harden haproxy TLS configuration
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by:Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
Showing
- ansible/group_vars/all.yml 22 additions, 0 deletionsansible/group_vars/all.yml
- ansible/roles/glance/templates/glance-tls-proxy.cfg.j2 4 additions, 2 deletionsansible/roles/glance/templates/glance-tls-proxy.cfg.j2
- ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2 1 addition, 2 deletions.../roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2
- ansible/roles/neutron/templates/neutron-tls-proxy.cfg.j2 4 additions, 2 deletionsansible/roles/neutron/templates/neutron-tls-proxy.cfg.j2
- doc/source/admin/tls.rst 26 additions, 0 deletionsdoc/source/admin/tls.rst
- doc/source/reference/high-availability/haproxy-guide.rst 5 additions, 0 deletionsdoc/source/reference/high-availability/haproxy-guide.rst
- releasenotes/notes/harden_haproxy_tls_config-6a70503d8a124b2a.yaml 28 additions, 0 deletions...tes/notes/harden_haproxy_tls_config-6a70503d8a124b2a.yaml
Loading
Please register or sign in to comment