On Fri, Jun 13, 2014 at 1:08 AM, kiorky <kio...@cryptelium.net> wrote:
> just forgot to include the version: HA-Proxy version 1.5-dev25-a339395 > 2014/05/10 > > On 13/06/2014 10:04, kiorky wrote: > > Hi we use here a generator for haproxy configs and this one generates > amongst all https frontend using SNI to redirect to endspoints. > Basically, we host lot of VMS and the host is NATing/redirecting every > served domain to the underlying VM and when we use https. > In other words, it terminates SSL on the haproxy front and we are using a > certicate per VM. > Technically, this was as simple as adding a crt <crt> for each vm... > This setup worked fine and without a glitch for a time, but it's falling > on one host as the generated bind line seems to be too long: > > bind *:443 ssl crt /etc/ssl/cloud/certs/ovh-r5-2.this-company.net.crt crt > /etc/ssl/cloud/certs/prod-appapp1.this-company.net.crt crt > /etc/ssl/cloud/certs/appapp1.this-company.net.crt crt > /etc/ssl/cloud/certs/prod-somethelse.this-company.net.crt crt > /etc/ssl/cloud/certs/someth-else.be.crt crt > /etc/ssl/cloud/certs/someth-else.com.crt crt > /etc/ssl/cloud/certs/someth-else.eu.crt crt > /etc/ssl/cloud/certs/someth-else.fr.crt crt > /etc/ssl/cloud/certs/someth-else.mobi.crt crt > /etc/ssl/cloud/certs/someth-else.net.crt crt > /etc/ssl/cloud/certs/someth-else.org.crt crt > /etc/ssl/cloud/certs/somethelse.be.crt crt > /etc/ssl/cloud/certs/somethelse.com.crt crt > /etc/ssl/cloud/certs/somethelse.eu.crt crt > /etc/ssl/cloud/certs/somethelse.fr.crt crt > /etc/ssl/cloud/certs/somethelse.mobi.crt crt > /etc/ssl/cloud/certs/somethelse.net.crt crt > /etc/ssl/cloud/certs/somethelse.org.crt crt > /etc/ssl/cloud/certs/e-cov.somethelse.net.crt crt > /etc/ssl/cloud/certs/appappapp3.somethelse.net.crt crt > /etc/ssl/cloud/certs/www.someth-else.be.crt crt > /etc/ssl/cloud/certs/www.someth-else.com.crt crt > /etc/ssl/cloud/certs/www.someth-else.eu.crt crt > /etc/ssl/cloud/certs/www.someth-else.fr.crt crt > /etc/ssl/cloud/certs/www.someth-else.mobi.crt crt > /etc/ssl/cloud/certs/www.someth-else.org.crt crt > /etc/ssl/cloud/certs/www.somethelse.be.crt crt > /etc/ssl/cloud/certs/www.somethelse.com.crt crt > /etc/ssl/cloud/certs/www.somethelse.eu.crt crt > /etc/ssl/cloud/certs/www.somethelse.fr.crt crt > /etc/ssl/cloud/certs/www.somethelse.mobi.crt crt > /etc/ssl/cloud/certs/www.somethelse.net.crt crt > /etc/ssl/cloud/certs/www.somethelse.org.crt crt > /etc/ssl/cloud/certs/www2.somethelse.com.crt crt > /etc/ssl/cloud/certs/www2.somethelse.eu.crt crt > /etc/ssl/cloud/certs/www2.somethelse.fr.crt crt > /etc/ssl/cloud/certs/www2.somethelse.net.crt crt > /etc/ssl/cloud/certs/www2.somethelse.org.crt crt > /etc/ssl/cloud/certs/prod-appapp4.this-company.net.crt crt > /etc/ssl/cloud/certs/appapp4.this-company.net.crt > > (this line is edited but is as long as the original one) > > This is how haproxy complains at restart: > > [ALERT] 163/095929 (3094) : parsing > [/etc/haproxy/extra/cloudcontroller.cfg:180]: line too long, truncating at > word 65, position 1438: ... > [ALERT] 163/095929 (3094) : parsing > [/etc/haproxy/extra/cloudcontroller.cfg:180] : 'bind *:443' : 'crt' : > missing certificate location > [ALERT] 163/095929 (3094) : Error(s) found in configuration file : > /etc/haproxy/extra/cloudcontroller.cfg > > > As it first truncates the bind content, it then without surprises fails to > load. > > Is this affordable just to increase the bind argument size limit, maybe to > something enoughly large that no one can reach this limit ? > > I think the usual way to handle that is to just specify the directory in "crt" and let haproxy load all the certs from that location. If you want to have a default certificate used when no SNI is provided or when SNI is provided but a cert is not found for it, then name the default cert using "crt" and then load the read with "crt /etc/haproxy/cloud/certs/". The crt-list option might be interesting for you as well. -Bryan