Configure HAProxy SSL frontends with cipher suite

For increased security against possible SSL attacks, configure HAProxy
SSL frontends with a cipher suite. Default to the existing
ssl_cipher_suite variable defined in user_variables.

Change-Id: Ida64765bb4ebec0bbfa118e2eeedfb36ad2bd3f8
Closes-Bug: #1498726
Jimmy McCrory 2015-09-22 19:14:15 -07:00
parent b11ce56a41
commit e0e56f57a0
2 changed files with 2 additions and 1 deletions


@ -78,3 +78,4 @@ haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
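Review bot: The new default on the last line takes `ssl_cipher_suite` straight from user_variables with no comment and no fallback, so a deployment that has not defined that variable presumably fails when the frontend template renders (or, if undefined-variable errors are disabled, emits a bare `ciphers` argument on the bind line that HAProxy will likely reject at config check). A comment above the key would tell a reader where the value comes from and where it is applied, e.g. `# Cipher list passed to "ciphers" on every SSL frontend bind; defaults to the global ssl_cipher_suite from user_variables.` If the role is meant to be reusable on its own, a `| default(...)` with a documented strong cipher list would make that dependency explicit rather than implicit.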


@ -1,7 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
frontend {{ item.service.haproxy_service_name }}-front frontend {{ item.service.haproxy_service_name }}-front
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %} bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if item.service.haproxy_balance_type == "http" %} {% if item.service.haproxy_balance_type == "http" %}
option httplog option httplog