Add 8443 for totp to proxies

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

inventory/group_vars/proxies

@@ -29,6 +29,9 @@ tcp_ports: [
     # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
     8080,
 
+    # This is for TOTP
+    8443,
+
     # For fedmsg websocket server over stunnel
     9939,
     # For fedmsg raw zeromq socket (outbound)

inventory/group_vars/proxies-stg

@@ -29,6 +29,9 @@ tcp_ports: [
     # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
     8080,
 
+    # This is for TOTP
+    8443,
+
     # For fedmsg websocket server over stunnel
     9939,
     # For fedmsg raw zeromq socket (outbound)

roles/haproxy/templates/haproxy.cfg

@@ -383,6 +383,28 @@ backend ipa-backend
 {% endif %}
     option  httpchk GET /ipa/ui/
 
+# This is for TOTPCGI (legacy 2fa). It goes to the Openshift routers, which then passthrough TLS to the totpcgi pods
+frontend totp-frontend
+    mode tcp
+    bind 0.0.0.0:8443
+    default_backend totp-backend
+
+backend totp-backend
+    mode tcp
+    option tcplog
+    balance roundrobin
+    maxconn 16384
+    timeout queue 5000
+    timeout server 86400000
+    timeout connect 86400000
+    server  os-node01 os-node01:443 weight 1 maxconn 16384
+    server  os-node02 os-node02:443 weight 1 maxconn 16384
+    server  os-node03 os-node03:443 weight 1 maxconn 16384
+    server  os-node04 os-node04:443 weight 1 maxconn 16384
+{% if env == "production" %}
+    server  os-node05 os-node05:443 weight 1 maxconn 16384
+{% endif %}
+
 frontend krb5-frontend
     mode tcp
     bind 0.0.0.0:1088