openstack/openstack-ansible
Code Issues Proposed changes

Configure HAProxy SSL frontends with cipher suite

Browse Source 
For increased security against possible SSL attacks, configure HAProxy
SSL frontends with a cipher suite. Default to the existing
ssl_cipher_suite variable defined in user_variables.

Change-Id: Ida64765bb4ebec0bbfa118e2eeedfb36ad2bd3f8
Closes-Bug: #1498726
This commit is contained in:
Jimmy McCrory 2015-09-22 19:14:15 -07:00
parent b11ce56a41
commit e0e56f57a0
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
playbooks/roles/haproxy_server/defaults/main.yml
View File

@ -78,3 +78,4 @@ haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"

2
playbooks/roles/haproxy_server/templates/service.j2
View File

@ -1,7 +1,7 @@
# {{ ansible_managed }}
frontend {{ item.service.haproxy_service_name }}-front
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %}
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if item.service.haproxy_balance_type == "http" %}
option httplog