From e86139506d87e0c797f2449835dd5418571fde8f Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Thu, 14 Apr 2016 15:42:13 -0500
Subject: [PATCH] Enable SSL termination for all services
This change makes it so that all services are expecting SSL termination at the load balancer by default. This is more indicative of how a real world deployment will be setup and is being added such that we can test a more production like deployment system by default. The AIO will now terminate SSL in HAProxy using a self-signed cert.
Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1
Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00
Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6
Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859
Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151
Co-Authored-By: Logan V
Signed-off-by: Logan V
Signed-off-by: Kevin Carter
---
defaults/main.yml | 4 +-
tasks/haproxy_service_config.yml | 5 ++
templates/service.j2 | 136 ++++++++++++++++++++++---------
3 files changed, 105 insertions(+), 40 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e771157..749dc05 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -75,12 +75,12 @@ galera_monitoring_user: monitoring
 haproxy_bind_on_non_local: False
 
 ## haproxy SSL
-haproxy_ssl: no
+haproxy_ssl: true
 haproxy_ssl_dh_param: 2048
 haproxy_ssl_self_signed_regen: no
 haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
 haproxy_ssl_key: /etc/ssl/private/haproxy.key
 haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
 haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
-haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
 haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
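Review bot: The new `haproxy_ssl_self_signed_subject` line moves the CN to the external VIP, but the `/subjectAltName=IP.1=...` component is part of the DN string and, if this value is handed to `openssl -subj` as the variable name suggests, it does not produce a subjectAltName extension — so now that SSL is on by default, a verifying client that reaches `internal_lb_vip_address` gets a name mismatch because no name on the certificate covers it. A SAN listing both VIPs has to be supplied through an OpenSSL extensions section rather than the subject string; at minimum a comment such as `# NOTE: the self-signed cert is only valid for the external VIP; the subjectAltName component of -subj does not create a SAN` should document the limitation. Also, `haproxy_ssl` becomes `true` while the neighbouring `haproxy_ssl_self_signed_regen: no` and `haproxy_bind_on_non_local: False` keep YAML 1.1-style booleans; writing all three as `true`/`false` keeps the file consistent and avoids truthy ambiguity across parsers.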
diff --git a/tasks/haproxy_service_config.yml b/tasks/haproxy_service_config.yml
index c0c8e7f..2041838 100644
--- a/tasks/haproxy_service_config.yml
+++ b/tasks/haproxy_service_config.yml
@@ -18,6 +18,11 @@
 src: service.j2
 dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
 with_items: haproxy_service_configs
+ when: >
+ (item.service.haproxy_backend_nodes is defined and
+ item.service.haproxy_backend_nodes | length > 0) or
+ (item.service.haproxy_backup_nodes is defined and
+ item.service.haproxy_backup_nodes | length > 0)
 notify: Restart haproxy
 tags:
 - haproxy-service-config
diff --git a/templates/service.j2 b/templates/service.j2
index 46da61c..86e5e3d 100644
--- a/templates/service.j2
+++ b/templates/service.j2
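Review bot: The added `when` admits a service that has only `haproxy_backup_nodes`, but the template loop `{% for host_name in item.service.haproxy_backend_nodes %}` in templates/service.j2 has no `| default([])` (the backup loop does), so such a service fails to render on an undefined variable; either add `| default([])` to that loop or drop the backup clause from this condition. Skipping the task also leaves a previously written `/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}` in place when a service's node lists later become empty, so a stale frontend keeps being loaded; a `file:` task with `state: absent` under the inverse condition would complete the change. The task's `template:` header begins above the hunk.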
@@ -1,56 +1,116 @@ # {{ ansible_managed }} -frontend {{ item.service.haproxy_service_name }}-front -bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %} - -{% if item.service.haproxy_balance_type == "http" %} - option httplog - option forwardfor except 127.0.0.0/8 - option http-server-close - - {%- set request_option = "http" %} -{% else %} - option tcplog - {%- set request_option = "tcp" %} -{% endif %} - -{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %} - reqadd X-Forwarded-Proto:\ https -{% endif %} - -{% if item.service.haproxy_timeout_client is defined %} - timeout client {{ item.service.haproxy_timeout_client }} -{% endif %} - -{% if item.service.haproxy_whitelist_hosts is defined and item.service.haproxy_whitelist_hosts == true %} - acl white_list src 127.0.0.1/8 10.0.3.0/24 {{ container_cidr }} - - {{ request_option }}-request content accept if white_list - {{ request_option }}-request content reject -{% endif %} - - mode {{ item.service.haproxy_balance_type }} - default_backend {{ item.service.haproxy_service_name }}-back - - +{% set request_option = item.service.haproxy_balance_type | default("http") -%} {% if item.service.haproxy_backend_port is not defined %} {% set haproxy_backend_port = item.service.haproxy_port %} {% else %} {% set haproxy_backend_port = item.service.haproxy_backend_port %} +{% endif -%} + +{% set vip_binds = [external_lb_vip_address] -%} +{%- if internal_lb_vip_address not in vip_binds %} + {% set _ = vip_binds.append(internal_lb_vip_address) %} +{% endif -%} + +{%- if extra_lb_vip_addresses is defined %} +{% for vip_address in extra_lb_vip_addresses %} + {% set _ = vip_binds.append(vip_address) %} +{% endfor %} +{% endif -%} + +{%- if item.service.haproxy_bind is defined %} + {% if item.service.haproxy_bind not in 
vip_binds %} + {% set _ = vip_binds.append(item.service.haproxy_bind) %} + {% endif %} +{% endif -%} + +{% for vip_bind in vip_binds %} +{% if item.service.haproxy_redirect_http_port is defined %} +{% if (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %} + +frontend {{ item.service.haproxy_service_name }}-redirect-front-{{ loop.index }} +bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }} + mode http + redirect scheme https if !{ ssl_fc } {% endif %} +{% endif %} + +frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }} + bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %} + +{% if request_option == "http" %} + option httplog + option forwardfor except 127.0.0.0/8 + option http-server-close +{% elif request_option == "tcp" %} + option tcplog +{% endif %} +{% if item.service.haproxy_timeout_client is defined %} + timeout client {{ item.service.haproxy_timeout_client }} +{% endif %} +{% if item.service.haproxy_whitelist_networks is defined %} + acl white_list src 127.0.0.1/8 {{ item.service.haproxy_whitelist_networks | join(' ') }} + tcp-request content accept if white_list + tcp-request content reject +{% endif %} +{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %} + reqadd X-Forwarded-Proto:\ https +{% endif %} + mode {{ item.service.haproxy_balance_type }} + default_backend {{ item.service.haproxy_service_name }}-back +{% endfor %} + +{% set backend_options = item.service.haproxy_backend_options|default([]) %} backend {{ item.service.haproxy_service_name }}-back mode {{ item.service.haproxy_balance_type }} balance {{ 
item.service.haproxy_balance_alg|default("leastconn") }} -{% for option in item.service.haproxy_backend_options|default([]) %} - option {{ option }} -{% endfor %} {% if item.service.haproxy_timeout_server is defined %} timeout server {{ item.service.haproxy_timeout_server }} {% endif %} + stick store-request src + stick-table type ip size 256k expire 30m +{% if request_option == "http" %} + option forwardfor + option httplog +{% elif request_option == "tcp" %} + option tcplog +{% endif %} +{% for option in backend_options %} + option {{ option }} +{% endfor %} + {% for host_name in item.service.haproxy_backend_nodes %} - server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} +{% set entry = [] %} +{% set _ = entry.append("server") %} +{% set _ = entry.append(host_name | string) %} +{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %} +{% set _ = entry.append("check") %} +{% set _ = entry.append("port") %} +{% set _ = entry.append(haproxy_backend_port | string) %} +{% set _ = entry.append("inter") %} +{% set _ = entry.append(haproxy_interval | string) %} +{% set _ = entry.append("rise") %} +{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %} +{% set _ = entry.append("fall") %} +{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %} + {{ entry | join(' ') }} {% endfor %} + {% for host_name in item.service.haproxy_backup_nodes|default([]) %} - server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} backup +{% set entry = [] %} +{% set _ = 
entry.append("server") %} +{% set _ = entry.append(host_name | string) %} +{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %} +{% set _ = entry.append("check") %} +{% set _ = entry.append("port") %} +{% set _ = entry.append(haproxy_backend_port | string) %} +{% set _ = entry.append("inter") %} +{% set _ = entry.append(haproxy_interval | string) %} +{% set _ = entry.append("rise") %} +{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %} +{% set _ = entry.append("fall") %} +{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %} +{% set _ = entry.append("backup") %} + {{ entry | join(' ') }} {% endfor %}
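Review bot: The whitelist ACL is now keyed only on `item.service.haproxy_whitelist_networks`, and nothing in the template honours the old `haproxy_whitelist_hosts` flag any more, so a service definition that still sets `haproxy_whitelist_hosts: true` renders with no `acl white_list` and its frontend accepts connections from any source; unless every consumer is updated by the Depends-On changes, a fallback such as `{% if item.service.haproxy_whitelist_networks is defined or item.service.haproxy_whitelist_hosts | default(false) | bool %}` or a deliberate render failure would be safer than silently dropping the restriction. In the backend stanza `stick store-request src` is added without a `stick match src`, so the table is populated but never consulted for persistence; if stickiness is intended, `stick on src` is the one-line equivalent of both, otherwise a comment should state that the table is only tracking sources. `request_option` defaults `haproxy_balance_type` to `"http"`, but the two `mode {{ item.service.haproxy_balance_type }}` lines do not, so a service without `haproxy_balance_type` fails to render; using `mode {{ request_option }}` in both places keeps them consistent. The two server-entry blocks are byte-for-byte duplicates apart from the node list and the trailing `backup`, which a Jinja macro taking the host list and a suffix would remove.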