haproxy ssl

78b62415 · Temur Maisuradze · 109399d7 · 78b62415 · 78b62415 · 78b62415
Commit 78b62415 authored 4 years ago by Temur Maisuradze
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -18,6 +18,7 @@ haproxy_name: "dsoclab-haproxy"
 haproxy_version: "2.2"
 haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
 HAPROXY_PROCESSES: "2"
+HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh"
 temp_root: "/tmp/centosbuild"

--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -43,6 +43,7 @@
    - "{{ groups['odfeescontainers'] }}"
    - "{{ groups['odfekibanacontainers'] }}"
    - "{{ groups['keycloakcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
  environment:
    EASYRSA_BATCH: 1
    EASYRSA_PKI: roles/ca/files/CA
@@ -59,6 +60,7 @@
    - "{{ groups['odfeescontainers'] }}"
    - "{{ groups['odfekibanacontainers'] }}"
    - "{{ groups['keycloakcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
  environment:
    EASYRSA_BATCH: 1
    EASYRSA_PKI: roles/ca/files/CA
@@ -130,6 +132,20 @@
  with_items:
    - "{{ groups['odfekibanacontainers'] }}"
+- name: Copy haproxy host cert to haproxy role
+  copy:
+    src: roles/ca/files/CA/issued/{{item}}.crt
+    dest: roles/haproxy/files/{{item}}.crt
+  with_items:
+    - "{{ groups['haproxy'] }}"
+- name: Copy haproxy host key to haproxy role
+  copy:
+    src: roles/ca/files/CA/private/{{item}}.key
+    dest: roles/haproxy/files/{{item}}.key
+  with_items:
+    - "{{ groups['haproxy'] }}"
 - name: Copy keycloak host certs to keycloak role
  copy:
    src: roles/ca/files/CA/issued/{{item}}.crt

--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -8,6 +8,55 @@
  tags:
    - start
+- name: Create required directories
+  file:
+   path: "{{ item }}"
+   state: directory
+   mode: 0755
+   owner: root
+   group: root
+  with_items:
+  - /opt/haproxy
+  - /etc/ssl/haproxy
+  tags:
+    - start
+- name: Generate dhparam file for haproxy
+  shell: "openssl dhparam -out /usr/local/etc/haproxy/dhparam.pem 2048"
+  tags:
+    - start
+- name: Copy haproxy certificates
+  copy:
+    src:  "{{ item }}"
+    dest: "/opt/haproxy/{{ item }}"
+    mode: 0600
+  with_items:
+    - "{{ inventory_hostname }}.crt"
+    - "{{ inventory_hostname }}.key"
+  tags:
+    - start
+- name: Combine crt and key for haproxy
+  assemble:
+    src: /opt/haproxy
+    dest: /etc/ssl/haproxy/{{ inventory_hostname }}.crt
+    owner: root
+    mode: 0600
+  tags:
+    - start
+- name: Delete temporary files and directory
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /opt/haproxy/{{ inventory_hostname }}.crt
+    - /opt/haproxy/{{ inventory_hostname }}.key
+    - /opt/haproxy
+  tags:
+    - start
 - name: Start haproxy
  shell: "daemonize -c / -p /haproxy.pid /usr/local/sbin/haproxy -f /usr/local/etc/haproxy/haproxy.cfg"
  tags:

--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -2,6 +2,11 @@ global
  #quiet
  log stdout format raw local0
  nbproc {{ HAPROXY_PROCESSES }}
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem
 defaults
  mode http
@@ -17,22 +22,22 @@ listen stats
        stats hide-version
        stats uri     /
        stats realm   HAProxy Statistics
-        stats auth    haproxy:eiph2Eepaizicheelah3tei+bae3ohgh
+        stats auth    haproxy:{{ HAPROXY_STATS_PASS }}
 listen nifiserv
-	bind *:9443
+	bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
-	mode tcp
+	mode http
 	maxconn 5000
 	fullconn 5000
 	balance source
 	option tcpka
 {% for nifihost in groups['nificontainers'] %}
-	server {{nifihost}} {{nifihost}}:9443 check
+	server {{nifihost}} {{nifihost}}:9443 ssl check verify none
 {% endfor %}
 listen odfeserv
        bind *:9200
-        mode tcp
+        mode http
        maxconn 5000
        fullconn 5000
        balance source
@@ -42,7 +47,7 @@ listen odfeserv
 {% endfor %}
 listen keycloakserv
-        bind *:10443
+        bind *:10443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
        mode http
        maxconn 5000
        fullconn 5000