From 28ebec92ee54a581dd2e21e94e96f87eb9b8e763 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 4 Aug 2016 21:23:07 +0000
Subject: [PATCH] Proxy IPA through haproxy

Signed-off-by: Patrick Uiterwijk
---
 roles/haproxy/files/ipa.staging.pem | 23 +++++++++++++++++++++++
 roles/haproxy/tasks/main.yml | 11 +++++++++++
 roles/haproxy/templates/haproxy.cfg | 7 +++++++
 3 files changed, 41 insertions(+)
 create mode 100644 roles/haproxy/files/ipa.staging.pem

diff --git a/roles/haproxy/files/ipa.staging.pem b/roles/haproxy/files/ipa.staging.pem
new file mode 100644
index 0000000000..b4f721fcfe
--- /dev/null
+++ b/roles/haproxy/files/ipa.staging.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMR4wHAYDVQQKDBVTVEcu
+RkVET1JBUFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xNjA4MDQxNzI3NTlaFw0zNjA4MDQxNzI3NTlaMEAxHjAcBgNVBAoMFVNU
+Ry5GRURPUkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y
+aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5HiQvnHPP+3AEJPR
+wlizXKhaxPhwVoO68r9VEcEDUOkRo78LQ0ZLEcwaAZBX64uTeStPd5azU6pEN0Gi
+124djqJZpBs3v9YNsvt+R4Au7SQhAdBu370VcKEKjj79UYc7e70E04ycv3jJP6hi
+7+RD+BeOwPHmMwEUXF2JrKytNOmRCfxoZ7LnQfH80a+YZA1MmpAEGIo8+pRuvGth
+cORUTtyEWsaBgpek6wnPjs7lDQG1LJyi0K2L/YQPYAisZCMBoM/ck5SAHSd4F6+P
+BcHMhQd2DhsxRhIb5Se4Zi8LUxAvkVdRlCsIk+6bdIM9SpzVd9+RtBnE3LOKu1TH
+bxCW2QIDAQABo4G0MIGxMB8GA1UdIwQYMBaAFFfHodJF0pk5OgP9sgMqtPOdOaqC
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBRXx6HS
+RdKZOToD/bIDKrTznTmqgjBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0
+dHA6Ly9pcGEwMS5zdGcucGh4Mi5mZWRvcmFwcm9qZWN0Lm9yZzo4MC9jYS9vY3Nw
+MA0GCSqGSIb3DQEBCwUAA4IBAQAnBIll/83TixgIu6JByImWWK7Ew++33heW+rDQ
+GQhol1Bp7Gk4wsLpGLATDI+ur25kREnzPfwXLcptO/5GvMEe8rwwvo1b6zkl5VEq
+vCA5dQimBTKTlTX2JFZze/KkiKa7WKZAopnSQVkPsSnAZXClTbjALXHwdQ0bDEUU
+old29skK0Xvf+WGmE3/SvQmEcueDeDJcV7Jckj45ZuqegklBG6y+fG5ELV0B4u9l
+p0ySWPVoaWSRR+izB8Kq9gCP0a5HsO3u5qJ+HRWr+Md7KboMGX29pQehakvtcnta
+jr+txnKWhel7c7bEwa6JVRFoOO7jcOHEMohPbKl3Ef/n0uCQ
+-----END CERTIFICATE-----
+
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index dd4259593b..105d7efd0c 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
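Review bot: The new trust anchor is committed with no record of where it was obtained or what its fingerprint is, so a later reader cannot tell whether `/etc/haproxy/ipa.pem` pins the genuine IPA CA or a stale one. State the source and fingerprint in the commit message or in a comment on the task that installs it, e.g. `# IPA CA for staging, fingerprint: <SHA256 fingerprint here>`. From the base64 the subject appears to be the STG.FEDORAPROJECT.ORG "Certificate Authority" with a validity running to 2036, but I have not independently verified that decoding. The trailing empty added line at the end of the file is harmless but unnecessary.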
@@ -27,9 +27,20 @@
 with_items:
 - { file: limits.conf, dest: /etc/security/limits.conf }
 - { file: 503.http, dest: /etc/haproxy/503.http }
+ - { file: ipa.{{env}}.pem, dest: /etc/haproxy/ipa.pem }
 tags:
 - haproxy
 
+- name: install pem cert
+ copy: src={{ item.file }}
+ dest={{ item.dest }}
+ owner=root group=root mode=0600
+ with_items:
+ - { file: ipa.{{env}}.pem, dest: /etc/haproxy/ipa.pem }
+ tags:
+ - haproxy
+ when: env == "staging"
+
 - name: Install libsemanage-python so we can manage selinux with python...
 yum: name=libsemanage-python state=installed
 tags:
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index aa19fbb5bf..a548717437 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -325,6 +325,13 @@ listen fas3 0.0.0.0:10052
 option httpchk GET /fas3/
 {% endif %}
 
+{% if env == "staging" %}
+listen ipa 0.0.0.0:10053
+ balance hdr(appserver)
+ server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required crt /etc/haproxy/ipa.pem
+ option httpchk GET /KdcProxy/
+{% endif %}
+
 # Apache doesn't handle the initial connection here like the other proxy
 # entries. This proxy also doesn't use the http mode like the others.
 # stunnel should be sitting on port 9939 (public) and redirecting
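Review bot: The first added line, `- { file: ipa.{{env}}.pem, dest: /etc/haproxy/ipa.pem }` appended to the earlier copy task's `with_items`, carries no `when: env == "staging"` guard, yet the diffstat shows only `roles/haproxy/files/ipa.staging.pem` being created; on any other env that task will look for a non-existent `ipa.<env>.pem` and fail. The new `install pem cert` task below already installs the same file under the staging guard, so the first added line looks like a leftover and should be dropped. The head of that earlier task is outside the hunk, so I cannot see whether it carries its own condition. A one-line comment on the new task, such as `# public IPA CA cert used by haproxy to verify the IPA backend (staging only)`, would also stop the next reader from assuming `mode=0600` means the file holds a private key.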
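Review bot: On the new `server ipa01 ipa01:443 ... ssl verify required crt /etc/haproxy/ipa.pem` line, `crt` names the client certificate (with private key) that HAProxy presents to the backend, not the trust store that `verify required` checks against; as far as I recall, HAProxy refuses to start when `verify required` is given on a server line without `ca-file`, and a `crt` file lacking a private key fails to load as well. If the intent is to verify the IPA backend against the IPA CA being shipped in this commit, the line should read `server ipa01 ipa01:443 check inter 10s rise 1 fall 2 ssl verify required ca-file /etc/haproxy/ipa.pem`. Adding `verifyhost` with the backend's expected certificate name would additionally bind the check to that host rather than to any certificate issued by the CA; the backend's full name is not visible here, so I have not guessed it.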