On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet <m...@gandi.net> wrote:
> In haproxy 1.8dev, default certificate can now be optional.
> This patch allows that.
>

Thanks Manu for looking into this.

Here is my use-case:

1. A "frontend" would bind on port 80 and then look whether a request
is from Letsencrypt (URL: ~/.well-known/..). That is, an "http-01"
challenge request.
If so, it would forward the connection to a backend that deals with
certificates (that backend initiated this request in the first place).
If it is not an "http-01" challenge request, then it would redirect to https.

2. Another frontend would bind to port 443, and the "bind" line would
have a new keyword like "disable-if-no-certs".
If there are no certs yet installed, haproxy would cancel out the
whole frontend for port 443 and would not bind port 443.


Ideally, this would be implemented cleanly if there was a way to simply specify

use_frontend myhttps if { ssl_certs_exist }

Also, we could then specify to redirect to https (first frontend
earlier) if { ssl_certs_exist }.


For this to work, it would require:

1. Addition of keyword "use_frontend", just like "use_backend" exists.
2. HAProxy should set "ssl_certs_exist" when it loads up, depending on
whether certificates have been found or not.

Simos


>
>> On May 29, 2017 at 11:09, Emmanuel Hocdet <m...@gandi.net> wrote:
>>
>>
>> Hi Simos,
>>
>> The workaround is to have a default (fake) certificate first and use the
>> "strict-sni" parameter.
>>
>> Manu
>>
>>> On May 22, 2017 at 10:28, Simos Xenitellis <simos.li...@googlemail.com>
>>> wrote:
>>>
>>> Hi All,
>>>
>>> I am trying to automate some tasks with adding multiple https
>>> (LetsEncrypt) websites,
>>> and using HAProxy as a TLS Termination Proxy.
>>>
>>> The problem is that when you start off with an empty server, there are
>>> no certificates yet,
>>> and it is not possible to have "bind *:443 ssl crt
>>> /etc/haproxy/certs/..." in haproxy.cfg.
>>>
>>> LetsEncrypt can work with http, so it could easily use the "bind *:80"
>>> front-end in the beginning.
>>>
>>> Is there a way to express "If no certificates are found in
>>> /etc/haproxy/certs/, then do not bind *:443"?
>>>
>>> Simos
>>>
>>
>
>
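As an added example (not from the thread and not HAProxy project code), here is the workaround Manu describes written out as a haproxy.cfg fragment, combined with the port-80 handling Simos sketches: a placeholder certificate is listed first so the port-443 bind succeeds before any real certificate exists, and strict-sni stops that placeholder from ever being served for a real hostname. The placeholder path, the certificate directory, the backend addresses and ports, and the frontend/backend names are all assumptions.

```haproxy
# Added example, not from the thread. Paths, ports and section names are assumed.

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80: hand ACME http-01 challenges to the backend that requested them,
# redirect everything else to https.
frontend fe_http
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend be_acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: the first "crt" is a self-signed placeholder kept outside the
# certificate directory, so the bind always has at least one certificate to load.
# The second "crt" points at the directory; haproxy loads every PEM found there,
# so the directory may be empty on a fresh server and filled in later.
# "strict-sni" refuses any handshake whose SNI matches none of the loaded
# certificates (including clients that send no SNI), so the placeholder is
# never presented as the certificate for a real site.
frontend fe_https
    bind *:443 ssl crt /etc/haproxy/placeholder.pem crt /etc/haproxy/certs/ strict-sni
    http-request set-header X-Forwarded-Proto https
    default_backend be_web

# Assumed: the ACME client answers challenges on a local port.
backend be_acme
    server acme 127.0.0.1:8402

backend be_web
    server app 127.0.0.1:8080
```

The placeholder can be produced with `openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=placeholder -keyout key.pem -out cert.pem`, concatenating key and certificate into the single PEM file haproxy expects; give it a CN that will never match a real hostname. After dropping real certificates into the directory, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the configuration and a reload picks them up; until then clients connecting to port 443 get a handshake failure rather than a certificate for the wrong name, which is the behaviour the strict-sni workaround is meant to give.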
