b13fa5a92c
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
Harden the HAProxy TLS default configuration according to the mozilla
|
|
``modern`` recommendation:
|
|
|
|
`<https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7>`__
|
|
|
|
If you want to revert back to the old behaviour, e.g. because
|
|
you have old clients, you can do so by setting the following
|
|
variable in your globals.yml:
|
|
|
|
``kolla_haproxy_ssl_settings: legacy`` or if you want to have
|
|
at least some improved security settings:
|
|
``kolla_haproxy_ssl_settings: intermediate``
|
|
|
|
See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__
|
|
upgrade:
|
|
- |
|
|
If you have old clients that do not support the new TLS settings,
|
|
you can revert back to the old behaviour by setting the following
|
|
variable in your globals.yml:
|
|
|
|
``kolla_haproxy_ssl_settings: legacy`` or if you want to have
|
|
at least some improved security settings:
|
|
``kolla_haproxy_ssl_settings: intermediate``
|
|
|
|
See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__
|