haproxy: preconfigure SSL with defaults

Jérémy Lecour 2020-06-14 12:36:58 +02:00 committed by Jérémy Lecour
parent 7f54b8ab60
commit f47af9f54f
3 changed files with 62 additions and 25 deletions


@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
* certbot: detect HAProxy cert directory
* haproxy: enable stats frontend with access lists
* haproxy: preconfigure SSL with defaults
* lxc-php: Install php-sqlite by default
* lxc-php: Don't disable putenv() by default in PHP settings
* mysql: activate binary logs by specifying log_bin path


@ -7,30 +7,35 @@
- haproxy
- packages
- include: packages_backports.yml
when: haproxy_backports
- name: Install HAProxy package
apt:
name: haproxy
state: present
- name: HAProxy SSL directory is present
file:
path: /etc/haproxy/ssl
owner: root
group: root
mode: "0700"
state: directory
tags:
- haproxy
- packages
- config
- name: Copy HAProxy configuration
template:
src: "{{ item }}"
dest: /etc/haproxy/haproxy.cfg
force: "{{ haproxy_force_config }}"
validate: "haproxy -c -f %s"
with_first_found:
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
- "templates/haproxy/haproxy.default.cfg.j2"
- "haproxy.default.cfg.j2"
- name: Self-signed certificate is present in HAProxy ssl directory
shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
args:
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
notify: reload haproxy
tags:
- haproxy
- config
- name: 2048 bits DHparam file is present
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/haproxy/dhparam2048.txt
mode: '0600'
owner: root
group: root
force: no
notify: reload haproxy
when: haproxy_update_config
tags:
- haproxy
- config
@ -71,4 +76,32 @@
{% endfor %}
notify: reload haproxy
- include: packages_backports.yml
when: haproxy_backports
- name: Install HAProxy package
apt:
name: haproxy
state: present
tags:
- haproxy
- packages
- name: Copy HAProxy configuration
template:
src: "{{ item }}"
dest: /etc/haproxy/haproxy.cfg
force: "{{ haproxy_force_config }}"
validate: "haproxy -c -f %s"
with_first_found:
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
- "templates/haproxy/haproxy.default.cfg.j2"
- "haproxy.default.cfg.j2"
notify: reload haproxy
when: haproxy_update_config
tags:
- haproxy
- config
- include: munin.yml
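Review bot: The task `Self-signed certificate is present in HAProxy ssl directory` writes the snakeoil private key into a new file through a shell redirect without pinning its mode, so the permissions of `/etc/haproxy/ssl/ssl-cert-snakeoil.pem` are whatever the shell's umask yields, unlike the directory (`0700`) and the DH file (`0600`) which are set explicitly; prefix the command with `umask 077 && ` or follow it with a `file` task setting `mode: "0600"`. The same task assumes `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` already exist, so the play should ensure the package providing them (`ssl-cert` on Debian) is installed beforehand or skip the task when a `stat` shows them missing. The `2048 bits DHparam file is present` task fetches `https://ssl-config.mozilla.org/ffdhe2048.txt` with no `checksum:`, so the content is trusted on first download by TLS alone; since ffdhe2048 is a fixed RFC 7919 group, pin it with `checksum: "sha256:<HASH-PLACEHOLDER>"`. Minor: `force: no` should be `force: false` to avoid the YAML 1.1 truthy ambiguity.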


@ -14,11 +14,14 @@ global
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
# intermediate configuration https://ssl-config.mozilla.org/
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-dh-param-file /etc/haproxy/dhparam2048.txt
defaults
log global
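Review bot: The added `ssl-dh-param-file /etc/haproxy/dhparam2048.txt` line ties this template to the file the role downloads, and the role now places its certificate under `/etc/haproxy/ssl`, yet the unchanged `crt-base /etc/ssl/private` a few lines above still points elsewhere, so any relative `crt` path on a bind line (outside this hunk) will not resolve to the role-managed directory; consider `crt-base /etc/haproxy/ssl` or absolute paths. The `# intermediate configuration https://ssl-config.mozilla.org/` comment records neither when the profile was generated nor which HAProxy/OpenSSL versions it targets, which is what a maintainer needs to judge staleness; suggest `# Mozilla intermediate profile (https://ssl-config.mozilla.org/), generated <DATE> for HAProxy <VERSION> / OpenSSL <VERSION>; regenerate when upgrading`. The `ssl-default-bind-ciphers` and `ssl-default-server-ciphers` strings are identical copies, so a single Jinja variable set once in the template would keep them from drifting apart.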