kolla-ansible/ansible/roles/haproxy/templates/haproxy_main.cfg.j2
James Kirsch b475643c11 Add support for encrypting backend Keystone HAProxy traffic
This patch introduces optional encryption of the backend (HAProxy-to-Keystone) traffic for the
Keystone service. When used in conjunction with enabling TLS for the service API
endpoints, network communication is encrypted end to end, from the
client through HAProxy to the Keystone service.

Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519
Partially-Implements: blueprint add-ssl-internal-network
2020-04-09 09:22:55 +00:00


#jinja2: lstrip_blocks: True
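global
    # Process hardening: confine the process to an empty directory and drop
    # root privileges to haproxy:haproxy once sockets are bound.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    log {{ syslog_server }}:{{ syslog_udp_port }} {{ syslog_haproxy_facility }}
    maxconn {{ haproxy_max_connections }}
    nbproc {{ haproxy_processes }}
{% if (haproxy_processes | int > 1) and (haproxy_process_cpu_map | bool) %}
    # Pin worker N (1-based in cpu-map) to CPU N-1 (0-based). The loop bound
    # is coerced with |int like the condition above, so a string-valued
    # haproxy_processes (e.g. passed with -e) does not break range().
{% for cpu_idx in range(0, haproxy_processes | int) %}
    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}
{% endfor %}
{% endif %}
    # Runtime API socket, readable/writable by root and the kolla group only.
    # No 'level' is given, so HAProxy's default access level applies
    # (presumably operator, i.e. no config-changing commands) -- confirm.
    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
{% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
    # TLS policy for client-facing (bind) listeners: no SSLv3/TLS 1.0/1.1.
    # NOTE(review): 'DEFAULT:!MEDIUM:!3DES' still permits non-forward-secret
    # (RSA key exchange) and CBC suites; an ECDHE-only list would be stricter.
    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    # Apply the same protocol/cipher floor to backend (server ... ssl)
    # connections, such as the encrypted Keystone backend, so the
    # HAProxy-to-service hop cannot negotiate a weaker TLS version than the
    # client-to-HAProxy hop. Harmless for backends that do not use 'ssl'.
    ssl-default-server-ciphers DEFAULT:!MEDIUM:!3DES
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    # DH parameter size used when the certificate file carries no DH params.
    tune.ssl.default-dh-param 4096
    # Base directory for relative 'ca-file' paths used to verify backend
    # certificates. Both TLS switches enable it, so it shares this guard.
    ca-base {{ haproxy_backend_cacert_dir }}
{% endif %}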
defaults
    # Send proxy logs to the target configured in the global section.
    log global
    # Capacity and backend-selection defaults inherited by every proxy.
    maxconn {{ haproxy_defaults_max_connections }}
    balance {{ haproxy_defaults_balance }}
    # Timeouts. 'http-request' bounds how long a client may take to send a
    # complete request header, which limits slow-header style clients; the
    # others bound queueing, backend connect, and idle client/server/health-
    # check time respectively.
    timeout http-request {{ haproxy_http_request_timeout }}
    timeout queue {{ haproxy_queue_timeout }}
    timeout connect {{ haproxy_connect_timeout }}
    timeout client {{ haproxy_client_timeout }}
    timeout server {{ haproxy_server_timeout }}
    timeout check {{ haproxy_check_timeout }}
    # Retry a failed backend connection up to 3 times, and allow the retry
    # to go to a different server than the one first selected.
    retries 3
    option redispatch
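listen stats
    # Bound on this node's API interface only (not the VIP), so the page is
    # reachable per node from the internal API network.
    bind {{ api_interface_address }}:{{ haproxy_stats_port }}
    mode http
    stats enable
    stats uri /
    stats refresh 15s
    # Do not disclose the HAProxy version on the page.
    stats hide-version
    stats realm Haproxy\ Stats
    # Read-only page: 'stats admin' is deliberately not enabled.
    # NOTE(review): this bind has no 'ssl' keyword, so these HTTP Basic
    # credentials cross the API network in clear text even when
    # kolla_enable_tls_internal is set; acceptable only if that network is
    # trusted -- confirm, or terminate TLS on this listener too.
    stats auth {{ haproxy_user }}:{{ haproxy_password }}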
frontend status
    mode http
    # Unauthenticated liveness endpoint: HAProxy itself answers 200 on "/".
    # No backend is declared in this frontend, so nothing is proxied.
    # Presumably polled by the VIP failover (keepalived) health check --
    # verify against the caller.
    monitor-uri /
    # Listen on the node's API interface, and additionally on the internal
    # VIP when it is a distinct address.
    bind {{ api_interface_address }}:{{ haproxy_monitor_port }}
{% if api_interface_address != kolla_internal_vip_address %}
    bind {{ kolla_internal_vip_address }}:{{ haproxy_monitor_port }}
{% endif %}