kolla-ansible

History

Sven Kieske b13fa5a92c harden haproxy TLS configuration harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6	2024-08-30 14:54:25 +02:00
..
haproxy-guide.rst	harden haproxy TLS configuration	2024-08-30 14:54:25 +02:00
index.rst	Allow user to set sysctl_net_ipv4_tcp_retries2	2021-06-23 10:34:12 +00:00

harden the TLS default config according to the mozilla
"modern" recommendation:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7

if you want to revert to the old settings, set:

kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate"
for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings
in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference
it from the haproxy-guide.

Closes-Bug: #2060787

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

2024-08-30 14:54:25 +02:00

haproxy-guide.rst

harden haproxy TLS configuration

2024-08-30 14:54:25 +02:00

index.rst

Allow user to set sysctl_net_ipv4_tcp_retries2

2021-06-23 10:34:12 +00:00