From ad7a5dad3f0b3f731107d3f7f1011dc129135e9a Mon Sep 17 00:00:00 2001
From: Stanley Lam
Date: Thu, 21 Nov 2019 14:40:51 -0800
Subject: [PATCH] Add option for HAproxy to act a SSL frontend termination point for loadbalanced RGW instances.
Signed-off-by: Stanley Lam
---
 group_vars/rgwloadbalancers.yml.sample | 11 +++++++++++
 roles/ceph-rgw-loadbalancer/defaults/main.yml | 11 +++++++++++
 roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2 | 10 +++++++++-
 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/group_vars/rgwloadbalancers.yml.sample b/group_vars/rgwloadbalancers.yml.sample
index 05e9e573b..a026c939d 100644
--- a/group_vars/rgwloadbalancers.yml.sample
+++ b/group_vars/rgwloadbalancers.yml.sample
@@ -14,6 +14,17 @@ dummy:
 ###########
 #haproxy_frontend_port: 80
+#haproxy_frontend_ssl_port: 443
+#haproxy_frontend_ssl_certificate:
+#haproxy_ssl_dh_param: 4096
+#haproxy_ssl_ciphers:
+# - EECDH+AESGCM
+# - EDH+AESGCM
+#haproxy_ssl_options:
+# - no-sslv3
+# - no-tlsv10
+# - no-tlsv11
+# - no-tls-tickets
 #
 #virtual_ips:
 # - 192.168.238.250
diff --git a/roles/ceph-rgw-loadbalancer/defaults/main.yml b/roles/ceph-rgw-loadbalancer/defaults/main.yml
index 69370c2bc..3db54395c 100644
--- a/roles/ceph-rgw-loadbalancer/defaults/main.yml
+++ b/roles/ceph-rgw-loadbalancer/defaults/main.yml
@@ -6,6 +6,17 @@
 ###########
 haproxy_frontend_port: 80
+haproxy_frontend_ssl_port: 443
+haproxy_frontend_ssl_certificate:
+haproxy_ssl_dh_param: 4096
+haproxy_ssl_ciphers:
+ - EECDH+AESGCM
+ - EDH+AESGCM
+haproxy_ssl_options:
+ - no-sslv3
+ - no-tlsv10
+ - no-tlsv11
+ - no-tls-tickets
 #
 #virtual_ips:
 # - 192.168.238.250
diff --git a/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2 b/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
index 31fc3dd30..c7c08b726 100644
--- a/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
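Review bot: `haproxy_frontend_ssl_certificate` is introduced with no comment on what it must hold, and the same applies to the mirrored default in `roles/ceph-rgw-loadbalancer/defaults/main.yml`. The template passes it unchanged to HAProxy's `bind ... ssl crt`, so it has to be the path, on the load balancer host, of a PEM file containing the server certificate, its chain and the private key, readable by the haproxy user; nothing in this patch deploys that file or sets its permissions, so the operator has to. Suggest a comment above the entry in both files: `# Path (on the load balancer) to a PEM file holding certificate, chain and private key; leave empty to keep plain HTTP on haproxy_frontend_port. This patch does not deploy the file.` The cipher and option lists are only joined into `ssl-default-bind-*` directives, so an override that empties either renders a directive with no arguments, which HAProxy would presumably refuse at reload; a comment that both lists must stay non-empty would avoid that surprise.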
@@ -9,7 +9,11 @@ global
 group haproxy
 daemon
 stats socket /var/lib/haproxy/stats
-
+{%- if haproxy_frontend_ssl_certificate %}
+ tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}
+ ssl-default-bind-ciphers {{ haproxy_ssl_ciphers | join(':') }}
+ ssl-default-bind-options {{ haproxy_ssl_options | join(' ') }}
+{% endif %}
 defaults
 mode http
 log global
@@ -29,7 +33,11 @@ defaults
 maxconn 8000
 frontend rgw-frontend
+{% if haproxy_frontend_ssl_certificate %}
+ bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}
+{% else %}
 bind *:{{ haproxy_frontend_port }}
+{% endif %}
 default_backend rgw-backend
 backend rgw-backend
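Review bot: The `{%- if haproxy_frontend_ssl_certificate %}` added right after `stats socket` strips the newline that ends the `stats socket` line, and Ansible's template module trims the newline after a block tag by default, so the rendered file likely has `tune.ssl.default-dh-param` — or, with the certificate unset, the `defaults` section header — glued onto the `stats socket` line, which HAProxy would reject (the `global` section this sits in begins above the hunk). Dropping the dash, `{% if haproxy_frontend_ssl_certificate %}`, and keeping the blank line this hunk removes avoids that; worth rendering once with the variable unset and once set to confirm. Separately, `tune.ssl.default-dh-param` only matters for the `EDH+` ciphers in the default list and only when the PEM file carries no DH parameters of its own, so a one-line comment saying so would help whoever tunes it later.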
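Review bot: With a certificate configured, the `{% else %}` branch removes the cleartext `bind *:{{ haproxy_frontend_port }}` instead of adding the TLS listener beside it, so enabling termination silently stops answering on port 80 with no redirect; if that is the intent the defaults should say so, otherwise keep both binds and redirect. The frontend also terminates TLS while the backend is untouched, so RGW still receives plain HTTP and cannot tell that the client used HTTPS unless the frontend says so; setting `X-Forwarded-Proto` on TLS connections gives it that signal (RGW has an `rgw_trust_forwarded_https` setting for this, to be confirmed against the Ceph version in use). The rewritten frontend below keeps the existing port 80 bind and adds the TLS bind, the redirect and the header under the same condition.
```jinja2
frontend rgw-frontend
    bind *:{{ haproxy_frontend_port }}
{% if haproxy_frontend_ssl_certificate %}
    bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
{% endif %}
{# … unchanged: default_backend rgw-backend … #}
```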