Add verifyhost parameter to balancermember resource
The verifyhost parameter from haproxy [1] will attempt to match
the server's certificate CN or SubjectAltName, and will fail if
there is no match.

In the balancermember resource, it was added as a boolean, since it's
somewhat difficult to add the parameter to the options list, since
each hostname in the verifyhost will be different for each of the
servers in the server_names list. So, to address this, we now can
specify a boolean, and if it's set to true, it will use the host of
the specific server line and use it for the verifyhost option.

Note that this configuration only works if we are using HAProxy with
OpenSSL, and if we set up the 'ssl' and 'verify required' options in
the options of the servers.

[1] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-verifyhost
JAORMX committed Nov 22, 2016
1 parent d900464 commit 27099de
Showing 4 changed files with 28 additions and 2 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -598,6 +598,8 @@ Configures a service inside a listening or backend service configuration block i

* `config_file`: *Optional.* Path of the config file where this entry will be added. Assumes that the parent directory exists. Defaults to `haproxy::params::config_file`.

* `verifyhost`: *Optional.* Will add the verifyhost option to the server line, using the specific host from server_names as an argument. Defaults to false

#### Define: `haproxy::backend`

Sets up a backend service configuration block inside haproxy.cfg. Each backend service needs one or more balancermember services (declared with the [`haproxy::balancermember` define](#define-haproxybalancermember)).
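
Review bot: the new `verifyhost` entry leaves out the prerequisite stated in the commit message, that the option only works when HAProxy is built with OpenSSL and the member's `options` include `ssl` and `verify required`. Someone who sets `verifyhost => true` from the README alone gets a server line that looks hardened but does not verify the hostname. Please add that requirement here and in the `[*verifyhost*]` header comment in manifests/balancermember.pp, and state that each `server_names` entry must be a name present in that backend's certificate CN or SubjectAltName, since the same value is also used as the server label.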
6 changes: 6 additions & 0 deletions manifests/balancermember.pp
Expand Up @@ -56,6 +56,11 @@
# Assumes that the parent directory exists.
# Default: $haproxy::params::config_file
#
# [*verifyhost*]
# Optional. Will add the verifyhost option to the server line, using the
# specific host from server_names as an argument.
# Default: false
#
# === Examples
#
# Exporting the resource for a balancer member:
Expand Down Expand Up @@ -97,6 +102,7 @@
$instance = 'haproxy',
$defaults = undef,
$config_file = undef,
$verifyhost = false,
) {

include haproxy::params
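
Review bot: `$verifyhost = false,` is accepted without any type check, while the template tests `@verifyhost == true`. A string such as `'true'` fails that comparison and the option is dropped silently, so the rendered server line lacks the hostname check the user asked for. Validate the parameter in the define body, for example with stdlib's `validate_bool($verifyhost)`, so a non-boolean value fails catalog compilation instead.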
18 changes: 18 additions & 0 deletions spec/defines/balancermember_spec.rb
Expand Up @@ -63,6 +63,24 @@
'content' => " server dero 1.1.1.1:18140 cookie dero check close\n"
) }
end

context 'with verifyhost' do
let(:params) do
{
:name => 'tyler',
:listening_service => 'croy',
:ports => '18140',
:options => ['check', 'close'],
:verifyhost => true
}
end

it { should contain_concat__fragment('haproxy-croy_balancermember_tyler').with(
'order' => '20-croy-01-tyler',
'target' => '/etc/haproxy/haproxy.cfg',
'content' => " server dero 1.1.1.1:18140 dero check close verifyhost dero\n"
) }
end
context 'with multiple servers' do
let(:params) do
{
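
Review bot: the expected `content` in the new context has a bare `dero` between `1.1.1.1:18140` and `check close`. In the template that position only ever holds ` cookie ` plus the host, and only when `define_cookies` is set, which this context does not do, so please confirm the string against the rendered output. The context also covers a single server on the `@ports` branch only: a case with several `server_names` would show that each line gets its own `verifyhost` value, which is the reason the commit message gives for making this a boolean, and a case without `ports` would cover the second edited template line.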
4 changes: 2 additions & 2 deletions templates/haproxy_balancermember.erb
@@ -1,9 +1,9 @@
<% Array(@ipaddresses).zip(Array(@server_names)).each do |ipaddress,host| -%>
<% if @ports -%>
<%- Array(@ports).each do |port| -%>
server <%= host %> <%= ipaddress %>:<%= port %><%= if @define_cookies then " cookie " + host end %> <%= Array(@options).sort.join(" ") %>
server <%= host %> <%= ipaddress %>:<%= port %><%= if @define_cookies then " cookie " + host end %> <%= Array(@options).sort.join(" ") %><% if @verifyhost == true %> verifyhost <%= host %><% end %>
<%- end -%>
<% else -%>
server <%= host %> <%= ipaddress %><%= if @define_cookies then " cookie " + host end %> <%= Array(@options).sort.join(" ") %>
server <%= host %> <%= ipaddress %><%= if @define_cookies then " cookie " + host end %> <%= Array(@options).sort.join(" ") %><% if @verifyhost == true %> verifyhost <%= host %><% end %>
<%- end -%>
<% end -%>
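
Review bot: ` verifyhost <%= host %>` is appended whenever `@verifyhost == true`, with no check that `@options` contains `ssl` and `verify required`, which the commit message says the setting depends on. That makes it possible to render a line that names a host to verify while certificate verification is not enabled on that server. Consider having the define warn or fail when `verifyhost` is true and those options are absent (allowing for them being set elsewhere, which the visible lines do not show), and computing the suffix once in a local variable so the two `server` lines cannot drift apart.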
