path: root/manifests/loadbalancer.pp
Age | Commit message | Author | Files | Lines
2016-03-11 | Allow enabling authentication on haproxy.stats | Ben Nemec | 1 | -3/+42
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
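As an added example (this is not code from the puppet-tripleo manifest, which emits its HAProxy sections through puppet-haproxy), here is the rendered stats section the commit describes: the previous open default beside the authenticated form. The admin VIP 192.0.2.10, the port 1993, the realm text, the placeholder password and the certificate path are assumptions for illustration.

```haproxy
# Previous default, shown commented out for contrast: the stats page is
# reachable by anyone who can route to the admin VIP, no credentials needed.
#
# listen haproxy.stats
#   bind 192.0.2.10:1993
#   mode http
#   stats enable
#   stats uri /

# Authenticated stats endpoint. 'stats auth' may be repeated for several
# users. The password sits in clear text in haproxy.cfg, so keep the file
# root-only (puppet-tripleo takes it from a class parameter; the value
# below is a placeholder).
listen haproxy.stats
  bind 192.0.2.10:1993
  mode http
  stats enable
  stats uri /
  stats realm HAProxy\ Statistics
  stats auth admin:replace-with-a-generated-password
  stats hide-version
  # Without a 'stats admin' line the page stays read-only: even with the
  # password nobody can disable or drain backends through it.

# To also terminate TLS here, use a certificate issued for the admin VIP
# rather than the public service certificate (assumed path):
#   bind 192.0.2.10:1993 ssl crt /etc/pki/tls/private/admin-vip.pem
```

'stats auth' is HTTP Basic authentication, so on the plain-HTTP bind the credentials cross the admin network base64-encoded, not encrypted; that is why the commit leaves the door open for an admin-VIP certificate even though the public service_certificate is not reused. Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` and an unauthenticated request to the VIP, which must now return 401.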
2016-03-09 | Merge "Make OpenStack service ports configurable in HAProxy" | Jenkins | 1 | -62/+135
2016-03-08 | Make OpenStack service ports configurable in HAProxy | Juan Antonio Osorio Robles | 1 | -62/+135
Some deployments were expecting specific ports for the OpenStack services. In case the default ports are not meeting those needs, we need to provide the means of changing the defaults. Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
2016-03-03 | Merge "loadbalancer: fix Redis timeout HAproxy config" | Jenkins | 1 | -1/+0
2016-03-01 | Always override X-Forwarded-Proto header for Heat | Juan Antonio Osorio Robles | 1 | -5/+7
Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
2016-02-25 | loadbalancer: fix Redis timeout HAproxy config | Jason Guiditta | 1 | -1/+0
Current HAproxy config is broken for Redis timeout parameters. This is what we have today by default in HAproxy logs:

[WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.

This patch removes the explicit setting of client and server timeouts to 0, which is the cause of the above warning. Instead, Redis will simply inherit the haproxy defaults, which should be a more reasonable setting, and result in no warnings.

Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
2016-02-22 | Override X-Forwarded-Proto header | Juan Antonio Osorio Robles | 1 | -5/+15
Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
2016-02-17 | Merge "Handle redirects for Horizon" | Jenkins | 1 | -3/+8
2016-02-11 | Merge "Enable X-Forwarded-Proto header for keystone admin endpoint" | Jenkins | 1 | -0/+4
2016-02-11 | Handle redirects for Horizon | Ben Nemec | 1 | -3/+8
As for Heat, we need to be able to handle 30X redirects from Horizon when configured to use SSL. Because Horizon's redirects are handled directly by Apache, we can't use middleware to handle the X-Forwarded-Proto header like we are planning to do for the other services. However, in this case we don't need to worry about rewriting urls in the payload like we do for the other services because Horizon is just serving standard web pages, not custom HTTP bodies with JSON contents. One other change from the previous Heat patch is to drop the IP from the rewrite regex. This is because Horizon will generally be accessed via a DNS name, so the IP won't appear in the Location header. The heat regex should probably be changed as well since we now support registering endpoints with DNS names, but since we plan to move all the other services to the X-Forwarded-Proto header middleware anyway we can probably just wait until that happens and then remove the Heat rule entirely. Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
2016-02-11 | Merge "Use HAProxy 'transparent' bind option for compat with IPv6" | Jenkins | 1 | -91/+118
2016-02-11 | Merge "Make haproxy balancer default options configurable" | Jenkins | 1 | -26/+31
2016-01-25 | Merge "loadbalancer: add Gnocchi API support" | Jenkins | 1 | -0/+43
2016-01-14 | Enable X-Forwarded-Proto header for keystone admin endpoint | Juan Antonio Osorio Robles | 1 | -0/+4
This is useful for handling URLs properly when TLS is enabled. Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
2016-01-13 | Use HAProxy 'transparent' bind option for compat with IPv6 | Giulio Fidente | 1 | -91/+118
Change-Id: Iddf1fdaabc1c758546999e7af7e7412158400e7f
2016-01-13 | Enable X-Forwarded-Proto header for cinder | Juan Antonio Osorio Robles | 1 | -0/+4
Change-Id: I3bd836140537fc5b7e3fba600a712d6a9d6f1185
2016-01-08 | Make haproxy balancer default options configurable | Giulio Fidente | 1 | -26/+31
Change-Id: Id5e119e0949d27a6e3b3f21ecd5e2eb39f1eeb13
2016-01-07 | Merge "Haproxy has non-working Horizon session persistence." | Jenkins | 1 | -1/+1
2016-01-06 | Merge "loadbalancer: fix MySQL timeout HAproxy config" | Jenkins | 1 | -5/+7
2016-01-05 | Merge "Trove integration" | Jenkins | 1 | -0/+43
2016-01-05 | Merge "Sahara integration" | Jenkins | 1 | -0/+42
2016-01-05 | Merge "Enable X-Forwarded-Proto header for Heat and Nova" | Jenkins | 1 | -0/+5
2016-01-05 | Merge "Enable X-Forwarded-Proto header for keystone_public" | Jenkins | 1 | -0/+4
2016-01-05 | Haproxy has non-working Horizon session persistence. | Sofer Athlan-Guyot | 1 | -1/+1
Haproxy is using session persistence[1] for horizon. It is not correctly configured though. The cookie is not properly set. This adds the necessary code. [1]: http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/ Change-Id: Ic9d79475cf84c25fb8146ecbc5f0a45862c106f0 Closes-Bug: 1526786
2016-01-04 | Trove integration | Ethan Gafford | 1 | -0/+43
Adds configuration for Trove to loadbalancer class. Partially-implements: blueprint trove-integration Change-Id: I3cdf43b6d63ad0ee68db047518743c62b6689f56
2016-01-04 | Sahara integration | Ethan Gafford | 1 | -0/+42
Adds configuration for Sahara to loadbalancer class. Change-Id: I0f0a1dc2eaa57d8226bad8cfb250110296ab9614 Partially-implements: blueprint sahara-integration
2015-12-17 | Enable X-Forwarded-Proto header for Heat and Nova | Juan Antonio Osorio Robles | 1 | -0/+5
Change-Id: Icd666d9988d14ac1e9581f55589bf95243cc7641
2015-12-17 | Merge "Allows customization of the HAProxy default timeouts" | Jenkins | 1 | -1/+6
2015-12-11 | Adding MidoNet LoadBalancing options | Jaume Devesa | 1 | -0/+24
MidoNet API needs to be loadbalanced if the midonet environment is activated. Change-Id: I6f1ac659297b8cf6671e11ad23284f8f543568b0
2015-12-10 | Merge "loadbalancer: add Aodh API support" | Jenkins | 1 | -0/+43
2015-12-10 | Allows customization of the HAProxy default timeouts | Giulio Fidente | 1 | -1/+6
Change-Id: I3fdb705bbac26b4bc43a18131407a0a86d36a8a5
2015-12-08 | Enable X-Forwarded-Proto header for keystone_public | Juan Antonio Osorio Robles | 1 | -0/+4
One of the ways to make use of TLS in keystone is through the usage of the X-Forwarded-Proto header, which will be forwarded with the request by the loadbalancer, and it will tell keystone what protocol was used to access it. This also requires configuration from the keystone side. Change-Id: I9b899ba95e28b7dfae0c1ed84ca8431054673925
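The three X-Forwarded-Proto commits in this log ("Enable X-Forwarded-Proto header for keystone_public", "Override X-Forwarded-Proto header" and "Always override X-Forwarded-Proto header for Heat") describe one mechanism, so here is a single rendered example of it. This is added illustration, not the manifest's own output; the VIP addresses, ports, certificate path and backend names are assumptions.

```haproxy
# keystone_public as rendered HAProxy configuration. The public VIP
# terminates TLS, the admin VIP stays plain HTTP (TLS on admin endpoints
# was not supported yet), and both binds reach the same keystone backends.
listen keystone_public
  bind 203.0.113.10:13000 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.10:5000 transparent
  mode http
  # Pre-fix form (what the manifest emitted before "Override
  # X-Forwarded-Proto header"): the header is written only on the TLS side.
  # A client on the plain bind can then send "X-Forwarded-Proto: https"
  # itself, and a keystone configured to trust the header will believe the
  # request was secure and build https:// URLs from it.
  #
  #   http-request set-header X-Forwarded-Proto https if { ssl_fc }
  #
  # Fixed form: 'set-header' first removes any X-Forwarded-Proto the client
  # supplied, then writes the value derived from HAProxy's own view of the
  # front connection, on the TLS path and on the plain path alike. The
  # second line is the one that matters for security; it must be present
  # even in deployments that never terminate TLS.
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server controller-0 192.0.2.11:5000 check fall 5 inter 2000 rise 2
  server controller-1 192.0.2.12:5000 check fall 5 inter 2000 rise 2
```

Keystone only acts on the header when told to (in this era through `secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO` in keystone.conf, later through oslo.middleware's http_proxy_to_wsgi), which is the "configuration from the keystone side" the commit refers to. A quick check after deploying: `curl -H 'X-Forwarded-Proto: https' http://192.0.2.10:5000/v3` must return version links that still start with http://.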
2015-12-01 | loadbalancer: add Gnocchi API support | Emilien Macchi | 1 | -0/+43
Add Gnocchi (OpenStack Metric storage) support in TripleO Loadbalancer config. Change-Id: Ia991819f57616a9a11bd4dfb77893748130268a0
2015-11-25 | Merge "Set tunnel timeout for nova_novncproxy" | Jenkins | 1 | -0/+1
2015-11-25 | loadbalancer: add Aodh API support | Emilien Macchi | 1 | -0/+43
Add Aodh (Ceilometer Alarming) support in TripleO Loadbalancer config. Change-Id: I891985da9248a88c6ce2df1dd186881f582605ee
2015-10-22 | Resolve repeated ports for ssl frontends (nova vnc and swift proxy) | Juan Antonio Osorio Robles | 1 | -1/+1
Nova vnc and swift proxy were listening on the same port if SSL is enabled in the load balancer Change-Id: Ibf4aa118d6c8e94f8f2a68bf270d5445ebda7593
2015-10-22 | Merge "Resolve repeated ports for ssl frontends" | Jenkins | 1 | -1/+1
2015-10-21 | Resolve repeated ports for ssl frontends | Juan Antonio Osorio Robles | 1 | -1/+1
keystone and heat_cfn were listening on the same port if SSL is enabled in the load balancer. Change-Id: I099119198ebf3322a783581f0c6758417e705a2e
2015-10-09 | Set tunnel timeout for nova_novncproxy | Javier Pena | 1 | -0/+1
When using websockets in HAProxy, like nova_novncproxy does, we need to set "timeout tunnel" to avoid disconnections after a short period without traffic. Change-Id: I1b66cd9a1d20cbbe35a2ada5782a76a01b14bcd1 Closes-BZ: 1267043
2015-10-01 | loadbalancer: fix MySQL timeout HAproxy config | Emilien Macchi | 1 | -5/+7
Current HAproxy config is broken for MySQL timeout parameters. This is what we have today by default in HAproxy logs:

--------------
[WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'mysql'.
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
--------------

This patch aims to:
* Use the correct parameters to configure puppetlabs-haproxy
* Update the database timeouts to higher values to prevent the services from disconnecting too frequently by setting the Galera HAProxy timeout to 90 minutes.

Change-Id: I06dd4bf81d4f4fd3c01bb681f6f0b3152f2b8eea
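The MySQL fix here and the Redis fix further up ("loadbalancer: fix Redis timeout HAproxy config") are two instances of the same HAProxy rule: a per-proxy timeout written as 0 is not "use the default", it leaves the proxy with no timer at all, which is what the quoted warning reports. The rendered configuration below is an added example rather than the manifest's output; the defaults values, VIP addresses, backend names and the clustercheck port are assumptions.

```haproxy
# Section-wide timeouts. These are the values puppet-tripleo made tunable in
# "Allows customization of the HAProxy default timeouts"; numbers assumed.
defaults
  mode tcp
  log global
  retries 3
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout check 10s

# What produced the warning: zero timeouts. HAProxy treats 0 as unset, so
# the proxy inherits nothing, runs without client/server timeouts, and
# complains at startup. Shown commented out.
#
# listen redis
#   bind 192.0.2.10:6379 transparent
#   timeout client 0
#   timeout server 0
#   server controller-0 192.0.2.11:6379 check fall 5 inter 2000 rise 2

# Redis after the fix: no per-proxy timeouts, the defaults apply.
listen redis
  bind 192.0.2.10:6379 transparent
  balance first
  server controller-0 192.0.2.11:6379 check fall 5 inter 2000 rise 2
  server controller-1 192.0.2.12:6379 check fall 5 inter 2000 rise 2 backup

# MySQL/Galera: override the defaults per proxy instead of zeroing them.
# 90 minutes is the value the commit chose so that idle pooled OpenStack
# connections are not cut by the balancer. 'option tcpka' belongs only on
# long-lived TCP listeners like this one (see "Remove httpchk option from
# haproxy listeners"). The check assumes the clustercheck HTTP agent on 9200.
listen mysql
  bind 192.0.2.10:3306 transparent
  option tcpka
  option httpchk
  stick on dst
  stick-table type ip size 1000
  timeout client 90m
  timeout server 90m
  server controller-0 192.0.2.11:3306 check fall 5 inter 2000 on-marked-down shutdown-sessions port 9200 rise 2
  server controller-1 192.0.2.12:3306 backup check fall 5 inter 2000 on-marked-down shutdown-sessions port 9200 rise 2
```

`haproxy -c -f haproxy.cfg` prints the "missing timeouts" warning for the commented-out variant and nothing for the two fixed sections; run it on the rendered file after a puppet run rather than trusting the manifest to have produced what you expect.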
2015-09-29 | Fix manila conditional statement | Gael Chamoulaud | 1 | -1/+1
- s/manila/$manila Change-Id: I7aaa8f83fe758484ab39af28c914fa3d78464633 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-09-15 | Merge "Allow a user to specify the syslog address for HAProxy" | Jenkins | 1 | -1/+6
2015-09-13 | loadbalancer: use http mode for Horizon haproxy config | Emilien Macchi | 1 | -0/+1
The haproxy configuration for horizon does not have 'mode http' set. This proxy needs to be in http mode since it is using a cookie for persistence. The default section has 'mode tcp', which is fine, but horizon proxy needs to override this setting to get http mode. Without this, you will likely see an error like this:

[WARNING] 238/115010 (13878) : config : cookie will be ignored for proxy 'horizon' (needs 'mode http').

Closes BZ-1257687
Change-Id: I397986ea022f47a33a5210696752509f4a2731a5
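Three commits in this log touch the Horizon section: this one (mode http), "Haproxy has non-working Horizon session persistence." (the cookie on each server line) and "Handle redirects for Horizon" (rewriting the Location header). As an added example, not the manifest's own output, here is the rendered section with all three in place; the VIP addresses, certificate path and backend names are assumptions.

```haproxy
listen horizon
  bind 203.0.113.10:443 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.10:80 transparent
  # 'cookie' and 'http-response' are layer-7 features. If the 'mode tcp'
  # inherited from defaults is left in place, HAProxy logs "cookie will be
  # ignored for proxy 'horizon' (needs 'mode http')" and persistence
  # silently never happens.
  mode http
  # Session persistence: insert a SERVERID cookie in responses and route
  # later requests carrying it to the same backend. The stanza does nothing
  # unless every 'server' line carries a matching 'cookie <value>', which
  # is the omission the session-persistence commit fixed.
  cookie SERVERID insert indirect nocache
  # Apache behind the proxy only sees plain HTTP, so its 30X redirects carry
  # http:// Location headers. Rewrite the scheme on responses going back to
  # TLS clients; matching the scheme alone works whether the host part is an
  # IP or a DNS name, which is why the commit dropped the IP from the regex.
  http-response replace-header Location ^http://(.*)$ https://\1 if { ssl_fc }
  server controller-0 192.0.2.11:80 check fall 5 inter 2000 rise 2 cookie controller-0
  server controller-1 192.0.2.12:80 check fall 5 inter 2000 rise 2 cookie controller-1
```

`http-response replace-header` is the HAProxy 1.6+ spelling; the 1.5-era configuration generated by puppet-haproxy used the older rsprep directive for the same rewrite. Note that the Location rewrite is scoped to `ssl_fc`, so a redirect answered on the plain admin-VIP bind keeps its http:// scheme.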
2015-09-11 | Allow a user to specify the syslog address for HAProxy | Yanis Guenane | 1 | -1/+6
Currently the address of the syslog server for HAProxy is hardcoded to /dev/log without a way to customize this setting. This commit aims to give a user more flexibility about which syslog server address to use. Change-Id: If7f7c8154e544e5d8a49f79f642e1ad01644a66d
2015-09-03 | loadbalancer: use 'source' for novnc balance mode | Emilien Macchi | 1 | -0/+3
When establishing a connection from the client (web browser) to the novncproxy (load-balanced by HAProxy), we need to make sure the client sticks to the same server for as long as it is connected, because if HAProxy load-balances to another novncproxy node, the client will lose the connection and time out with a 'Connection Reset By Peer' error. This patch aims to configure the novnc HAProxy configuration to balance using 'source' mode, so it will make sure the server remains the same while the connection is established. Change-Id: Ibbb7162b763f1fd2854a10a92a681910e0683c0a Closes-BZ: 1257324
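This commit and "Set tunnel timeout for nova_novncproxy" further up are the two WebSocket-specific settings the novnc section needs, so one rendered example covers both. It is added illustration rather than the manifest's output; the VIP addresses, ports, certificate path, backend names and the one-hour tunnel value are assumptions.

```haproxy
listen nova_novncproxy
  bind 203.0.113.10:13080 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.10:6080 transparent
  mode http
  # Hash the client source address to pick the backend: the same browser
  # keeps landing on the same novncproxy node, instead of being round-robined
  # to a node that knows nothing about its console session ("Connection
  # reset by peer" in the console). Caveat: clients behind one NAT address
  # all share a backend.
  balance source
  option tcpka
  # After the WebSocket upgrade HAProxy stops parsing HTTP and the connection
  # becomes a tunnel; 'timeout tunnel' then replaces 'timeout client' and
  # 'timeout server', so a console that is open but idle is not dropped
  # after the short HTTP-oriented defaults expire.
  timeout tunnel 1h
  server controller-0 192.0.2.11:6080 check fall 5 inter 2000 rise 2
  server controller-1 192.0.2.12:6080 check fall 5 inter 2000 rise 2
```

Without 'timeout tunnel' an idle console dies at 'timeout client'/'timeout server'; without 'balance source' it dies on the next request that a different backend cannot associate with the session. Both symptoms look the same from the browser, which is why the two commits are easy to confuse when debugging.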
2015-08-07 | Remove httpchk option from haproxy listeners | Giulio Fidente | 1 | -55/+9
To make sure we don't use the ssl-hello-chk option set by the puppet-haproxy module we used to redefine the listener options for all listeners. With this change a default for the options hash is provided to the puppet class instead. This change also configures use of tcpka only where wanted, as documented by [1], removing it from the haproxy defaults section, given it wasn't used anyway by the other listeners which were indeed overriding options. 1. https://github.com/beekhof/osp-ha-deploy/blob/master/pcmk/lb.scenario Change-Id: Ic8deb77533f561cea7ce7db1d20f6be5e2dc0d33
2015-08-05 | Enable Manila Service | Ryan Hefner | 1 | -0/+46
Adds bindings to the Manila service for HAProxy. Change-Id: I175d5b7e35a781d04452fc6aee610e8dca005419
2015-07-27 | Fix HAProxy config for Nova EC2 API | Jiri Stransky | 1 | -1/+1
EC2 API returns 400 for unauthenticated requests, making HAProxy believe that the service is down. We'll use TCP check instead of HTTP check for EC2 API. Change-Id: Ide7f9390603c9893b95cacd51d468461255dcf07
2015-07-17 | Listener options for Ironic/ceilometer/glance_registry | James Slagle | 1 | -0/+9
This updates some of the listener options set by loadbalancer.pp. Ironic needs to pass in the option to do a httpchk, otherwise puppet-haproxy defaults it to doing a ssl-hello-chk, which won't work against the non-ssl loadbalancer server. Ceilometer and glance_registry both don't support a httpchk against the root (/) of their webservers (they return a straight 401) so disable those checks completely. Change-Id: Ibfc81175842a748eb077b132b0818c4ea17bbcf6
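This commit, "Fix HAProxy config for Nova EC2 API" and "Remove httpchk option from haproxy listeners" all deal with the same question: which health check a listener should carry so that a healthy backend is not marked down. The rendered sections below are an added example, not the manifest's output; the VIP addresses, ports and backend names are assumptions, and the last stanza goes one step beyond what the commits did.

```haproxy
# puppet-haproxy's default listener options include 'ssl-hello-chk', which
# probes the backend with a TLS ClientHello. Against a plain-HTTP service
# every probe fails and the whole backend is marked down, so each listener
# has to state the check that matches what its service actually answers.

# Ironic answers GET / with a 2xx, so a layer-7 HTTP check is appropriate.
listen ironic
  bind 192.0.2.10:6385 transparent
  option httpchk
  server controller-0 192.0.2.11:6385 check fall 5 inter 2000 rise 2

# The EC2 API returns 400 to an unauthenticated GET /, which httpchk counts
# as failure. Fall back to a plain TCP connect check.
listen nova_ec2
  bind 192.0.2.10:8773 transparent
  option tcp-check
  server controller-0 192.0.2.11:8773 check fall 5 inter 2000 rise 2

# Ceilometer and glance-registry return 401 for /. The commit simply drops
# the HTTP check, leaving 'check' as a TCP connect probe like nova_ec2:
#
# listen ceilometer
#   bind 192.0.2.10:8777 transparent
#   server controller-0 192.0.2.11:8777 check fall 5 inter 2000 rise 2
#
# Beyond the commit: keep the HTTP probe and declare 401 the healthy answer,
# so a backend that accepts connections but answers 5xx is still taken out.
listen ceilometer
  bind 192.0.2.10:8777 transparent
  option httpchk GET /
  http-check expect status 401
  server controller-0 192.0.2.11:8777 check fall 5 inter 2000 rise 2
```

The trade-off the commits chose is worth keeping in mind: a TCP connect check tells you the socket is open, not that the API behind it works, while an HTTP check with a wrong expectation takes a healthy service out of rotation entirely. 'http-check expect' lets you have the layer-7 probe without pretending that an authentication-required endpoint will ever answer 200.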
2015-07-16 | Add param to configure HAProxy default maxconn (per frontend) | Giulio Fidente | 1 | -2/+8
The default per-frontend maxconn is set to 2000, which can easily be reached with modern hardware with multiple logical cores; this change adds a parameter to configure the default maxconn value, defaults it to 4096 and also increases the global maxconn to 20480 to preserve the 1:5 ratio. Change-Id: I3fffc51ecc704ceccb86ca008ecba02578c29eb5