Add option for HAproxy to act a SSL frontend termination point for loadbalanced RGW...
authorStanley Lam <stanleylam_604@hotmail.com>
Thu, 21 Nov 2019 22:40:51 +0000 (14:40 -0800)
committerDimitri Savineau <savineau.dimitri@gmail.com>
Mon, 3 Feb 2020 14:32:43 +0000 (09:32 -0500)
Signed-off-by: Stanley Lam <stanleylam_604@hotmail.com>
(cherry picked from commit ad7a5dad3f0b3f731107d3f7f1011dc129135e9a)

group_vars/rgwloadbalancers.yml.sample
roles/ceph-rgw-loadbalancer/defaults/main.yml
roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2

index 05e9e573be6977455fe901e04aa15d5b37f34a37..a026c939ddef02f93556309e49e409e0fd4631c4 100644 (file)
@@ -14,6 +14,17 @@ dummy:
 ###########
 
 #haproxy_frontend_port: 80
+#haproxy_frontend_ssl_port: 443
+#haproxy_frontend_ssl_certificate:
+#haproxy_ssl_dh_param: 4096
+#haproxy_ssl_ciphers:
+#  - EECDH+AESGCM
+#  - EDH+AESGCM
+#haproxy_ssl_options:
+#  - no-sslv3
+#  - no-tlsv10
+#  - no-tlsv11
+#  - no-tls-tickets
 #
 #virtual_ips:
 #   - 192.168.238.250
index 69370c2bc91f161c8bc79eb0c5b2c622574adb0b..3db54395ca4edcca2a855d0be1dbb3a4af00f795 100644 (file)
@@ -6,6 +6,17 @@
 ###########
 
 haproxy_frontend_port: 80
+haproxy_frontend_ssl_port: 443
+haproxy_frontend_ssl_certificate:
+haproxy_ssl_dh_param: 4096
+haproxy_ssl_ciphers:
+  - EECDH+AESGCM
+  - EDH+AESGCM
+haproxy_ssl_options:
+  - no-sslv3
+  - no-tlsv10
+  - no-tlsv11
+  - no-tls-tickets
 #
 #virtual_ips:
 #   - 192.168.238.250
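Review bot: The new variables in roles/ceph-rgw-loadbalancer/defaults/main.yml have no comments, and `haproxy_frontend_ssl_certificate` does not say what value it expects or that setting it is what switches the frontend to TLS. A comment above it such as `# Path on the load balancer host to a PEM file (certificate chain plus private key); leave empty to serve plain HTTP` would cover this. Because that file holds the private key, the comment should also say it must not be world-readable, and that the operator has to place it, since nothing in this diff deploys it. The same comment belongs in the commented copy in group_vars/rgwloadbalancers.yml.sample.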
index 31fc3dd30c1518afa41c6525156a35ad2371b1bd..c7c08b7262556d6ee2fab6d1cb3dbea565a54a1c 100644 (file)
@@ -9,7 +9,11 @@ global
     group       haproxy
     daemon
     stats socket /var/lib/haproxy/stats
-
+{%- if haproxy_frontend_ssl_certificate %}
+    tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}
+    ssl-default-bind-ciphers {{ haproxy_ssl_ciphers | join(':') }}
+    ssl-default-bind-options {{ haproxy_ssl_options | join(' ') }}
+{% endif %}
 defaults
     mode                    http
     log                     global
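Review bot: The opening tag `{%- if haproxy_frontend_ssl_certificate %}` uses the whitespace-stripping form, which removes the newline after `stats socket /var/lib/haproxy/stats`, while the frontend conditional later in this file uses plain `{% if %}`. Whether the next directive still lands on its own line then depends on the template's `trim_blocks` setting, which is not visible here; Ansible's template module enables it by default. If it is on, `tune.ssl.default-dh-param` (or `defaults` when no certificate is set) would be fused onto the `stats socket` line. Using `{% if haproxy_frontend_ssl_certificate %}` here as well makes both conditionals consistent. Checking the rendered file with `haproxy -c -f` for both the TLS and the plain case would confirm the result.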
@@ -29,7 +33,11 @@ defaults
     maxconn                 8000
 
 frontend rgw-frontend
+{% if haproxy_frontend_ssl_certificate %}
+    bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}
+{% else %}
     bind *:{{ haproxy_frontend_port }}
+{% endif %}
     default_backend rgw-backend
 
 backend rgw-backend
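Review bot: In `frontend rgw-frontend` the TLS `bind` replaces the plain one instead of being added to it, so once a certificate is configured nothing listens on `haproxy_frontend_port` and existing HTTP clients get a refused connection rather than an upgrade. If that is intended, it deserves a comment in the template. Otherwise, keep `bind *:{{ haproxy_frontend_port }}` outside the conditional and add `http-request redirect scheme https unless { ssl_fc }` inside the TLS branch. The certificate path is also interpolated into the `bind` line unquoted, so a path containing spaces would break the directive. The `backend rgw-backend` section continues outside this hunk, so whether traffic to the RGW instances stays unencrypted after termination cannot be judged from here.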