aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy
AgeCommit message (Collapse)AuthorFilesLines
2017-01-06Fix puppet warning for empty valueEmilien Macchi1-0/+2
Unknown variable: 'haproxy_ssl_firewall_rules' when public_ssl_port is empty. Fixing it by setting an empty hash in this case. Change-Id: If864732262852ef79ebb91ee77902c86b847072a
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi1-8/+21
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-10-05Fetch internal certificates for HAProxy based on networkJuan Antonio Osorio Robles1-12/+40
The service profile in HAProxy has the capability of creating certificates based on a map. The idea is to standardize this, as some of those certificates should match certain networks the services are listening on (with the exception of the external network which is handled differently and the tenant network which doesn't need a certificate). So, based on which network a certain service is listening on, we fetch the appropriate certificate. bp tls-via-certmonger Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
2016-08-11Removing WARNING: line has more than 140 characters in puppet-tripleo profilesCarlos Camacho1-2/+4
Some lint checks are returning: WARNING: line has more than 140 characters in puppet-tripleo profiles This patch will remove those warnings by adding \'s Change-Id: I19b56c93db82948fb0498a4c9851b522c81946f8
2016-07-06deploy composable firewall rules for HAproxyEmilien Macchi1-0/+12
Deploy composable iptables rules for HAproxy. Note: we can't use Hiera here because we have some logic in puppet-tripelo that select the services that we actually deploy. Using this code in the Define will easily create IPtables rules that we actually need. Some other services will be able to create IPtables rules in Hiera (in THT), but not HAproxy now. Change-Id: If03b18992c68461e97789c0318078a0b243c84fe
2016-05-26Explode loadbalancer role in 2 sub-rolesEmilien Macchi1-0/+120
Split loadbalancer role into 2 sub-roles: - HAproxy - Keepalived Change-Id: I84dfa9d409d390c6f549d62cb3634931e4cb432c