author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-18 14:49:09 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-18 14:51:03 +0300 |
commit | c372d01a9427d65ae44063adf68c78748770eac4 (patch) | |
tree | 320d8d0e17654b4e73d8c68ffc083afba765146a /manifests | |
parent | 7567c71e4780b3508b752efe99f5215094f2c141 (diff) |
Haproxy: When using TLS everywhere, use verifyhost for the balancermembers
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a6bd1eb..d497056 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -718,6 +718,9 @@ class tripleo::haproxy ( if $enable_internal_tls { $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + Haproxy::Balancermember { + verifyhost => true + } } else { $internal_tls_member_options = [] } |
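Review bot: The `Haproxy::Balancermember { verifyhost => true }` default added inside the `if $enable_internal_tls` branch is a resource default, so it is not tied to the members that actually receive `$internal_tls_member_options`. A Puppet `if` block does not open a new scope, and resource defaults follow dynamic scope, so once this branch is evaluated the default applies to every `haproxy::balancermember` declared from `tripleo::haproxy` and from anything it declares, including any member whose options do not contain 'ssl'. Consider passing `verifyhost => true` explicitly at the places where `$internal_tls_member_options` is consumed, or confirm that every member in scope is a TLS backend when this flag is set. A short comment above the default would also help: per the commit message the check compares the backend certificate's subjectAltName with the server name, so the change relies on each member's server name being the name that appears in its certificate, and that dependency is not stated anywhere in the hunk.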