From d4453c95d97eec0f45aa0db1d685935d63037fac Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 12 Dec 2016 15:00:58 +0200
Subject: [PATCH] Add TLS proxy resource

some services need a terminating proxy to do TLS on their main interfaces, to address this, we use httpd's mod_proxy and make it listen in front of these services with an appropriate certificate.

bp tls-via-certmonger

Change-Id: I82243fd3acfe4f23aab373116b78e1daf9d08467
---
 manifests/tls_proxy.pp | 60 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 manifests/tls_proxy.pp

diff --git a/manifests/tls_proxy.pp b/manifests/tls_proxy.pp
new file mode 100644
index 000000000..36d6b6d1c
--- /dev/null
+++ b/manifests/tls_proxy.pp
@@ -0,0 +1,60 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::tls_proxy
+#
+# Sets up a TLS proxy using mod_proxy that redirects towards localhost.
+#
+# === Parameters
+#
+# [*ip*]
+# The IP address that the proxy will be listening on.
+#
+# [*port*]
+# The port that the proxy will be listening on.
+#
+# [*servername*]
+# The vhost servername that contains the FQDN to identify the virtual host.
+#
+# [*tls_cert*]
+# The path to the TLS certificate that the proxy will be serving.
+#
+# [*tls_key*]
+# The path to the key used for the specified certificate.
+#
+define tripleo::tls_proxy(
+ $ip,
+ $port,
+ $servername,
+ $tls_cert,
+ $tls_key,
+) {
+ ::apache::vhost { "${title}-proxy":
+ ensure => 'present',
+ docroot => undef, # This is required by the manifest
+ manage_docroot => false,
+ servername => $servername,
+ ip => $ip,
+ port => $port,
+ ssl => true,
+ ssl_cert => $tls_cert,
+ ssl_key => $tls_key,
+ request_headers => ['set X-Forwarded-Proto "https"'],
+ proxy_pass => {
+ path => '/',
+ url => "http://localhost:${port}/",
+ params => {retry => '10'},
+ }
+ }
+}
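Review bot: The header comment near the top of the hunk reads `# == Class: tripleo::tls_proxy`, but the resource is a `define`, so the heading should read `# == Define: tripleo::tls_proxy`. The vhost listens on `$ip:$port` while forwarding to `http://localhost:${port}/`, which only works when the proxied service is bound to the loopback address on that same port and `$ip` is a non-loopback address; neither assumption is stated anywhere in the header. I would add above the `define` a comment such as `# The proxied service is expected to listen on 127.0.0.1:$port only; $ip must therefore be a non-loopback address, otherwise the vhost and the backend would contend for the same port.` Nothing in this hunk sets ssl_protocol or ssl_cipher, so the accepted protocol versions and ciphers presumably come from the apache module's global SSL settings — worth confirming that those defaults are the intended policy for an externally reachable endpoint.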