Hi there, I'm seeing some odd behavior with HAProxy 1.6.3 and the ordering of ssl & verify in my configuration file. I'm not sure if this is truly a bug or a misunderstanding on my part.
We are attempting to set up HAProxy to load balance SSL-enabled servers, but aren't currently concerned with CA verification. The HAProxy config file is currently being auto-generated by interlock (https://github.com/ehazlett/interlock), a tool that marries Docker Swarm & HAProxy quite nicely. But I've verified the problem exists with self-built config files & a stock HAProxy 1.6.3 as well.

In the following backend configuration section:

    backend cloud_dev
        http-response add-header X-Request-Start %Ts.%ms
        balance roundrobin
        server dev1 3.101.113.47:32777 check inter 5000 ssl sni req.hdr(Host) verify none

I receive the following error output:

    [ALERT] 062/205826 (31) : Proxy 'cloud_dev', server 'dev1' [proxy.conf:40] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
    [WARNING] 062/205826 (31) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
    [ALERT] 062/205826 (31) : Fatal errors found in configuration.

If I adjust the configuration section to place "verify none" immediately after the ssl statement:

    backend cloud_dev
        http-response add-header X-Request-Start %Ts.%ms
        balance roundrobin
        server dev1 3.101.113.47:32777 check inter 5000 ssl verify none sni req.hdr(Host)

things work as expected.
It appears that the ordering of the ssl & verify options is important - but my reading of the docs indicates that this shouldn't be the case:

    http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#ssl%20(Server%20and%20default-server%20options)
    http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#sni

I'm going to send a pull request to interlock to adjust the generated server configs, but wanted to check first to see if there is an underlying bug with the way HAProxy handles the configuration files that needed to be reported as well.

See inline for a minimal configuration file that exhibits the bug - just move "verify none" to the end to see it work as expected.

thanks,

--
Owen Marshall
Senior Cloud Technologist | GE Appliances

Testcase:

    defaults
        mode http
        timeout connect 5000
        timeout client 10000
        timeout server 10000

    frontend http-default
        bind *:80
        acl test_dev hdr_beg(host) test.dev
        use_backend test_dev if test_dev

    backend test_dev
        balance roundrobin
        server dev1 127.0.0.1:12345 check inter 5000 ssl verify none sni req.hdr(Host)
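For readers who land on this thread while writing their own server lines, here is an added configuration example (not part of the original post or of interlock's generated output) that puts the two orderings from the report side by side with a third variant that actually verifies the backend certificate. The CA bundle path, the backend hostname and the addresses are placeholders and are assumptions of this example, not values from the report.

```haproxy
# Added example. Check each variant with:  haproxy -c -f <file>
# Only one of the three "server" lines should be active at a time.

global
    # Default for every "server ... ssl" line that says nothing about verify.
    # "ssl-server-verify none" would silence the ALERT globally, but it turns
    # certificate checking off for every backend, so leave it at "required".
    ssl-server-verify required

defaults
    mode http
    timeout connect 5000
    timeout client 10000
    timeout server 10000

backend cloud_dev
    balance roundrobin

    # Variant 1 (reported as failing on 1.6.3): verify after sni.
    # With this ordering 1.6.3 is reported to alert with
    # "verify is enabled by default but no CA file specified".
    # server dev1 192.0.2.10:32777 check inter 5000 ssl sni req.hdr(Host) verify none

    # Variant 2 (reported as working): verify immediately after ssl.
    # Note what "verify none" means: the connection to dev1 is encrypted, but
    # any certificate from any server at 192.0.2.10 is accepted, so an
    # on-path attacker between HAProxy and the backend is not detected.
    # server dev1 192.0.2.10:32777 check inter 5000 ssl verify none sni req.hdr(Host)

    # Variant 3 (hardened): verify the chain against an explicit CA bundle
    # and pin the expected name. "sni" only sets the SNI sent to the server;
    # "verifyhost" is what checks the name in the presented certificate.
    # /etc/haproxy/backend-ca.pem and dev1.cloud.example are placeholders.
    server dev1 192.0.2.10:32777 check inter 5000 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost dev1.cloud.example sni req.hdr(Host)
```

A practical way to use this: run `haproxy -c -f` against the file with variant 1 active and again with variant 2 active to reproduce the ordering difference on your own build, then move to variant 3 once the backend CA is available. Keep `ssl-server-verify` at `required` in the global section so that a generated server line that forgets `verify` fails at config check time rather than silently accepting any certificate.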