Hi Fred,

> On 21 March 2017 at 23:14, Willy Tarreau <w...@1wt.eu> wrote:
>
> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
>> Hello HAProxy ML,
>>
>> I am starting this new thread to publish a series of patches to make
>> all "server" settings be supported on "default-server" lines.
>>
>> This is a preliminary work for "server templates" feature.
>>
>> New boolean settings have been added to disable others. Most of them
>> have "no-" as prefix.
> (...)
>
> Wow I didn't realize you had already done all this! That's really cool!
>

I agree :)

>> Here is an exhaustive list:
> (...)
>> "sslv2" disables "no-sslv3",
>> "ssl-reuse" disables "no-ssl-reuse",
>> "stick" disables "non-stick",
>> "tlsv10" disables "no-tlsv10",
>> "tlsv11" disables "no-tlsv11",
>> "tlsv12" disables "no-tlsv12",
>> "tls-tickets" disables "no-tls-tickets".
>
> Hmmm I hadn't thought about these ones, I suspect they'll cause more
> confusion than anything else, especially given that the "tlsv11" above
> cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
> discuss this with Emeric, he's already scratching his head around these
> ones without these double negations, he will hate us now :-)
>

I have patches sent to the ML that change the internal implementation of no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
It could simplify (or not) what you want to do, but there will be an impact on your patches if they are accepted.

++
Manu