Allow proper ssl verification for backends (With a privately managed CA of course)

2025-05-09 02:05:37 +00:00 · 2023-03-18 15:21:21 +11:00
parent 521e4ab335
commit 9478892614
3 changed files with 10 additions and 1 deletions
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
@@ -20,6 +20,7 @@ NOTE: Use either HCAPTCHA_ or RECAPTHCA_, not both.
 - ARGON_KB - argon2 memory usage in KB
 - POW_DIFFICULTY - pow difficulty
 - POW_TYPE - type of ahsh algorithm for pow "argon2" or "sha256"
+- VERIFY_BACKEND_SSL - whether to verify backend ssl, requires you have a private CA on the proxy and using it to sign your backend certs

 #### Run in docker (for testing/development)

--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -115,6 +115,8 @@ cache basic_cache
 	max-age 86400

 backend servers
+	# optional (recommended) ssl, requires CA cert installed on proxy and signeed cert on backends, you can also use "ssl verify none" but ssl can then be trivially mitm'd
+	# default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
 	# use server based on hostname
 	use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE

--- a/src/lua/scripts/register-servers.lua
+++ b/src/lua/scripts/register-servers.lua
@@ -14,6 +14,7 @@ function setup_servers()
 	end
 	local handle = io.open("/etc/haproxy/map/hosts.map", "r")
 	local line = handle:read("*line")
+	local verify_backend_ssl = os.getenv("VERIFY_BACKEND_SSL")
 	local counter = 1
 	-- NOTE: using tcp socket to interact with runtime API because lua can't add servers
 	local tcp = core.tcp();
@@ -29,7 +30,12 @@ function setup_servers()
 		-- proxy:set_addr(backend_hostname, backend_port)
 		-- proxy:set_ready()
 		local server_name = "servers/websrv"..counter
-		tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
+		--NOTE: if you have a proper CA setup,
+		if verify_backend_ssl ~= nil then
+			tcp:send(string.format("add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)\n", server_name, backend_host))
+		else
+			tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
+		end;
 		tcp:send(string.format("enable server %s\n", server_name))
 		line = handle:read("*line")
 		counter = counter + 1