adds ssl-default-bind options to template

2015-07-29 12:16:37 +02:00 · 2015-07-29 12:16:37 +02:00 · 62981b47ad
parent b83deb4f28
commit 62981b47ad
2 changed files with 8 additions and 1 deletions
--- a/haproxy/templates/haproxy.jinja
+++ b/haproxy/templates/haproxy.jinja
@ -24,7 +24,12 @@ global
    # Stats support is currently limited to socket mode
    stats socket {{ salt['pillar.get']('haproxy:global:stats:socketpath', '/tmp/ha_stats.sock') }}
 {%- endif %}
-
+{%- if salt['pillar.get']('haproxy:global:ssl-default-bind-ciphers', False) %}
+    ssl-default-bind-ciphers {{ salt['pillar.get']('haproxy:global:ssl-default-bind-ciphers') }}
+{%- endif %}
+{%- if salt['pillar.get']('haproxy:global:ssl-default-bind-options', False) %}
+    ssl-default-bind-options {{ salt['pillar.get']('haproxy:global:ssl-default-bind-options') }}
+{%- endif %}

 #------------------
 # common defaults that all the 'listen' and 'backend' sections will
--- a/pillar.example
+++ b/pillar.example
@ -9,6 +9,8 @@ haproxy:
    stats:
      enable: True
      socketpath: /var/lib/haproxy/stats
+    ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
+    ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"

    user: haproxy
    group: haproxy