Haproxy: When using TLS everywhere, use verifyhost for the balancermembers

This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.

Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a6bd1eb..d497056 100644 (file)
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -718,6 +718,9 @@ class tripleo::haproxy (
 
   if $enable_internal_tls {
     $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    Haproxy::Balancermember {
+      verifyhost => true
+    }
   } else {
     $internal_tls_member_options = []
   }