From c9c6aa292be073477a3bccfeae3d56b1bb5794c7 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Thu, 17 Sep 2015 16:23:47 +0200
Subject: [PATCH] Changed the Diffie Hellman parameter maximum size

This introduces the variable haproxy_ssl_dh_param It sets the maximum size of the DH parameters used for generating key in DHE key exchange. Higher values increase CPU load but is more secure. This value is ignored if static DH params are given in cert file.

Change-Id: Idca02a8337fa3790ddfb849d9e2e87d60076c399
---
 playbooks/roles/haproxy_server/defaults/main.yml | 1 +
 playbooks/roles/haproxy_server/templates/haproxy.cfg.j2 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/playbooks/roles/haproxy_server/defaults/main.yml b/playbooks/roles/haproxy_server/defaults/main.yml
index cf1f6fb16f..2887e69508 100644
--- a/playbooks/roles/haproxy_server/defaults/main.yml
+++ b/playbooks/roles/haproxy_server/defaults/main.yml
@@ -71,6 +71,7 @@ haproxy_bind_on_non_local: False
 
 ## haproxy SSL
 haproxy_ssl: no
+haproxy_ssl_dh_param: 2048
 haproxy_ssl_self_signed_regen: no
 haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
 haproxy_ssl_key: /etc/ssl/private/haproxy.key
diff --git a/playbooks/roles/haproxy_server/templates/haproxy.cfg.j2 b/playbooks/roles/haproxy_server/templates/haproxy.cfg.j2
index 9f007ec0b0..f0c6fbad6d 100644
--- a/playbooks/roles/haproxy_server/templates/haproxy.cfg.j2
+++ b/playbooks/roles/haproxy_server/templates/haproxy.cfg.j2
@@ -10,6 +10,7 @@ global
     maxconn 4096
     tune.bufsize 384000
     stats socket /var/run/haproxy.stat level admin mode 600
+    {% if haproxy_ssl | bool %}tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}{% endif %}
 
 defaults
     log global
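Review bot: The new default `haproxy_ssl_dh_param: 2048` in defaults/main.yml carries no comment, so the semantics the commit message spells out — it is a maximum, it is ignored when the certificate file already contains static DH parameters, and larger values cost CPU on each DHE handshake — are invisible to an operator reading only the defaults file. Suggest adding directly above the line `# Maximum DH parameter size in bits for DHE key exchange; only applies when haproxy_ssl is enabled and the cert file has no static DH params.` The surrounding `## haproxy SSL` block is otherwise uncommented, so a single line keeps the file's sparse style.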
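Review bot: The rendered `tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}` line in haproxy.cfg.j2 passes the variable through unvalidated, so a non-numeric override, or one below the 1024-bit floor the HAProxy documentation lists for this directive, is only discovered when the service fails to reload rather than at playbook time. A minimal guard is `{% if haproxy_ssl | bool %}tune.ssl.default-dh-param {{ haproxy_ssl_dh_param | int }}{% endif %}`, ideally paired with an assert task on the variable in the role, though that would be outside this hunk. It would also help readers of the rendered config to note that this value is a cap — HAProxy sizes the ephemeral DH key from the server key up to this maximum — and that DH parameters above 1024 bits are known to break some legacy clients, so lowering it is a compatibility trade-off rather than a free change. When `haproxy_ssl` is false the conditional still leaves an indented blank line in the `global` section, which HAProxy tolerates; the `global` section itself continues beyond the hunk.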