Add TLS proxy resource

some services need a terminating proxy to do TLS on their main interfaces, to address this, we use httpd's mod_proxy and make it listen in front of these services with an appropriate certificate. bp tls-via-certmonger Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
2016-12-12 15:00:58 +02:00 · 2016-12-12 15:00:58 +02:00 · d4453c95d9
commit d4453c95d9
parent 48eef39ca3
1 changed files with 60 additions and 0 deletions
--- a/manifests/tls_proxy.pp
+++ b/manifests/tls_proxy.pp
@ -0,0 +1,60 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::tls_proxy
+#
+# Sets up a TLS proxy using mod_proxy that redirects towards localhost.
+#
+# === Parameters
+#
+# [*ip*]
+#   The IP address that the proxy will be listening on.
+#
+# [*port*]
+#   The port that the proxy will be listening on.
+#
+# [*servername*]
+#   The vhost servername that contains the FQDN to identify the virtual host.
+#
+# [*tls_cert*]
+#   The path to the TLS certificate that the proxy will be serving.
+#
+# [*tls_key*]
+#   The path to the key used for the specified certificate.
+#
+define tripleo::tls_proxy(
+  $ip,
+  $port,
+  $servername,
+  $tls_cert,
+  $tls_key,
+) {
+  ::apache::vhost { "${title}-proxy":
+    ensure          => 'present',
+    docroot         => undef,  # This is required by the manifest
+    manage_docroot  => false,
+    servername      => $servername,
+    ip              => $ip,
+    port            => $port,
+    ssl             => true,
+    ssl_cert        => $tls_cert,
+    ssl_key         => $tls_key,
+    request_headers => ['set X-Forwarded-Proto "https"'],
+    proxy_pass      => {
+      path   => '/',
+      url    => "http://localhost:${port}/",
+      params => {retry => '10'},
+    }
+  }
+}