Add SSL support
diff --git a/README.rst b/README.rst
index d25f804..61c26f1 100644
--- a/README.rst
+++ b/README.rst
@@ -232,6 +232,11 @@
binds:
- address: ${_param:cluster_vip_address}
port: 8082
+ ssl:
+ enabled: true
+ # This PEM file needs to contain key, cert, CA and possibly
+ # intermediate certificates
+ pem_file: /etc/haproxy/ssl/server.pem
servers:
- name: ${_param:cluster_node01_name}
host: ${_param:cluster_node01_address}
diff --git a/haproxy/files/haproxy.cfg b/haproxy/files/haproxy.cfg
index 9bfdea2..c058232 100644
--- a/haproxy/files/haproxy.cfg
+++ b/haproxy/files/haproxy.cfg
@@ -14,6 +14,14 @@
tune.maxrewrite 1024
tune.bufsize 32768
maxconn 16000
+ # SSL options
+ ca-base /etc/haproxy/ssl
+ crt-base /etc/haproxy/ssl
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
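Review bot: The two cipher lists added at `ssl-default-bind-ciphers` and `ssl-default-server-ciphers` still admit 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and a tail of non-forward-secret `AES*-SHA*` suites, while `ssl-default-bind-options no-sslv3 no-tls-tickets` leaves TLS 1.0 and 1.1 enabled. Unless there is a known legacy client, I would drop the four 3DES entries from both lists and, if the targeted HAProxy version supports the options, tighten the bind line to `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets`. The bind and server lists are byte-identical, so they would also be better rendered from one pillar-driven value (for example a constructed key like `proxy.ssl_ciphers` with this list as the default) instead of two hard-coded copies that will drift when one is edited. The `global` section these lines belong to starts before the hunk.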
@@ -56,7 +64,7 @@
listen {{ listen_name }}
{%- for bind in listen.binds %}
- bind {{ bind.address }}:{{ bind.port }}
+ bind {{ bind.address }}:{{ bind.port }} {% if bind.get('ssl', {}).enabled|default(False) %}ssl crt {{ bind.ssl.pem_file }}{% endif %}
{%- endfor %}
{%- if listen.get('type', None) == 'http' %}
mode http
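Review bot: The new bind line checks the flag as `bind.get('ssl', {}).enabled|default(False)`, mixing attribute access on a dict literal with a `default` filter, while the rest of the template (for example `listen.get('type', None)` two lines below) uses `.get()`; `{% if bind.get('ssl', {}).get('enabled', False) %}` says the same thing without relying on Jinja's attribute-to-item fallback. Note also that when `enabled` is true but `pem_file` is absent the rendered line ends in `ssl crt ` with no path; depending on the renderer's undefined handling this surfaces either as a render error or as an HAProxy config-check failure, and a one-line README remark that `pem_file` is mandatory whenever `enabled` is true would save the operator the guesswork. The `listen` block and the `binds` loop both continue outside the hunk.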
diff --git a/haproxy/proxy.sls b/haproxy/proxy.sls
index 2fd6d72..427a266 100644
--- a/haproxy/proxy.sls
+++ b/haproxy/proxy.sls
@@ -18,6 +18,15 @@
- require:
- pkg: haproxy_packages
+haproxy_ssl:
+ file.directory:
+ - name: /etc/haproxy/ssl
+ - user: root
+ - group: haproxy
+ - mode: 750
+ - require:
+ - pkg: haproxy_packages
+
net.ipv4.ip_nonlocal_bind:
sysctl.present:
- value: 1
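Review bot: The `haproxy_ssl` state writes the directory mode as the bare scalar `750`; Salt's YAML loader reads that as the integer 750 and a future edit to `0750` would be parsed as octal (488), so it should be quoted as `- mode: "0750"` per the Salt convention. More importantly, the state only creates `/etc/haproxy/ssl` and does not manage `server.pem` itself, although the README in this commit documents that the file carries the private key; a `file.managed` state with a restrictive mode (root-owned, `"0600"` or at most `"0640"` with `group: haproxy`) and a pillar-driven source would keep the key material under the same ownership and permission control as the rest of the config. The service `watch` list in the next hunk tracks only `/etc/haproxy/haproxy.cfg` and `/etc/default/haproxy`, so a rotated certificate in `/etc/haproxy/ssl` will not trigger a reload until that list includes the PEM file too.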
@@ -30,4 +39,4 @@
- file: /etc/haproxy/haproxy.cfg
- file: /etc/default/haproxy
-{%- endif %}
\ No newline at end of file
+{%- endif %}