summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/loadbalancer.pp26
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..140713b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
# [*keystone_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the Keystone public API endpoint using the specified file.
@@ -366,6 +376,8 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
$keystone_certificate = undef,
$neutron_certificate = undef,
$cinder_certificate = undef,
@@ -916,12 +928,14 @@ class tripleo::loadbalancer (
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',