diff --git a/defaults/main.yml b/defaults/main.yml index 78eea78..9ddfcd8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -88,8 +88,12 @@ haproxy_ssl: true haproxy_ssl_all_vips: false haproxy_ssl_dh_param: 2048 haproxy_ssl_cert_path: /etc/haproxy/ssl -haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" -haproxy_ssl_bind_options: "force-tlsv12" +haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers" +haproxy_ssl_server_options: "ssl-min-ver TLSv1.2" +# TLS v1.2 and below +haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}" +# TLS v1.3 +haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}" # haproxy self signed certificate diff --git a/releasenotes/notes/tls_variables-91160d4e38085de4.yaml b/releasenotes/notes/tls_variables-91160d4e38085de4.yaml new file mode 100644 index 0000000..7894a95 --- /dev/null +++ b/releasenotes/notes/tls_variables-91160d4e38085de4.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + The HAProxy role now supports TLS v1.3 by default, alongside TLS v1.2. +deprecations: + - | + The variable 'haproxy_ssl_cipher_suite' is deprecated in favour of + 'haproxy_ssl_cipher_suite_tls12' which will continue to manage + configuration of ciphers for TLS v1.2 and earlier. diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 index b57619e..ece82ea 100644 --- a/templates/haproxy.cfg.j2 +++ b/templates/haproxy.cfg.j2 
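Review bot: `prefer-client-ciphers` in the new `haproxy_ssl_bind_options` default hands cipher ordering to the client, which is only safe when every suite in the offered list is one you would accept; the `haproxy_ssl_cipher_suite_tls12` default carried over in this hunk still contains non-forward-secret RSA key-exchange and CBC suites (`RSA+AESGCM:RSA+AES`, and CBC members of `ECDH+AES256`/`DH+AES`), so a client that prefers one of those now gets it where server ordering previously put the ECDHE/AEAD suites first. Either keep server preference, `haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2"`, or prune the TLS 1.2 list to forward-secret AEAD suites before enabling client preference. `ssl-min-ver TLSv1.2` only sets the floor, so TLS 1.3 is actually offered only on HAProxy/OpenSSL builds that support it, which this diff cannot confirm. The `# TLS v1.2 and below` comment is also misleading next to a TLSv1.2 minimum; `# TLS v1.2 (OpenSSL "ciphers" list; TLS 1.3 uses the ciphersuites list below)` would state the real split.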
@@ -23,7 +23,16 @@ global {% endif %} {% if haproxy_ssl | bool %} ssl-default-bind-options {{ haproxy_ssl_bind_options }} - tune.ssl.default-dh-param {{haproxy_ssl_dh_param}} + ssl-default-server-options {{ haproxy_ssl_server_options }} + {% if haproxy_ssl_cipher_suite_tls13 != "" -%} + ssl-default-bind-ciphersuites {{ haproxy_ssl_cipher_suite_tls13 }} + ssl-default-server-ciphersuites {{ haproxy_ssl_cipher_suite_tls13 }} + {% endif -%} + {% if haproxy_ssl_cipher_suite_tls12 != "" -%} + ssl-default-bind-ciphers {{ haproxy_ssl_cipher_suite_tls12 }} + ssl-default-server-ciphers {{ haproxy_ssl_cipher_suite_tls12 }} + {% endif -%} + tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }} {% endif %} defaults @@ -40,7 +49,7 @@ defaults {% if haproxy_stats_enabled | bool %} listen stats - bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %} + bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem{% endif %} {% if haproxy_stats_process is defined %} bind-process {{ haproxy_stats_process }} diff --git a/templates/service.j2 b/templates/service.j2 index b1c3cd5..dabbd74 100644 --- a/templates/service.j2 +++ b/templates/service.j2 
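Review bot: The `ssl-default-bind-ciphersuites`/`ssl-default-server-ciphersuites` directives are emitted whenever `haproxy_ssl_cipher_suite_tls13` is non-empty, with no check that the target HAProxy/OpenSSL build understands them; as far as I can tell a build without TLS 1.3 support rejects the configuration at parse time rather than ignoring the keyword, so the role's new default turns into a hard version requirement. A template comment such as `{# ciphersuites directives need a TLS 1.3-capable HAProxy/OpenSSL; set haproxy_ssl_cipher_suite_tls13: "" to omit them #}` would make the `!= ""` escape hatch discoverable, and should add that an empty value leaves OpenSSL's built-in TLS 1.3 list in force rather than disabling TLS 1.3. The new `ssl-default-server-options ssl-min-ver TLSv1.2` line sets a version floor for backend connections but says nothing about certificate verification (`verify`/`ca-file`), which presumably stays on the individual `server` lines outside this hunk and is worth a one-line note so nobody reads this as "backends are now verified".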
@@ -37,7 +37,7 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }} {% endif %} frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }} - bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %} + bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem {% endif %} {% if request_option == "http" %} option httplog
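Review bot: The rewritten `bind` line leaves a stray space between `.pem` and `{% endif %}` where `ciphers {{ haproxy_ssl_cipher_suite }}` was cut out, so every TLS frontend now renders with trailing whitespace, unlike the matching stats bind in haproxy.cfg.j2; `...-{{ vip_bind }}.pem{% endif %}` keeps the two templates consistent. The `frontend` stanza this line belongs to continues past the hunk. While touching it, the three-way condition deciding which VIPs get a TLS bind (`loop.index == 1`, membership in `extra_lb_tls_vip_addresses`, or `haproxy_ssl_all_vips` minus `extra_lb_vip_addresses`) has no comment; a `{# ... #}` line above it naming those three cases would save the next reader from decoding it.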