harden haproxy TLS configuration
Harden the TLS default config according to the Mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7

If you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml

Alternatively you can also set it to "intermediate" for a middle ground between security and accessibility.

This also adjusts the glance and neutron TLS proxy SSL settings in their dedicated haproxy config templates to use the same mechanism.

Also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide.

Closes-Bug: #2060787
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
		| @@ -402,6 +402,28 @@ grafana_server_listen_port: "{{ grafana_server_port }}" | ||||
| haproxy_stats_port: "1984" | ||||
| haproxy_monitor_port: "61313" | ||||
| haproxy_ssh_port: "2985" | ||||
| # configure SSL/TLS settings for haproxy config, one of [modern, intermediate, legacy]: | ||||
| kolla_haproxy_ssl_settings: "modern" | ||||
|  | ||||
| haproxy_ssl_settings: "{{ ssl_legacy_settings if kolla_haproxy_ssl_settings == 'legacy' else ssl_intermediate_settings if kolla_haproxy_ssl_settings == 'intermediate' else ssl_modern_settings | default(ssl_modern_settings) }}" | ||||
|  | ||||
| ssl_legacy_settings: | | ||||
|     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES | ||||
|     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | ||||
|  | ||||
| ssl_intermediate_settings: | | ||||
|     ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 | ||||
|     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||||
|     ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets | ||||
|     ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 | ||||
|     ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||||
|     ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets | ||||
|  | ||||
| ssl_modern_settings: | | ||||
|     ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||||
|     ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets | ||||
|     ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | ||||
|     ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets | ||||
|  | ||||
| heat_internal_fqdn: "{{ kolla_internal_fqdn }}" | ||||
| heat_external_fqdn: "{{ kolla_external_fqdn }}" | ||||
|   | ||||
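Review bot: the trailing `| default(ssl_modern_settings)` in the `haproxy_ssl_settings` expression is a no-op and hides a silent fallback. Jinja filters bind tighter than the conditional, so the filter only applies to the final `ssl_modern_settings` branch and defaults a variable to itself; the net effect is that any value other than the three documented ones (a typo such as `Modern`, an empty string) silently selects the modern profile, i.e. the strictest one, with no warning. Drop the filter and reject unexpected values up front, for example an `assert` in the haproxy prechecks with `that: kolla_haproxy_ssl_settings in ['modern', 'intermediate', 'legacy']`. Two smaller points: the `legacy` block only sets `ssl-default-bind-*`, whereas `intermediate` and `modern` also set `ssl-default-server-*`, so the three profiles are not symmetric (a one-line comment that legacy deliberately reproduces the old behaviour would stop the next reader from "fixing" it); and the `# configure SSL/TLS settings` comment should say that the profiles differ in protocol floor, not only in ciphers, since `modern` adds `no-tlsv12` and is therefore TLS 1.3 only.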
| @@ -10,9 +10,11 @@ global | ||||
|     {% if (glance_tls_proxy_threads | int > 1) and (glance_tls_proxy_thread_cpu_map | bool) %} | ||||
|     cpu-map auto:1/all 0-63 | ||||
|     {% endif %} | ||||
|     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES | ||||
|     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | ||||
|     {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} | ||||
|     {{ haproxy_ssl_settings }} | ||||
|     tune.ssl.default-dh-param 4096 | ||||
|     ca-base {{ haproxy_backend_cacert_dir }} | ||||
|     {% endif %} | ||||
|  | ||||
| defaults | ||||
|     log global | ||||
|   | ||||
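Review bot: the protocol and cipher directives move from being unconditional into the `kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool` block, so if this proxy is ever rendered with neither flag set, the `global` section no longer carries any `ssl-default-bind-*` line and HAProxy falls back to its built-in defaults, which do not disable TLS 1.0/1.1 the way the two removed lines did. If the glance TLS proxy can only be deployed alongside one of those flags, say so in a template comment; otherwise keep `{{ haproxy_ssl_settings }}` outside the conditional. Cosmetic: the profile values are YAML block scalars, so only their first line inherits the four-space indentation and a trailing blank line is emitted; `{{ haproxy_ssl_settings | indent(4) }}` keeps the rendered `global` section readable.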
| @@ -13,8 +13,7 @@ global | ||||
|     stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660{% if haproxy_socket_level_admin | bool %} level admin{% endif %} | ||||
|  | ||||
|     {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} | ||||
|     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES | ||||
|     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | ||||
|     {{ haproxy_ssl_settings }} | ||||
|     tune.ssl.default-dh-param 4096 | ||||
|     ca-base {{ haproxy_backend_cacert_dir }} | ||||
|     {% endif %} | ||||
|   | ||||
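Review bot: these defaults apply in both directions, which neither the docs nor the release note in this change mention: `ssl-default-server-options no-tlsv12` in the modern profile makes every `server ... ssl` line rendered in this file, i.e. HAProxy's own connections to TLS-enabled backends, TLS 1.3 only as well, not just the client-facing binds. Please state that the backend side must also speak TLS 1.3 under `modern`. The retained `tune.ssl.default-dh-param 4096` is still meaningful for the `DHE-RSA-*` suites listed in the intermediate profile, but under `modern` no finite-field DHE suite remains and the line is inert; fine to keep, but a comment would avoid the question later.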
| @@ -10,9 +10,11 @@ global | ||||
|     {% if (neutron_tls_proxy_threads | int > 1) and (neutron_tls_proxy_thread_cpu_map | bool) %} | ||||
|     cpu-map auto:1/all 0-63 | ||||
|     {% endif %} | ||||
|     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES | ||||
|     ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 | ||||
|     {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} | ||||
|     {{ haproxy_ssl_settings }} | ||||
|     tune.ssl.default-dh-param 4096 | ||||
|     ca-base {{ haproxy_backend_cacert_dir }} | ||||
|     {% endif %} | ||||
|  | ||||
| defaults | ||||
|     log global | ||||
|   | ||||
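Review bot: as in the glance proxy template, `ssl-default-bind-ciphers` and `ssl-default-bind-options` were previously applied unconditionally and are now only rendered when `kolla_enable_tls_external` or `kolla_enable_tls_internal` is set; with both unset the neutron TLS proxy would run on HAProxy's built-in protocol defaults instead of the explicit `no-sslv3 no-tlsv10 no-tlsv11` it had before. Either document in the template that this proxy is never deployed without one of those flags, or move `{{ haproxy_ssl_settings }}` above the `{% if %}` so the hardening does not depend on it.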
| @@ -363,3 +363,29 @@ options for TLS as is. | ||||
|  | ||||
| If using this option, make sure that all certificates are present on the | ||||
| appropriate hosts in the appropriate location. | ||||
|  | ||||
| .. _haproxy-tls-settings: | ||||
|  | ||||
| HAProxy TLS related settings | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
|  | ||||
| You can select between different SSL/TLS ciphers by setting the following | ||||
| in ``/etc/kolla/globals.yml``: | ||||
|  | ||||
| .. code-block:: yaml | ||||
|  | ||||
|    kolla_haproxy_ssl_settings: "modern" # or "intermediate" or "legacy" | ||||
|  | ||||
| The default value is "modern". These settings are adapted from the | ||||
| `Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/>`__. | ||||
|  | ||||
| The setting "modern" is recommended for most deployments. The setting | ||||
| "intermediate" is recommended for deployments that need to support older | ||||
| clients. The setting "legacy" is not recommended, but is left as a | ||||
| compatibility option for older deployments. | ||||
|  | ||||
| See the `Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/>`__ | ||||
| for more information on exact supported client versions. | ||||
|  | ||||
| The ``kolla_haproxy_ssl_settings`` setting also affects the glance and | ||||
| neutron haproxy TLS settings, if these proxy services are enabled. | ||||
|   | ||||
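Review bot: "select between different SSL/TLS ciphers" undersells what the knob does; the protocol floor changes too, and that is what actually breaks clients: with `modern` HAProxy sets `no-tlsv12` and accepts TLS 1.3 only, while `intermediate` and `legacy` still accept TLS 1.2. State this right after the code block, e.g. "The default value is modern, which only allows TLS 1.3; intermediate and legacy additionally allow TLS 1.2", and name the affected connections (public and internal VIPs, and through `ssl-default-server-*` HAProxy's connections to TLS backends). A one-line verification hint is worth adding for operators, e.g. `openssl s_client -connect <vip>:443 -tls1_2` must fail against a `modern` deployment and succeed against `intermediate`.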
| @@ -92,3 +92,8 @@ disabled by setting the following in ``/etc/kolla/globals.yml``: | ||||
| .. code-block:: yaml | ||||
|  | ||||
|    haproxy_enable_http2: "no" | ||||
|  | ||||
| SSL/TLS Settings | ||||
| ---------------- | ||||
|  | ||||
| For SSL/TLS related settings refer to the :ref:`haproxy-tls-settings` section. | ||||
|   | ||||
| @@ -0,0 +1,28 @@ | ||||
| --- | ||||
| features: | ||||
|   - | | ||||
|     Harden the HAProxy TLS default configuration according to the mozilla | ||||
|     ``modern`` recommendation: | ||||
|  | ||||
|     `<https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7>`__ | ||||
|  | ||||
|     If you want to revert back to the old behaviour, e.g. because | ||||
|     you have old clients, you can do so by setting the following | ||||
|     variable in your globals.yml: | ||||
|  | ||||
|     ``kolla_haproxy_ssl_settings: legacy`` or if you want to have | ||||
|     at least some improved security settings: | ||||
|     ``kolla_haproxy_ssl_settings: intermediate`` | ||||
|  | ||||
|     See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__ | ||||
| upgrade: | ||||
|   - | | ||||
|     If you have old clients that do not support the new TLS settings, | ||||
|     you can revert back to the old behaviour by setting the following | ||||
|     variable in your globals.yml: | ||||
|  | ||||
|     ``kolla_haproxy_ssl_settings: legacy`` or if you want to have | ||||
|     at least some improved security settings: | ||||
|     ``kolla_haproxy_ssl_settings: intermediate`` | ||||
|  | ||||
|     See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__ | ||||
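Review bot: the `features` and `upgrade` entries repeat the same two paragraphs, and the `upgrade` one, which is where operators look for breakage, never says what concretely changed beyond "new TLS settings". It should state that with the new default `modern` TLS 1.2 is disabled (`no-tlsv12`) on all HAProxy frontends and on HAProxy's connections to TLS backends, so any client or backend without TLS 1.3 support stops connecting after the upgrade, and only then give the two opt-out values. Keep the long description in `features` and reduce `upgrade` to that statement; the Launchpad link can appear once.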