From e0e56f57a0a54450038f6ff42ba3fcbf60d046d3 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Tue, 22 Sep 2015 19:14:15 -0700
Subject: [PATCH] Configure HAProxy SSL frontends with cipher suite
For increased security against possible SSL attacks, configure HAProxy SSL frontends with a cipher suite. Default to the existing ssl_cipher_suite variable defined in user_variables.
Change-Id: Ida64765bb4ebec0bbfa118e2eeedfb36ad2bd3f8
Closes-Bug: #1498726
---
 playbooks/roles/haproxy_server/defaults/main.yml | 1 +
 playbooks/roles/haproxy_server/templates/service.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/playbooks/roles/haproxy_server/defaults/main.yml b/playbooks/roles/haproxy_server/defaults/main.yml
index 2887e69508..8966039959 100644
--- a/playbooks/roles/haproxy_server/defaults/main.yml
+++ b/playbooks/roles/haproxy_server/defaults/main.yml
@@ -78,3 +78,4 @@ haproxy_ssl_key: /etc/ssl/private/haproxy.key
 haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
 haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
 haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
diff --git a/playbooks/roles/haproxy_server/templates/service.j2 b/playbooks/roles/haproxy_server/templates/service.j2
index 63dffb9f84..46da61c2d5 100644
--- a/playbooks/roles/haproxy_server/templates/service.j2
+++ b/playbooks/roles/haproxy_server/templates/service.j2
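Review bot: The new default `haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"` makes the role depend on a variable defined outside it, and nothing on that line documents the dependency or guards against the value being unset or empty, even though the defaults file is where a reader looks for the role's contract. An undefined `ssl_cipher_suite` fails the template task under Ansible's default undefined-variable handling, which at least fails closed, but an empty string presumably renders `ssl crt ... ciphers ` with no argument, which HAProxy's config check would likely reject; worth covering in the config test. A comment above the key would make the contract explicit: `# Cipher list passed to the 'ciphers' option on SSL bind lines; expects the global ssl_cipher_suite (set in user_variables) to be defined and non-empty`. Keeping the value quoted, as the hunk does, is right, since a cipher string containing ':' or '!' must not be read as YAML syntax.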
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 frontend {{ item.service.haproxy_service_name }}-front
-bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %}
+bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
 {% if item.service.haproxy_balance_type == "http" %}
 option httplog