Fix SSL/TLS ciphers/options for HAProxy services

* implement the same SSL/TLS ciphers as for Fuel master node (disable WEAK DHE ciphers but leave TLSv1 working: LP#1497195 * remove useless dh_param options because they not needed anymore * move the ciphers list to the cluster::haproxy parameters and don't repeat this list in the several configuration files (DRY) * prepare for an upgrade and move the options list to global settings too (DRY) (TODO) * ssl_default_ciphers can be changed by end user via hiera DocImpact Change-Id: I5e5784521641ea3bbe3c4aa40c581f996b268aad Closes-Bug: #1594359 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com> (cherry picked from commit 996058cadd)
2016-06-27 23:43:35 +03:00 · 2016-06-27 23:43:35 +03:00 · d5c3e19399
parent e283b62750
commit d5c3e19399
3 changed files with 54 additions and 49 deletions
--- a/deployment/puppet/cluster/manifests/haproxy.pp
+++ b/deployment/puppet/cluster/manifests/haproxy.pp
@ -20,10 +20,6 @@
 #   (optional) Log file location for haproxy.
 #   Defaults to '/var/log/haproxy.log'
 #
-# [*haproxy_ssl_default_dh_param*]
-#   (optional) Sets the maximum size of the Diffie-Hellman parameter.
-#   Defaults to '2048'
-#
 # [*primary_controller*]
 #   (optional) Flag to indicate if this is the primary controller
 #   Defaults to false
@ -45,18 +41,20 @@
 #   Defaults to ['127.0.0.1']
 #
 class cluster::haproxy (
-  $haproxy_maxconn              = '4000',
-  $haproxy_bufsize              = '16384',
-  $haproxy_maxrewrite           = '1024',
-  $haproxy_log_file             = '/var/log/haproxy.log',
-  $haproxy_ssl_default_dh_param = '2048',
-  $primary_controller           = false,
-  $debug                        = false,
-  $other_networks               = false,
-  $colocate_haproxy             = false,
-  $stats_ipaddresses            = ['127.0.0.1'],
-  $spread_checks                = '3',
-  $user_defined_options         = {}
+  $haproxy_maxconn      = '4000',
+  $haproxy_bufsize      = '16384',
+  $haproxy_maxrewrite   = '1024',
+  $haproxy_log_file     = '/var/log/haproxy.log',
+  $primary_controller   = false,
+  $debug                = false,
+  $other_networks       = false,
+  $colocate_haproxy     = false,
+  $stats_ipaddresses    = ['127.0.0.1'],
+  $spread_checks        = '3',
+  $user_defined_options = {},
+  $ssl_default_ciphers  = 'HIGH:!aNULL:!MD5:!kEDH',
+  #TODO(mmalchuk) use this after upgrade HAProxy to at least v1.5.7
+  #$ssl_default_options = 'no-sslv3 no-tls-tickets',
 ) {
  include ::concat::setup
  include ::haproxy::params
@ -70,17 +68,21 @@ class cluster::haproxy (
  #  and this override looks the only possible if
  #  upstream manifests must be kept intact
  $global_options   = {
-    'log'                       => '/dev/log local0',
-    'pidfile'                   => '/var/run/haproxy.pid',
-    'maxconn'                   => $haproxy_maxconn,
-    'user'                      => 'haproxy',
-    'group'                     => 'haproxy',
-    'daemon'                    => '',
-    'stats'                     => 'socket /var/lib/haproxy/stats',
-    'spread-checks'             => $spread_checks,
-    'tune.bufsize'              => $haproxy_bufsize,
-    'tune.maxrewrite'           => $haproxy_maxrewrite,
-    'tune.ssl.default-dh-param' => $haproxy_ssl_default_dh_param,
+    'log'                        => '/dev/log local0',
+    'pidfile'                    => '/var/run/haproxy.pid',
+    'maxconn'                    => $haproxy_maxconn,
+    'user'                       => 'haproxy',
+    'group'                      => 'haproxy',
+    'daemon'                     => '',
+    'stats'                      => 'socket /var/lib/haproxy/stats',
+    'spread-checks'              => $spread_checks,
+    'tune.bufsize'               => $haproxy_bufsize,
+    'tune.maxrewrite'            => $haproxy_maxrewrite,
+    'ssl-default-bind-ciphers'   => $ssl_default_ciphers,
+    'ssl-default-server-ciphers' => $ssl_default_ciphers,
+    #TODO(mmalchuk) use this after upgrade HAProxy to at least v1.5.7
+    #'ssl-default-bind-options'   => $ssl_default_options,
+    #'ssl-default-server-options' => $ssl_default_options,
  }

  $defaults_options = {
@ -106,7 +108,7 @@ class cluster::haproxy (

  $service_name = 'p_haproxy'

-  class { 'haproxy::base':
+  class { '::haproxy::base':
    global_options    => merge($global_options, $user_defined_options['global']),
    defaults_options  => merge($defaults_options, $user_defined_options['defaults']),
    stats_ipaddresses => $stats_ipaddresses,
@ -131,7 +133,7 @@ class cluster::haproxy (
    package_name => $haproxy::params::package_name,
  }

