Proxy IPA through haproxy

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-08-04 21:23:07 +00:00 · 2016-08-04 21:23:07 +00:00 · 28ebec92ee
commit 28ebec92ee
parent 842abcc25e
3 changed files with 41 additions and 0 deletions
--- a/roles/haproxy/files/ipa.staging.pem
+++ b/roles/haproxy/files/ipa.staging.pem
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMR4wHAYDVQQKDBVTVEcu
+RkVET1JBUFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xNjA4MDQxNzI3NTlaFw0zNjA4MDQxNzI3NTlaMEAxHjAcBgNVBAoMFVNU
+Ry5GRURPUkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5HiQvnHPP+3AEJPR
+wlizXKhaxPhwVoO68r9VEcEDUOkRo78LQ0ZLEcwaAZBX64uTeStPd5azU6pEN0Gi
+124djqJZpBs3v9YNsvt+R4Au7SQhAdBu370VcKEKjj79UYc7e70E04ycv3jJP6hi
+7+RD+BeOwPHmMwEUXF2JrKytNOmRCfxoZ7LnQfH80a+YZA1MmpAEGIo8+pRuvGth
+cORUTtyEWsaBgpek6wnPjs7lDQG1LJyi0K2L/YQPYAisZCMBoM/ck5SAHSd4F6+P
+BcHMhQd2DhsxRhIb5Se4Zi8LUxAvkVdRlCsIk+6bdIM9SpzVd9+RtBnE3LOKu1TH
+bxCW2QIDAQABo4G0MIGxMB8GA1UdIwQYMBaAFFfHodJF0pk5OgP9sgMqtPOdOaqC
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBRXx6HS
+RdKZOToD/bIDKrTznTmqgjBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0
+dHA6Ly9pcGEwMS5zdGcucGh4Mi5mZWRvcmFwcm9qZWN0Lm9yZzo4MC9jYS9vY3Nw
+MA0GCSqGSIb3DQEBCwUAA4IBAQAnBIll/83TixgIu6JByImWWK7Ew++33heW+rDQ
+GQhol1Bp7Gk4wsLpGLATDI+ur25kREnzPfwXLcptO/5GvMEe8rwwvo1b6zkl5VEq
+vCA5dQimBTKTlTX2JFZze/KkiKa7WKZAopnSQVkPsSnAZXClTbjALXHwdQ0bDEUU
+old29skK0Xvf+WGmE3/SvQmEcueDeDJcV7Jckj45ZuqegklBG6y+fG5ELV0B4u9l
+p0ySWPVoaWSRR+izB8Kq9gCP0a5HsO3u5qJ+HRWr+Md7KboMGX29pQehakvtcnta
+jr+txnKWhel7c7bEwa6JVRFoOO7jcOHEMohPbKl3Ef/n0uCQ
+-----END CERTIFICATE-----
+
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@ -27,9 +27,20 @@
  with_items:
  - { file: limits.conf, dest: /etc/security/limits.conf }
  - { file: 503.http, dest: /etc/haproxy/503.http }
+  - { file: ipa.{{env}}.pem, dest: /etc/haproxy/ipa.pem }
  tags:
  - haproxy

+- name: install pem cert
+  copy: src={{ item.file }}
+        dest={{ item.dest }}
+        owner=root group=root mode=0600
+  with_items:
+  - { file: ipa.{{env}}.pem, dest: /etc/haproxy/ipa.pem }
+  tags:
+  - haproxy
+  when: env == "staging"
+
 - name: Install libsemanage-python so we can manage selinux with python...
  yum: name=libsemanage-python state=installed
  tags:
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@ -325,6 +325,13 @@ listen  fas3 0.0.0.0:10052
    option  httpchk GET /fas3/
 {% endif %}

+{% if env == "staging" %}
+listen  ipa 0.0.0.0:10053
+    balance hdr(appserver)
+    server  ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required crt /etc/haproxy/ipa.pem
+    option  httpchk GET /KdcProxy/
+{% endif %}
+
 # Apache doesn't handle the initial connection here like the other proxy
 # entries.  This proxy also doesn't use the http mode like the others.
 # stunnel should be sitting on port 9939 (public) and redirecting