1 files changed, 16 insertions, 14 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 99569c8..6da6dcf 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,6 +146,10 @@
 #  the servers it balances
 #  Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 #
+# [*crl_file*]
+#  Path to the CRL file to be used for checking revoked certificates.
+#  Defaults to undef
+#
 # [*haproxy_stats_certificate*]
 #  Filename of an HAProxy-compatible certificate and key file
 #  When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -565,6 +569,7 @@ class tripleo::haproxy (
   $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
   $ssl_options                 = 'no-sslv3',
   $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+  $crl_file                    = undef,
   $haproxy_stats_certificate   = undef,
   $keystone_admin              = hiera('keystone_enabled', false),
   $keystone_public             = hiera('keystone_enabled', false),
@@ -728,7 +733,13 @@ class tripleo::haproxy (
   $ports = merge($default_service_ports, $service_ports)
 
   if $enable_internal_tls {
-    $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+    if $crl_file {
+      $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+    } else {
+      $internal_tls_member_options = $base_internal_tls_member_options
+    }
     Haproxy::Balancermember {
       verifyhost => true
     }
@@ -769,7 +780,7 @@ class tripleo::haproxy (
       'cookie'       => 'SERVERID insert indirect nocache',
       'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
       # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
-      'redirect'     => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+      'redirect'     => 'scheme https code 301 if !{ ssl_fc }',
       'option'       => [ 'forwardfor', 'httpchk' ],
       'http-request' => [
           'set-header X-Forwarded-Proto https if { ssl_fc }',
@@ -891,17 +902,8 @@ class tripleo::haproxy (
   }
 
   if $keystone_public {
-    if $service_certificate {
-      $keystone_public_tls_listen_opts = {
-        'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
-        # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
-        'redirect'     => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
-        'option'       => 'forwardfor',
-      }
-    } else {
-      $keystone_public_tls_listen_opts = {
-        'option' => [ 'httpchk GET /v3', ],
-      }
+    $keystone_listen_opts = {
+      'option' => [ 'httpchk GET /v3', ],
     }
     ::tripleo::haproxy::endpoint { 'keystone_public':
       public_virtual_ip => $public_virtual_ip,
@@ -910,7 +912,7 @@ class tripleo::haproxy (
       ip_addresses      => hiera('keystone_public_api_node_ips', $controller_hosts_real),
       server_names      => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
       mode              => 'http',
-      listen_options    => merge($default_listen_options, $keystone_public_tls_listen_opts),
+      listen_options    => merge($default_listen_options, $keystone_listen_opts),
       public_ssl_port   => $ports[keystone_public_api_ssl_port],
       service_network   => $keystone_public_network,
       member_options    => union($haproxy_member_options, $internal_tls_member_options),