Allow proper ssl verification for backends (With a privately managed CA of course)

Thomas Lynch
2023-03-18 15:21:21 +11:00
parent 521e4ab335
commit 9478892614
3 changed files with 10 additions and 1 deletions


@@ -14,6 +14,7 @@ function setup_servers()
end
local handle = io.open("/etc/haproxy/map/hosts.map", "r")
local line = handle:read("*line")
local verify_backend_ssl = os.getenv("VERIFY_BACKEND_SSL")
local counter = 1
-- NOTE: using tcp socket to interact with runtime API because lua can't add servers
local tcp = core.tcp();
@@ -29,7 +30,12 @@ function setup_servers()
-- proxy:set_addr(backend_hostname, backend_port)
-- proxy:set_ready()
local server_name = "servers/websrv"..counter
tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
--NOTE: if you have a proper CA setup,
if verify_backend_ssl ~= nil then
tcp:send(string.format("add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)\n", server_name, backend_host))
else
tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
end;
tcp:send(string.format("enable server %s\n", server_name))
line = handle:read("*line")
counter = counter + 1
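Review bot: The `if verify_backend_ssl ~= nil then` test treats any set value (including an empty string or `0`) as an opt-in, while an unset or misspelled variable silently falls back to `verify none` with nothing logged, so a deployment mistake downgrades to no certificate checking without a trace; consider requiring an explicit value, e.g. `if verify_backend_ssl == "true" then`, and logging which mode was chosen (e.g. via `core.Warning`) before the `tcp:send`. The `ca-file ca-certificates.crt` argument is a relative path; if I recall HAProxy's handling correctly it is resolved against `ca-base`, so the file that is actually loaded depends on configuration outside this script and is worth stating in the comment. With `sni req.hdr(Host)` the name the backend certificate is validated against appears to come from the client request rather than from `backend_host`; if that reading of HAProxy's verify semantics is right, pinning `verifyhost` to the expected backend name keeps validation independent of request input, and the health check (which has no request) may need `check-sni` as well. The comment `--NOTE: if you have a proper CA setup,` is cut off mid-sentence, and `end;` carries a stray semicolon. `setup_servers` starts and ends outside this hunk.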