Defined Type: haproxy::tls_terminator

Defined in:
modules/haproxy/manifests/tls_terminator.pp

Summary

Configure HAProxy to be a TLS proxy to local services listening on UNIX sockets

Overview

Parameters:

  • port (Stdlib::Port)

    TCP port to listen on with HTTPS support

  • backend_socket

    Absolute path to the UNIX socket acting as backend service

  • certificates (Array[Haproxy::Tlscertificate])

    List of TLS certificates used to listen on $port

  • crt_list_path (Stdlib::Unixpath) (defaults to: '/etc/haproxy/crt-list.cfg')

    Path used for the crt-list file. Defaults to /etc/haproxy/crt-list.cfg

  • tls_dh_param_path (Stdlib::Unixpath) (defaults to: '/etc/ssl/dhparam.pem')

    Path used for the DH param file. Defaults to /etc/ssl/dhparam.pem

  • tls_cachesize (Integer[0]) (defaults to: 20000)

    Sets the size of the global SSL session cache, in a number of blocks. A block is large enough to contain an encoded session without peer certificate. Defaults to 20000

  • tls_session_lifetime (Integer[0]) (defaults to: 300)

    Sets how long a cached SSL session may remain valid. Defaults to 300 seconds

  • http_reuse (Haproxy::Httpreuse) (defaults to: 'safe')

    HTTP connection reuse policy. Defaults to safe

  • numa_iface (String) (defaults to: 'lo')

    Network interface used to bind HAProxy to a NUMA node. Defaults to lo

  • haproxy_version (Haproxy::Version) (defaults to: 'haproxy24')

    HAProxy version being used. Defaults to haproxy24

  • tls_ciphers (String)

    Allowed ciphersuites for <= TLSv1.2

  • tls13_ciphers (String)

    Allowed ciphersuites for TLSv1.3

  • timeout (Haproxy::Timeout)

    timeout configuration. See Haproxy::Timeout for more details

  • h2settings (Haproxy::H2settings)

    H2 performance tuning settings. See Haproxy::H2settings for more details

  • min_tls_version (Haproxy::Tlsversion) (defaults to: 'TLSv1.2')

    minimum supported TLS version. Defaults to TLSv1.2

  • max_tls_version (Haproxy::Tlsversion) (defaults to: 'TLSv1.3')

    maximum supported TLS version. Defaults to TLSv1.3

  • ecdhe_curves (Haproxy::Ecdhecurves) (defaults to: ['X25519', 'P-256'])

    List of supported ECDHE curves. Defaults to X25519, P-256

  • alpn (Haproxy::Alpn) (defaults to: ['h2', 'http/1.1'])

    List of Application layer protocols (ALPN) supported. Defaults to h2, http/1.1

  • lua_scripts (Optional[Array[Stdlib::Unixpath]]) (defaults to: undef)

    List of lua scripts to be loaded

  • vars (Optional[Hash[String ,Array[Haproxy::Var]]]) (defaults to: undef)

    Hash of list of variables to set based on HTTP request|response data, keyed by frontend

  • acls (Optional[Hash[String, Array[Haproxy::Acl]]]) (defaults to: undef)

    Hash of list of ACLs. They can be used to conditionally remove HTTP headers, keyed by frontend

  • add_headers (Optional[Hash[String, Array[Haproxy::Header]]]) (defaults to: undef)

    Hash of list of headers to add on HTTP requests or responses, keyed by frontend

  • del_headers (Optional[Hash[String, Array[Haproxy::Header]]]) (defaults to: undef)

    Hash of list of headers to remove on HTTP requests or responses, keyed by frontend

  • pre_acl_actions (Optional[Hash[String, Array[Haproxy::Action]]]) (defaults to: undef)

    Hash of list of actions to take before ACLs are defined, keyed by frontend

  • post_acl_actions (Optional[Hash[String, Array[Haproxy::Action]]]) (defaults to: undef)

    Hash of list of actions to take after ACLs are defined, keyed by frontend

  • prometheus_port (Optional[Stdlib::Port]) (defaults to: undef)

    Port to expose stats and prometheus metrics. Requires HAProxy >= 2.0

  • sticktables (Optional[Array[Haproxy::Sticktable]]) (defaults to: undef)

    List of pseudo-backends to create for tracking stats with stick-tables.

  • http_redirection_port (Optional[Stdlib::Port]) (defaults to: undef)

    Port used to perform http->https redirection for GET/HEAD requests

  • http_disable_keepalive (Boolean) (defaults to: false)

    Bool to add Connection: Close response header on port 80 frontend

  • filters (Optional[Array[Haproxy::Filter]]) (defaults to: undef)

    List of filters to be defined before actions

  • dedicated_hc_backend (Boolean) (defaults to: false)

    Use a dedicated backend for LVS healthchecks

  • hc_sources (Optional[Array[Stdlib::IP::Address]]) (defaults to: undef)

    List of IP addresses allowed to send healthcheck requests

  • extended_logging (Boolean) (defaults to: false)

    Bool to enable configuration that allows richer logging. Default: false

  • backend (Haproxy::Backend)
  • tls_ticket_keys_path (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • proxy_protocol (Optional[Haproxy::Proxyprotocol]) (defaults to: undef)
  • redirection_timeout (Optional[Haproxy::Timeout]) (defaults to: $undef)


# File 'modules/haproxy/manifests/tls_terminator.pp', line 77

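define haproxy::tls_terminator(
    Stdlib::Port $port,
    Haproxy::Backend $backend,
    Array[Haproxy::Tlscertificate] $certificates,
    String $tls_ciphers,
    String $tls13_ciphers,
    Haproxy::Timeout $timeout,
    Haproxy::H2settings $h2settings,
    Haproxy::Tlsversion $min_tls_version = 'TLSv1.2',
    Haproxy::Tlsversion $max_tls_version = 'TLSv1.3',
    Haproxy::Ecdhecurves $ecdhe_curves = ['X25519', 'P-256'],
    Haproxy::Alpn $alpn = ['h2', 'http/1.1'],
    Stdlib::Unixpath $crt_list_path = '/etc/haproxy/crt-list.cfg',
    Stdlib::Unixpath $tls_dh_param_path = '/etc/ssl/dhparam.pem',
    Integer[0] $tls_cachesize = 20000,
    Integer[0] $tls_session_lifetime = 300,
    Haproxy::Httpreuse $http_reuse = 'safe',
    String $numa_iface = 'lo',
    Haproxy::Version $haproxy_version = 'haproxy24',
    Boolean $http_disable_keepalive = false,
    # NOTE(review): this define does not manage the ticket key file itself;
    # whoever does should keep it as tightly permissioned as the private keys,
    # since it allows resumption of any session issued under it.
    Optional[Stdlib::Unixpath] $tls_ticket_keys_path = undef,
    Optional[Haproxy::Proxyprotocol] $proxy_protocol = undef,
    Optional[Array[Stdlib::Unixpath]] $lua_scripts = undef,
    Optional[Hash[String ,Array[Haproxy::Var]]] $vars = undef,
    Optional[Hash[String, Array[Haproxy::Acl]]] $acls = undef,
    Optional[Hash[String, Array[Haproxy::Header]]] $add_headers = undef,
    Optional[Hash[String, Array[Haproxy::Header]]] $del_headers = undef,
    Optional[Hash[String, Array[Haproxy::Action]]] $pre_acl_actions = undef,
    Optional[Hash[String, Array[Haproxy::Action]]] $post_acl_actions = undef,
    Optional[Stdlib::Port] $prometheus_port = undef,
    Optional[Array[Haproxy::Sticktable]] $sticktables = undef,
    Optional[Stdlib::Port] $http_redirection_port = undef,
    # Literal undef — not the variable `$undef`, which would be a lookup of
    # an unset variable and an error under strict_variables.
    Optional[Haproxy::Timeout] $redirection_timeout = undef,
    Optional[Array[Haproxy::Filter]] $filters = undef,
    Boolean $dedicated_hc_backend = false,
    Optional[Array[Stdlib::IP::Address]] $hc_sources = undef,
    Boolean $extended_logging = false,
) {
    # Everything below hooks into resources owned by the haproxy class
    # (Service['haproxy'], haproxy::site), so fail early and clearly instead
    # of compiling a catalog with dangling references.
    if !defined(Class['haproxy']) {
        fail('haproxy::tls_terminator should only be used once the haproxy class is declared.')
    }

    # crt-list consumed by the TLS bind line of the rendered site config.
    # NOTE(review): the file is world-readable; the template is not shown
    # here — confirm it only references certificate paths and never inlines
    # key material.
    file { $crt_list_path:
        mode    => '0444',
        content => template('haproxy/crt-list.cfg.erb'),
        notify  => Service['haproxy'],
    }

    # Error body for plaintext requests the redirection frontend refuses
    # rather than redirects (which ones is decided by the site template).
    # Only needed when an http->https redirection port is configured.
    $plaintext_error_ensure = bool2str($http_redirection_port != undef, 'present', 'absent')
    mediawiki::errorpage { "/etc/haproxy/tls-terminator-${title}-plaintext-error.html":
        ensure  => $plaintext_error_ensure,
        content => '<p>Insecure request forbidden, use HTTPS instead. For details see <a href="https://lists.wikimedia.org/hyperkitty/list/mediawiki-api-announce@lists.wikimedia.org/message/VKQJRS36NXLIMHOWBOXJPUH35KETQCG5/">https://lists.wikimedia.org/hyperkitty/list/mediawiki-api-announce@lists.wikimedia.org/message/VKQJRS36NXLIMHOWBOXJPUH35KETQCG5/</a>.</p>',
        before  => HAProxy::Site[$title],
    }

    # Allow-list of PyBal IPs permitted to hit the dedicated healthcheck
    # backend; only present when that backend is enabled.
    # NOTE(review): nothing here requires $hc_sources to be set when
    # $dedicated_hc_backend is true — confirm the template copes with an
    # undef list rather than producing an empty allow-list silently.
    $hc_sources_file_path = '/etc/haproxy/allowed-hc-sources.lst'
    file { $hc_sources_file_path:
        ensure  => bool2str($dedicated_hc_backend, 'present', 'absent'),
        mode    => '0444',
        owner   => 'root',
        group   => 'root',
        content => template('haproxy/allowed-hc-sources.lst.erb'),
        notify  => Service['haproxy'],
    }

    # The frontend/backend configuration proper; all parameters above are
    # visible to the template.
    haproxy::site { $title:
        content => template('haproxy/tls_terminator.cfg.erb'),
    }
}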