_options, $listen_options)
+ } else {
+ $listen_options_real = $listen_options
+ }
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
+ $listen_options_real = $listen_options
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
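Review bot: The `redirect` entry in `$tls_listen_options` fires only when the Host header equals `${public_virtual_ip}`, so a plaintext request that names the endpoint by hostname (the form a certificate usually covers) would not be redirected and is still served over http, which is narrower than the "always redirect" the title promises. The context line below passes `$public_virtual_ip` through `any2array()`, which suggests it may be an array; interpolated into this string it would not form a valid `hdr(host)` pattern, so either build the condition per address or state that a single string is required. `merge($tls_listen_options, $listen_options)` lets caller keys win, so a caller that sets `'option'` drops `forwardfor` and one that sets `'redirect'` drops the https redirect; a comment such as `# caller-supplied listen_options override these TLS defaults, including the redirect` above the merge would make that visible. A 301 still leaves the first request in clear text, so it is worth deciding whether an HSTS response header belongs in these defaults. The enclosing define starts and ends outside the hunk.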
@@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint (
bind => $bind_opts,
collect_exported => false,
mode => $mode,
- options => $listen_options,
+ options => $listen_options_real,
}
haproxy::balancermember { "${name}":
listening_service => $name,
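Review bot: `$listen_options_real` is assigned only in the `if $public_certificate` and inner `else` branches of the first hunk; the outer `} else {` branch that closes that hunk appears to get no assignment, since all 12 insertions in the diffstat are accounted for by the lines visible in the two hunks. For endpoints that take that path, `options => $listen_options_real` would then pass undef and the caller's `$listen_options` (health checks, header handling) would be silently dropped. Adding `$listen_options_real = $listen_options` to that branch would keep the previous behaviour; the branch body lies outside the hunk, so this should be confirmed against the full file.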