openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes

Merge "Generate self-signed SSL per listen IP"

Browse Source
This commit is contained in:
Zuul
2021-06-25 17:21:17 +00:00
committed by Gerrit Code Review
parent 3139772435 f14ba91798
commit 1dc4fa621c
9 changed files with 112 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
templates/haproxy.cfg.j2
View File

@@ -40,7 +40,7 @@ defaults
{% if haproxy_stats_enabled | bool %}
listen stats
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if haproxy_stats_process is defined %}
bind-process {{ haproxy_stats_process }}

25
templates/service.j2
View File

@@ -12,22 +12,11 @@
{% set haproxy_check_port = item.service.haproxy_check_port %}
{% endif -%}
{% set vip_binds = [haproxy_bind_external_lb_vip_address] -%}
{%- if haproxy_bind_internal_lb_vip_address not in vip_binds %}
{% set _ = vip_binds.append(haproxy_bind_internal_lb_vip_address) %}
{% endif -%}
{% for vip_address in extra_lb_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{%- if item.service.haproxy_bind is defined %}
{% set vip_binds = item.service.haproxy_bind %}
{% endif -%}
{% if item.service.haproxy_bind is defined %}
{% set vip_binds = item.service.haproxy_bind %}
{% else %}
{% set vip_binds = _haproxy_tls_vip_binds + extra_lb_vip_addresses %}
{% endif %}
{% if not item.service.haproxy_backend_only | default(false) %}
{% for vip_bind in vip_binds %}
@@ -48,7 +37,7 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
{% endif %}
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if request_option == "http" %}
option httplog
@@ -75,7 +64,7 @@ frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
{% endif %}
{% endfor %}
{% endif %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
http-request add-header X-Forwarded-Proto https
{% endif %}
mode {{ item.service.haproxy_balance_type }}