author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-03-18 09:57:42 +0200 |
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-03-22 11:18:40 +0200 |
commit | 5c248dbd67de167c14bf73fd077f71fb18fcf29b (patch) | |
tree | f17c8c0045f54fd1cbb112d8e10deca14c7a0014 /manifests | |
parent | 4988d0fc359a59af6ce86c0beb8549a950df57cd (diff) |
Make cipher suite and SSL options configurable
This CR makes the cipher suite used by HAProxy and the SSL options configurable,
so the user can now set them through hiera. The cipher suite comes from the
Fedora system crypto policy.
Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/loadbalancer.pp | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..140713b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
 # Any service-specific certificates take precedence over this one.
 # Defaults to undef
 #
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
 # [*keystone_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the Keystone public API endpoint using the specified file.
@@ -366,6 +376,8 @@ class tripleo::loadbalancer (
 $controller_hosts = undef,
 $controller_hosts_names = undef,
 $service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
 $keystone_certificate = undef,
 $neutron_certificate = undef,
 $cinder_certificate = undef,
@@ -916,12 +928,14 @@ class tripleo::loadbalancer (
 class { '::haproxy':
 service_manage => $haproxy_service_manage,
 global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
 },
 defaults_options => {
 'mode' => 'tcp', |
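Review bot: The `ssl_options` default `'no-sslv3'` introduced in the second hunk only disables SSLv3, so TLS 1.0 and 1.1 remain enabled on every bind line, and the default cipher string keeps `kRSA` (RSA key exchange, no forward secrecy) and `+3DES`; neither limitation is stated in the new docblock in the first hunk. Since the commit presents these as the Fedora crypto-policy defaults that is defensible, but the parameter docs should say what the defaults still permit so operators know when to override them, e.g. `# Note: this default still allows RSA key exchange (no forward secrecy) and 3DES; override it where a stricter policy is required.` under `[*ssl_cipher_suite*]` and `# Note: 'no-sslv3' leaves TLS 1.0/1.1 enabled; add 'no-tlsv10 no-tlsv11' to restrict to TLS 1.2.` under `[*ssl_options*]`. Both values are passed verbatim into haproxy.cfg by the third hunk, so a malformed string is only detected when HAProxy fails to reload; if the class already validates its other parameters, these two should get the same treatment. The tripleo::loadbalancer parameter list and class body continue outside the hunks.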