Enable SSL termination for all services
This change makes all services expect SSL termination at the load balancer by default. This is more representative of how a real-world deployment will be set up and is being added so that we can test a more production-like deployment system by default. The AIO will now terminate SSL in HAProxy using a self-signed cert. Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1 Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00 Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6 Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859 Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151 Co-Authored-By: Logan V <logan2211@gmail.com> Signed-off-by: Logan V <logan2211@gmail.com> Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
parent
465e8b3280
commit
e86139506d
@ -75,12 +75,12 @@ galera_monitoring_user: monitoring
|
||||
haproxy_bind_on_non_local: False
|
||||
|
||||
## haproxy SSL
|
||||
haproxy_ssl: no
|
||||
haproxy_ssl: true
|
||||
haproxy_ssl_dh_param: 2048
|
||||
haproxy_ssl_self_signed_regen: no
|
||||
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
|
||||
haproxy_ssl_key: /etc/ssl/private/haproxy.key
|
||||
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
|
||||
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
|
||||
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
||||
|
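Review bot: The new `haproxy_ssl_self_signed_subject` value carries `subjectAltName=IP.1={{ external_lb_vip_address }}` inside the `-subj` distinguished-name string; if that string is handed straight to `openssl req -subj` (the generation task is not in this hunk), it is parsed as an unknown DN attribute rather than a SAN extension, and clients that ignore CN for IP addresses will not match the external VIP. A real SAN has to be supplied through an extension config section or `-addext` (OpenSSL 1.1.1+), and the defaults file should say so, e.g. `# NOTE: a subjectAltName inside -subj does not yield a SAN extension; see the cert-generation task`. Because `haproxy_ssl: true` is now the default together with a self-signed cert, it is also worth a comment next to `haproxy_ssl_ca_cert` stating that consumers are expected to trust that file (or the cert itself) rather than turn off verification.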
@ -18,6 +18,11 @@
|
||||
src: service.j2
|
||||
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
|
||||
with_items: haproxy_service_configs
|
||||
when: >
|
||||
(item.service.haproxy_backend_nodes is defined and
|
||||
item.service.haproxy_backend_nodes | length > 0) or
|
||||
(item.service.haproxy_backup_nodes is defined and
|
||||
item.service.haproxy_backup_nodes | length > 0)
|
||||
notify: Restart haproxy
|
||||
tags:
|
||||
- haproxy-service-config
|
||||
|
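Review bot: The new `when` clause lets the template render for a service that defines only `haproxy_backup_nodes`, but the service template in this same commit iterates `item.service.haproxy_backend_nodes` with no `default([])`, so that case fails at render time instead of producing a backup-only backend; either drop the backup-nodes branch from the condition or guard the template loop with `| default([])`. When the condition is false the task is skipped and a `/etc/haproxy/conf.d/<service>` file written by an earlier run stays in place, so a service whose node list was emptied keeps its stale backends until the file is removed by hand; a paired `file: state=absent` task for the skipped case would close that. The task's `name` line sits above this hunk.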
@ -1,56 +1,116 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
frontend {{ item.service.haproxy_service_name }}-front
|
||||
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
|
||||
|
||||
{% if item.service.haproxy_balance_type == "http" %}
|
||||
option httplog
|
||||
option forwardfor except 127.0.0.0/8
|
||||
option http-server-close
|
||||
|
||||
{%- set request_option = "http" %}
|
||||
{% else %}
|
||||
option tcplog
|
||||
{%- set request_option = "tcp" %}
|
||||
{% endif %}
|
||||
|
||||
{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
|
||||
reqadd X-Forwarded-Proto:\ https
|
||||
{% endif %}
|
||||
|
||||
{% if item.service.haproxy_timeout_client is defined %}
|
||||
timeout client {{ item.service.haproxy_timeout_client }}
|
||||
{% endif %}
|
||||
|
||||
{% if item.service.haproxy_whitelist_hosts is defined and item.service.haproxy_whitelist_hosts == true %}
|
||||
acl white_list src 127.0.0.1/8 10.0.3.0/24 {{ container_cidr }}
|
||||
|
||||
{{ request_option }}-request content accept if white_list
|
||||
{{ request_option }}-request content reject
|
||||
{% endif %}
|
||||
|
||||
mode {{ item.service.haproxy_balance_type }}
|
||||
default_backend {{ item.service.haproxy_service_name }}-back
|
||||
|
||||
|
||||
{% set request_option = item.service.haproxy_balance_type | default("http") -%}
|
||||
{% if item.service.haproxy_backend_port is not defined %}
|
||||
{% set haproxy_backend_port = item.service.haproxy_port %}
|
||||
{% else %}
|
||||
{% set haproxy_backend_port = item.service.haproxy_backend_port %}
|
||||
{% endif -%}
|
||||
|
||||
{% set vip_binds = [external_lb_vip_address] -%}
|
||||
{%- if internal_lb_vip_address not in vip_binds %}
|
||||
{% set _ = vip_binds.append(internal_lb_vip_address) %}
|
||||
{% endif -%}
|
||||
|
||||
{%- if extra_lb_vip_addresses is defined %}
|
||||
{% for vip_address in extra_lb_vip_addresses %}
|
||||
{% set _ = vip_binds.append(vip_address) %}
|
||||
{% endfor %}
|
||||
{% endif -%}
|
||||
|
||||
{%- if item.service.haproxy_bind is defined %}
|
||||
{% if item.service.haproxy_bind not in vip_binds %}
|
||||
{% set _ = vip_binds.append(item.service.haproxy_bind) %}
|
||||
{% endif %}
|
||||
{% endif -%}
|
||||
|
||||
{% for vip_bind in vip_binds %}
|
||||
{% if item.service.haproxy_redirect_http_port is defined %}
|
||||
{% if (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
|
||||
|
||||
frontend {{ item.service.haproxy_service_name }}-redirect-front-{{ loop.index }}
|
||||
bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
|
||||
mode http
|
||||
redirect scheme https if !{ ssl_fc }
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
|
||||
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
|
||||
|
||||
{% if request_option == "http" %}
|
||||
option httplog
|
||||
option forwardfor except 127.0.0.0/8
|
||||
option http-server-close
|
||||
{% elif request_option == "tcp" %}
|
||||
option tcplog
|
||||
{% endif %}
|
||||
{% if item.service.haproxy_timeout_client is defined %}
|
||||
timeout client {{ item.service.haproxy_timeout_client }}
|
||||
{% endif %}
|
||||
{% if item.service.haproxy_whitelist_networks is defined %}
|
||||
acl white_list src 127.0.0.1/8 {{ item.service.haproxy_whitelist_networks | join(' ') }}
|
||||
tcp-request content accept if white_list
|
||||
tcp-request content reject
|
||||
{% endif %}
|
||||
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
|
||||
reqadd X-Forwarded-Proto:\ https
|
||||
{% endif %}
|
||||
mode {{ item.service.haproxy_balance_type }}
|
||||
default_backend {{ item.service.haproxy_service_name }}-back
|
||||
{% endfor %}
|
||||
|
||||
{% set backend_options = item.service.haproxy_backend_options|default([]) %}
|
||||
|
||||
backend {{ item.service.haproxy_service_name }}-back
|
||||
mode {{ item.service.haproxy_balance_type }}
|
||||
balance {{ item.service.haproxy_balance_alg|default("leastconn") }}
|
||||
{% for option in item.service.haproxy_backend_options|default([]) %}
|
||||
option {{ option }}
|
||||
{% endfor %}
|
||||
{% if item.service.haproxy_timeout_server is defined %}
|
||||
timeout server {{ item.service.haproxy_timeout_server }}
|
||||
{% endif %}
|
||||
stick store-request src
|
||||
stick-table type ip size 256k expire 30m
|
||||
{% if request_option == "http" %}
|
||||
option forwardfor
|
||||
option httplog
|
||||
{% elif request_option == "tcp" %}
|
||||
option tcplog
|
||||
{% endif %}
|
||||
{% for option in backend_options %}
|
||||
option {{ option }}
|
||||
{% endfor %}
|
||||
|
||||
{% for host_name in item.service.haproxy_backend_nodes %}
|
||||
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }}
|
||||
{% set entry = [] %}
|
||||
{% set _ = entry.append("server") %}
|
||||
{% set _ = entry.append(host_name | string) %}
|
||||
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
|
||||
{% set _ = entry.append("check") %}
|
||||
{% set _ = entry.append("port") %}
|
||||
{% set _ = entry.append(haproxy_backend_port | string) %}
|
||||
{% set _ = entry.append("inter") %}
|
||||
{% set _ = entry.append(haproxy_interval | string) %}
|
||||
{% set _ = entry.append("rise") %}
|
||||
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
|
||||
{% set _ = entry.append("fall") %}
|
||||
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
|
||||
{{ entry | join(' ') }}
|
||||
{% endfor %}
|
||||
|
||||
{% for host_name in item.service.haproxy_backup_nodes|default([]) %}
|
||||
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} backup
|
||||
{% set entry = [] %}
|
||||
{% set _ = entry.append("server") %}
|
||||
{% set _ = entry.append(host_name | string) %}
|
||||
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
|
||||
{% set _ = entry.append("check") %}
|
||||
{% set _ = entry.append("port") %}
|
||||
{% set _ = entry.append(haproxy_backend_port | string) %}
|
||||
{% set _ = entry.append("inter") %}
|
||||
{% set _ = entry.append(haproxy_interval | string) %}
|
||||
{% set _ = entry.append("rise") %}
|
||||
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
|
||||
{% set _ = entry.append("fall") %}
|
||||
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
|
||||
{% set _ = entry.append("backup") %}
|
||||
{{ entry | join(' ') }}
|
||||
{% endfor %}
|
||||
|
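Review bot: `reqadd X-Forwarded-Proto:\ https` appends the header without removing one the client already sent, and the plain-HTTP frontends generated for the remaining VIPs (`loop.index > 1` without `haproxy_ssl_all_vips`) never set or strip it, so a client on a non-TLS VIP can assert `X-Forwarded-Proto: https` and any backend that trusts the header for scheme or secure-cookie decisions is misled. Delete the client-supplied value first and set the header on every http frontend: `reqidel ^X-Forwarded-Proto:.*` followed by `reqadd X-Forwarded-Proto:\ https` on TLS binds and `reqadd X-Forwarded-Proto:\ http` on the others. The `bind ... ssl crt ...` line limits ciphers through `haproxy_ssl_cipher_suite` but not protocol versions; appending `no-sslv3` to it keeps SSLv3 disabled regardless of the cipher list. The whitelist ACL uses `127.0.0.1/8` while the `forwardfor except` line uses `127.0.0.0/8`; HAProxy should apply the mask either way, but matching the notation avoids a reader second-guessing it.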