1 files changed, 9 insertions, 2 deletions

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 92edd71..0b69245 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -1236,6 +1236,7 @@ class tripleo::haproxy (
       listen_options    => $swift_proxy_server_listen_options,
       public_ssl_port   => $ports[swift_proxy_ssl_port],
       service_network   => $swift_proxy_server_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
@@ -1377,7 +1378,7 @@ class tripleo::haproxy (
       server_names      => hiera('mysql_node_names', $controller_hosts_names_real),
       options           => $mysql_member_options_real,
     }
-    if hiera('manage_firewall', true) {
+    if hiera('tripleo::firewall::manage_firewall', true) {
       include ::tripleo::firewall
       $mysql_firewall_rules = {
         '100 mysql_haproxy' => {
@@ -1462,7 +1463,7 @@ class tripleo::haproxy (
       server_names      => hiera('redis_node_names', $controller_hosts_names_real),
       options           => $haproxy_member_options,
     }
-    if hiera('manage_firewall', true) {
+    if hiera('tripleo::firewall::manage_firewall', true) {
       include ::tripleo::firewall
       $redis_firewall_rules = {
         '100 redis_haproxy' => {
@@ -1595,6 +1596,12 @@ class tripleo::haproxy (
       server_names      => $controller_hosts_names_real,
       mode              => 'http',
       public_ssl_port   => $ports[ui_ssl_port],
+      listen_options    => {
+        # NOTE(dtrainor): in addition to the zaqar_ws endpoint, the HTTPS
+        # (443/tcp) endpoint that answers for the UI must also use a long-lived
+        # tunnel timeout for the same reasons mentioned above.
+        'timeout' => ['tunnel 3600s'],
+      },
     }
   }
   if $contrail_config {