-  class { 'cluster::haproxy::rsyslog':
+  class { '::cluster::haproxy::rsyslog':
    log_file => $haproxy_log_file,
  }

@ -148,7 +150,7 @@ class cluster::haproxy (
  Service['haproxy']

  # Pacemaker
-  class { 'cluster::haproxy_ocf':
+  class { '::cluster::haproxy_ocf':
    debug            => $debug,
    other_networks   => $other_networks,
    colocate_haproxy => $colocate_haproxy,
--- a/deployment/puppet/openstack/manifests/ha/haproxy_service.pp
+++ b/deployment/puppet/openstack/manifests/ha/haproxy_service.pp
@ -97,13 +97,13 @@ define openstack::ha::haproxy_service (
  validate_bool($public)
  validate_bool($internal)

-  include openstack::ha::haproxy_restart
+  include ::openstack::ha::haproxy_restart

  if $public_ssl and !$public_ssl_path {
-    fail("You must set up path to public ssl keypair if you want to use public ssl")
+    fail('You must set up path to public ssl keypair if you want to use public ssl')
  }
  if $internal_ssl and !$internal_ssl_path {
-    fail("You must set up path to internal ssl keypair if you want to use internal ssl")
+    fail('You must set up path to internal ssl keypair if you want to use internal ssl')
  }
  if !($internal or $public) {
    fail('At least one of $public or $internal must be set to true')
@ -112,21 +112,22 @@ define openstack::ha::haproxy_service (
  if $public {
    $public_bind_address = suffix(any2array($public_virtual_ip), ":${listen_port}")
    if $public_ssl {
-      # TODO(sbog): add !SHA here as soon as all our clients will support TLS1.2
-      $public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
+      #TODO(mmalchuk) move options to the cluster::haproxy after upgrade HAProxy to at least v1.5.7
+      $public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path, 'no-sslv3', 'no-tls-tickets'])
    } else {
-      $public_bind = array_to_hash($public_bind_address, "")
+      $public_bind = array_to_hash($public_bind_address, '')
    }
  } else {
    $public_bind = {}
  }
+
  if $internal {
-    $internal_bind_address = suffix(any2array($internal_virtual_ip), ":$listen_port")
+    $internal_bind_address = suffix(any2array($internal_virtual_ip), ":${listen_port}")
    if $internal_ssl {
-      # TODO(sbog): add !SHA here too as soon as all our clients will support TLS1.2
-      $internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
+      #TODO(mmalchuk) move options to the cluster::haproxy after upgrade HAProxy to at least v1.5.7
+      $internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path, 'no-sslv3', 'no-tls-tickets'])
    } else {
-      $internal_bind = array_to_hash($internal_bind_address, "")
+      $internal_bind = array_to_hash($internal_bind_address, '')
    }
  } else {
    $internal_bind = {}
--- a/deployment/puppet/osnailyfacter/manifests/cluster_haproxy/cluster_haproxy.pp
+++ b/deployment/puppet/osnailyfacter/manifests/cluster_haproxy/cluster_haproxy.pp
@ -2,15 +2,16 @@ class osnailyfacter::cluster_haproxy::cluster_haproxy {

  notice('MODULAR: cluster_haproxy/cluster_haproxy.pp')

-  $network_scheme     = hiera_hash('network_scheme', {})
-  $management_vip     = hiera('management_vip')
-  $database_vip       = hiera('database_vip', '')
-  $service_endpoint   = hiera('service_endpoint', '')
-  $primary_controller = hiera('primary_controller')
-  $haproxy_hash       = hiera_hash('haproxy', {})
-  $external_lb        = hiera('external_lb', false)
+  $network_scheme      = hiera_hash('network_scheme', {})
+  $management_vip      = hiera('management_vip')
+  $database_vip        = hiera('database_vip', '')
+  $service_endpoint    = hiera('service_endpoint', '')
+  $primary_controller  = hiera('primary_controller')
+  $haproxy_hash        = hiera_hash('haproxy', {})
+  $external_lb         = hiera('external_lb', false)
  #FIXME(mattymo): Move colocations to a separate task
-  $colocate_haproxy   = hiera('colocate_haproxy', true)
+  $colocate_haproxy    = hiera('colocate_haproxy', true)
+  $ssl_default_ciphers = hiera('ssl_default_ciphers', 'HIGH:!aNULL:!MD5:!kEDH')

  $override_configuration = hiera_hash('configuration', {})
  $user_defined_options = $override_configuration['haproxy']
@ -26,7 +27,8 @@ class osnailyfacter::cluster_haproxy::cluster_haproxy {
      other_networks       => direct_networks($network_scheme['endpoints']),
      stats_ipaddresses    => $stats_ipaddresses,
      colocate_haproxy     => $colocate_haproxy,
-      user_defined_options => $user_defined_options
+      user_defined_options => $user_defined_options,
+      ssl_default_ciphers  => $ssl_default_ciphers,
    }
  }