Enable SSLProxyProtocol for internal backends behind TLS

In cases when internal backends are covered with TLS (ie `haproxy_ssl_all_vips` is set to True), Apache will fail to ProxyPass traffic if it needs to be encrypted. For that, SSL module should be installed and enabled as well as SSLProxyEngine should be turned on. We also introduce SSL protocol and cipher variables which will be used in the future to cover connection between HAProxy and Apache in the future, while now service the same purpose for the TLS proxy. Closes-Bug: #2077904 Change-Id: I7e7c7053cce96d774199f37c7255e70c49e2969a
2024-08-27 11:57:40 +02:00 · 2024-08-27 11:57:40 +02:00 · 93b7ef9b25
commit 93b7ef9b25
parent 60e7b4fc8a
3 changed files with 22 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -87,6 +87,15 @@ skyline_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
 skyline_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}"
 skyline_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}"

+## TLS configuration
+skyline_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
+# TLS v1.2 and below
+skyline_ssl_cipher_suite_tls12: >-
+  {{ ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}
+# TLS v1.3
+skyline_ssl_cipher_suite_tls13: >-
+  {{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}
+
 ## System User / Group
 skyline_system_user_name: skyline
 skyline_system_group_name: skyline
--- a/templates/skyline.vhost.j2
+++ b/templates/skyline.vhost.j2
@ -4,6 +4,17 @@ Listen {{ skyline_bind_address }}:{{ skyline_service_port }}
 <VirtualHost {{ skyline_bind_address }}:{{ skyline_service_port }}>
  DocumentRoot {{ skyline_lib_static_files }}

+  {% if ('https' in _endpoint_list.stdout | from_yaml | map(attribute='URL') | map('urlsplit') | map(attribute='scheme')) -%}
+  SSLProxyEngine On
+  SSLProxyProtocol {{ skyline_ssl_protocol }}
+  {%   if skyline_ssl_cipher_suite_tls12 != "" -%}
+  SSLProxyCipherSuite {{ skyline_ssl_cipher_suite_tls12 }}
+  {%   endif -%}
+  {%   if skyline_ssl_cipher_suite_tls13 != "" -%}
+  SSLProxyCipherSuite TLSv1.3 {{ skyline_ssl_cipher_suite_tls13 }}
+  {%   endif -%}
+  {% endif %}
+
  <Directory {{ skyline_lib_static_files }}>
    <FilesMatch "\.(html|css|js|jpg|jpeg|png|gif|ico|svg|eot|otf|woff|woff2|ttf)$">
      Header set Cache-Control "max-age=86400, public"
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -21,6 +21,7 @@ cache_timeout: 600
 skyline_distro_packages:
  - git
  - httpd
+  - mod_ssl

 skyline_system_service_name: httpd
 skyline_vhost_enable_path: /etc/httpd/conf.d
@ -28,6 +29,7 @@ skyline_vhost_enable_path: /etc/httpd/conf.d
 skyline_apache_default_sites:
  - "/etc/httpd/conf.d/userdir.conf"
  - "/etc/httpd/conf.d/welcome.conf"
+  - "/etc/httpd/conf.d/ssl.conf"

 skyline_apache_configs:
  - { src: "apache_ports.conf.j2", dest: "{{ skyline_vhost_enable_path }}/ports.conf", owner: "root", group: "root" }