From c372d01a9427d65ae44063adf68c78748770eac4 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 18 Apr 2017 14:49:09 +0300 Subject: Haproxy: When using TLS everywhere, use verifyhost for the balancermembers This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
---
 manifests/haproxy.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'manifests/haproxy.pp')
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a6bd1eb..d497056 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -718,6 +718,9 @@ class tripleo::haproxy (
 if $enable_internal_tls {
 $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ Haproxy::Balancermember {
+ verifyhost => true
+ }
 } else {
 $internal_tls_member_options = []
 }
-- cgit 1.2.3-korg
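Review bot: The `Haproxy::Balancermember { verifyhost => true }` default added in the `if $enable_internal_tls` branch is a Puppet resource default, so it is applied by scope to every balancermember declared from this class, not only to members that are given `$internal_tls_member_options`. HAProxy acts on `verifyhost` only for server lines that also carry `ssl` and `verify required`, so a member declared without those options would get the keyword but no hostname check. A member whose `server_names` differ from the names in the backend certificate's subjectAltName would fail verification and be marked down, assuming the module takes the `verifyhost` argument from `server_names`. I would add a comment above the default, for example `# verifyhost is built from server_names; they must match the backend certificate's subjectAltName`, and consider setting `verifyhost` explicitly on the members that use the TLS options. The class body starts and ends outside the hunk, so how the members are declared has to be confirmed there.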