Generate self-signed SSL per listen IP

We're adding an option to have a certificate per VIP
address. Currently it's used only for creating self-signed
certificates, signed with the internal CA, for each VIP. Follow-up
patches will also allow providing user-supplied certificates
per VIP, making it possible to cover internal and external
endpoints with different non-wildcard certs.
Change-Id: I0a9eb7689eb42b50daf5c94c874bb7429b271efe
Dmitriy Rabotyagov
2021年06月17日 21:31:50 +03:00
committed by Amy Marrich
parent f058cf8d61
commit f14ba91798


@@ -40,7 +40,7 @@ defaults
{% if haproxy_stats_enabled | bool %}
listen stats
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if haproxy_stats_process is defined %}
bind-process {{ haproxy_stats_process }}
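Review bot: The stats listener now presents `haproxy_{{ hostname }}-{{ haproxy_bind_internal_lb_vip_address }}.pem` while binding to `haproxy_stats_bind_address`, and nothing here ties those two variables together; if they differ, the self-signed certificate presumably carries the internal VIP as its name/SAN and clients reaching the stats address will get a hostname mismatch. Either derive the file name from `haproxy_stats_bind_address` (and generate a cert for it) or state the constraint in the template, e.g. `{# stats reuse the internal-VIP cert: haproxy_stats_bind_address must be the internal VIP for the cert to validate #}` above the `bind` line. The `listen stats` block continues beyond this hunk.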


@@ -12,22 +12,11 @@
{% set haproxy_check_port = item.service.haproxy_check_port %}
{% endif -%}
{% set vip_binds = [haproxy_bind_external_lb_vip_address] -%}
{%- if haproxy_bind_internal_lb_vip_address not in vip_binds %}
{% set _ = vip_binds.append(haproxy_bind_internal_lb_vip_address) %}
{% endif -%}
{% for vip_address in extra_lb_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{%- if item.service.haproxy_bind is defined %}
{% set vip_binds = item.service.haproxy_bind %}
{% endif -%}
{% if item.service.haproxy_bind is defined %}
{% set vip_binds = item.service.haproxy_bind %}
{% else %}
{% set vip_binds = _haproxy_tls_vip_binds + extra_lb_vip_addresses %}
{% endif %}
{% if not item.service.haproxy_backend_only | default(false) %}
{% for vip_bind in vip_binds %}
@@ -48,7 +37,7 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
{% endif %}
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if request_option == "http" %}
option httplog
@@ -75,7 +64,7 @@ frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
{% endif %}
{% endfor %}
{% endif %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
http-request add-header X-Forwarded-Proto https
{% endif %}
mode {{ item.service.haproxy_balance_type }}
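Review bot: The new `ssl crt` path on the frontend `bind` line is derived from `vip_bind`, but in the override branch `{% set vip_binds = item.service.haproxy_bind %}` those addresses need not be in `_haproxy_tls_vip_binds`, so the first of them (or all of them with `haproxy_ssl_all_vips`) will point HAProxy at a `haproxy_<hostname>-<addr>.pem` that only exists if certificate generation also iterates over user-supplied binds — I cannot see that from this diff, so please confirm it or keep a single-cert fallback for the override case. The old dedupe (`if haproxy_bind_internal_lb_vip_address not in vip_binds`) is also gone: `_haproxy_tls_vip_binds + extra_lb_vip_addresses` is a plain concatenation, so an address listed in both lists yields two frontends binding the same addr:port, the second one without TLS because of the new `vip_bind not in extra_lb_vip_addresses` clause. `{% set vip_binds = (_haproxy_tls_vip_binds + extra_lb_vip_addresses) | unique %}` would restore the previous behaviour. The `for vip_bind in vip_binds` loop opened in the first hunk continues past the end of this section.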