Commits · 5543cb72d2c2709bab531f6f07ef3dc7827de937 · Very Demiurge Very Mindful / Kolla Ansible

Aug 30, 2024

harden haproxy TLS configuration · b13fa5a9

Sven Kieske authored 11 months ago

harden the TLS default config according to the mozilla
"modern" recommendation:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7



if you want to revert to the old settings, set:

kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate"
for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings
in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference
it from the haproxy-guide.

Closes-Bug: #2060787

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

b13fa5a9

Apr 22, 2024

CI: Add codespell to pep8 · 44820945

Michal Nasiadka authored 11 months ago

Fix existing spelling errors

Change-Id: Ie689cf5a344aaa630a4860448b09242333a8e119

44820945

Sep 25, 2023

[haproxy] Adds http/2 support to HAProxy · f64c86de

Dincer Celik authored 5 years ago

This change introduces haproxy_enable_http2 to let operators enable
http/2 on HAProxy frontends when kolla_enable_tls_external is enabled.

Change-Id: I2e00d3e9193a3052d43a228915ea249794490afe
Closes-Bug: #1850924

f64c86de

Jun 28, 2023

haproxy: support single external frontend · 4bc410c6

Michal Nasiadka authored 3 years ago

Use case: exposing single external https frontend and
load balancing services using FQDNs.

Support different ports for internal and external endpoints.

Introduced kolla_url filter to normalize urls like:
- https://magnum.external:443/v1
- http://magnum.external:80/v1



Change-Id: I9fb03fe1cebce5c7198d523e015280c69f139cd0
Co-Authored-By: Jakub Darmach <jakub@stackhpc.com>

4bc410c6

Sep 26, 2021

Add way to change weight of haproxy backend per service · 7c2b4bea

Michal Arbet authored 4 years ago

This patch adding option to control weight of haproxy
backends per service via host variable.

Example:

[control]
server1 haproxy_nova_api_weight=10
server2 haproxy_nova_api_weight=2 haproxy_keystone_internal_weight=10
server3 haproxy_keystone_admin_weight=50

If weight is not defined, everything is working as before.

Change-Id: Ie8cc228198651c57f8ffe3eb060875e45d1f0700

7c2b4bea

Sep 16, 2021

Remove haproxy,keepalived groups · f0241f80

Michal Arbet authored 3 years ago

Haproxy was renamed in [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/770618

Change-Id: Ib2d7f0774fede570a8c4c315d83afd420c31da0b

f0241f80

Jun 23, 2021

Allow user to set sysctl_net_ipv4_tcp_retries2 · 09d0409e

Michal Arbet authored 4 years ago

This patch is adding configuration option to
manipulate with kernel option sysctl_net_ipv4_tcp_retries2.

More informations about kernel option in [1][2]
and RedHat suggestion [3] to set for DBs and HA.

[1]: https://pracucci.com/linux-tcp-rto-min-max-and-tcp-retries2.html
[2]: https://blog.cloudflare.com/when-tcp-sockets-refuse-to-die/
[3]: https://access.redhat.com/solutions/726753

Closes-Bug: #1917068
Change-Id: Ia0decbbfa4e33b1889b635f8bb1c9094567a2ce6

09d0409e