diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-12-12 15:00:58 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-12-20 08:50:08 +0000 |
commit | d4453c95d97eec0f45aa0db1d685935d63037fac (patch) | |
tree | df16df2515cd5d07e20adcaeb4d539883bb87186 /manifests | |
parent | 48eef39ca35fda6e544cb43f0ee974f600608fd2 (diff) |
Add TLS proxy resource
some services need a terminating proxy to do TLS on their main
interfaces, to address this, we use httpd's mod_proxy and make it listen
in front of these services with an appropriate certificate.
bp tls-via-certmonger
Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/tls_proxy.pp | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/manifests/tls_proxy.pp b/manifests/tls_proxy.pp new file mode 100644 index 0000000..36d6b6d --- /dev/null +++ b/manifests/tls_proxy.pp @@ -0,0 +1,60 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::tls_proxy +# +# Sets up a TLS proxy using mod_proxy that redirects towards localhost. +# +# === Parameters +# +# [*ip*] +# The IP address that the proxy will be listening on. +# +# [*port*] +# The port that the proxy will be listening on. +# +# [*servername*] +# The vhost servername that contains the FQDN to identify the virtual host. +# +# [*tls_cert*] +# The path to the TLS certificate that the proxy will be serving. +# +# [*tls_key*] +# The path to the key used for the specified certificate. +# +define tripleo::tls_proxy( + $ip, + $port, + $servername, + $tls_cert, + $tls_key, +) { + ::apache::vhost { "${title}-proxy": + ensure => 'present', + docroot => undef, # This is required by the manifest + manage_docroot => false, + servername => $servername, + ip => $ip, + port => $port, + ssl => true, + ssl_cert => $tls_cert, + ssl_key => $tls_key, + request_headers => ['set X-Forwarded-Proto "https"'], + proxy_pass => { + path => '/', + url => "http://localhost:${port}/", + params => {retry => '10'}, + } + } +} |