HAPROXY: OCSP management is now conditional.
parent
ee6087de29
commit
500f83aab8
@ -43,8 +43,9 @@ haproxy_admin_socket_dir: /run/haproxy
|
||||||
haproxy_admin_socket_file: admin.sock
|
haproxy_admin_socket_file: admin.sock
|
||||||
haproxy_admin_socket: '{{ haproxy_admin_socket_dir }}/{{ haproxy_admin_socket_file }}'
|
haproxy_admin_socket: '{{ haproxy_admin_socket_dir }}/{{ haproxy_admin_socket_file }}'
|
||||||
|
|
||||||
haproxy_letsencrypt_managed: True
|
haproxy_letsencrypt_managed: true
|
||||||
haproxy_cert_dir: '{{ pki_dir }}/haproxy'
|
haproxy_cert_dir: '{{ pki_dir }}/haproxy'
|
||||||
|
haproxy_ssl_ocsp_enabled: false
|
||||||
|
|
||||||
haproxy_install_additional_pkgs: False
|
haproxy_install_additional_pkgs: False
|
||||||
haproxy_additional_pkgs:
|
haproxy_additional_pkgs:
|
||||||
|
|
|
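Review bot: The new `haproxy_ssl_ocsp_enabled: false` default carries no comment, yet flipping it pulls a third-party script onto the host and installs a root cron job, which is more than the name suggests; add above it `# When true, downloads hapos-upd to /usr/local/bin and installs a daily root cron job that refreshes OCSP stapling via the admin socket.` In the same hunk the commit normalizes `haproxy_letsencrypt_managed` to `true` but leaves `haproxy_install_additional_pkgs: False` two lines below with the Python-style spelling, so the file now mixes both forms; `haproxy_install_additional_pkgs: false` keeps the defaults file consistent. The surrounding defaults file continues outside the hunk.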
@ -1,17 +1,39 @@
|
||||||
---
|
---
|
||||||
- block:
|
- name: haproxy-ssl | Manage OCSP
|
||||||
- name: Install the socat binary needed to talk to the haproxy socket
|
tags: ['haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp']
|
||||||
apt: name=socat state=latest update_cache=yes cache_valid_time=3600
|
when: haproxy_ssl_ocsp_enabled
|
||||||
|
block:
|
||||||
|
- name: haproxy-ssl | Install the socat binary needed to talk to the haproxy socket
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: socat
|
||||||
|
state: present
|
||||||
|
cache_valid_time: 3600
|
||||||
|
|
||||||
- name: Install a script that refreshes the OCSP configuration and reloads haproxy if needed
|
- name: haproxy-ssl | Install a script that refreshes the OCSP configuration and reloads haproxy if needed
|
||||||
get_url: url='https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/master/hapos-upd' dest=/usr/local/bin/hapos-upd owner=root group=root mode=0755
|
ansible.builtin.get_url:
|
||||||
|
url: 'https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/master/hapos-upd'
|
||||||
|
dest: /usr/local/bin/hapos-upd
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Install a cron job that refreshes the OCSP configuration
|
- name: haproxy-ssl | Install a cron job that refreshes the OCSP configuration
|
||||||
cron:
|
ansible.builtin.cron:
|
||||||
name: "Refresh the haproxy OCSP information"
|
name: "Refresh the haproxy OCSP information"
|
||||||
user: root
|
user: root
|
||||||
|
cron_file: haproxy_ocsp
|
||||||
special_time: daily
|
special_time: daily
|
||||||
|
state: present
|
||||||
job: "/usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %} -v - >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %} ; docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet){% endif %}"
|
job: "/usr/local/bin/hapos-upd {% if haproxy_docker_container %}-S{% endif %} --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %} -v - >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %} ; docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet){% endif %}"
|
||||||
|
|
||||||
tags: [ 'haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp' ]
|
- name: haproxy-ssl | Disable the OCSP handling
|
||||||
|
tags: ['haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp']
|
||||||
|
when: not haproxy_ssl_ocsp_enabled
|
||||||
|
block:
|
||||||
|
- name: haproxy-ssl | Remove the cron job that refreshes the OCSP configuration
|
||||||
|
ansible.builtin.cron:
|
||||||
|
name: "Refresh the haproxy OCSP information"
|
||||||
|
user: root
|
||||||
|
cron_file: haproxy_ocsp
|
||||||
|
special_time: daily
|
||||||
|
state: absent
|
||||||
|
|
|
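Review bot: The `ansible.builtin.get_url` task in the enabled block fetches an executable from the mutable `master` ref with no `checksum:`, so whatever that branch serves at play time becomes the root-owned, mode 0755 `/usr/local/bin/hapos-upd` that the cron job runs as root daily; an upstream change or compromise is picked up silently and the task is not reproducible between runs. Pin the URL to an immutable revision and verify it, e.g. `url: 'https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/<PINNED_COMMIT_SHA>/hapos-upd'` with `checksum: 'sha256:<EXPECTED_SHA256_OF_PINNED_FILE>'` (both placeholders to be filled from the reviewed revision), which also makes the task idempotent by content rather than by re-download. The disable block only removes the cron entry, so the script and socat stay on hosts that turn `haproxy_ssl_ocsp_enabled` off; if that is intended, a short comment on the "Disable the OCSP handling" task saying so would save the next reader from assuming an omission.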
@ -23,8 +23,17 @@ fi
|
||||||
|
|
||||||
haproxy_socket={% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %}
|
haproxy_socket={% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %}
|
||||||
|
|
||||||
|
echo "Check if the certificate must be replaced" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}.new
|
||||||
|
cmp ${HAPROXY_CERTFILE}.new ${HAPROXY_CERTFILE} 2>/dev/null
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
echo "The certificate is up to date" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
rm -f ${HAPROXY_CERTFILE}.new
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
|
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
|
||||||
cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
|
/bin/mv -f ${HAPROXY_CERTFILE}.new ${HAPROXY_CERTFILE}
|
||||||
chmod 440 ${HAPROXY_CERTFILE}
|
chmod 440 ${HAPROXY_CERTFILE}
|
||||||
chgrp haproxy ${HAPROXY_CERTFILE}
|
chgrp haproxy ${HAPROXY_CERTFILE}
|
||||||
|
|
||||||
|
|
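Review bot: The new `cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}.new` writes the private key into a fresh file created under the script's current umask (typically 022, giving 0644), and `chmod 440` / `chgrp haproxy` are only applied after the `/bin/mv -f`, so the key is readable by every local user from the moment the `.new` file is created until the chmod runs, and permanently if the script is interrupted before the `rm -f` or `mv`. Set `umask 077` before the `cat`, then apply `chgrp haproxy ${HAPROXY_CERTFILE}.new` and `chmod 440 ${HAPROXY_CERTFILE}.new` before the `/bin/mv -f`, so the rename atomically installs a file that already has its final ownership and mode and the existing `chmod`/`chgrp` lines after the move become redundant. Note that `cmp` exits 2 rather than 1 when `${HAPROXY_CERTFILE}` does not yet exist, which the `-eq 0` test handles correctly on first run. The script begins before this hunk, so the umask may already be set earlier; if so, a comment at the `cat` line saying the `.new` file inherits that umask would document the dependency.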