> On 15 June 2017 at 16:42, Simos Xenitellis <simos.li...@googlemail.com> wrote:
>
> On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet <m...@gandi.net> wrote:
>> In haproxy 1.8dev, default certificate can now be optional.
>> This patch allows that.
>>
>
> Thanks Manu for looking into this.
>
> Here is my use-case:
>
> 1. A "frontend" would bind on port 80 and then look whether a request
> is from Letsencrypt (URL: ~/.well-known/..). That is, an "http-01"
> challenge request.
> If so, it would forward the connection to a backend that deals with
> certificates (that backend initiated this request in the first place).
> If it is not an "http-01" challenge request, then it would redirect to https.
>
> 2. Another frontend would bind to port 443, and the "bind" line would
> have a new keyword like "disable-if-no-certs".
> If there are no certs yet installed, haproxy would cancel out the
> whole frontend for port 443 and would not bind port 443.
>
>
> Ideally, this would be implemented cleanly if there was a way to simply
> specify
>
> use_frontend myhttps if { ssl_certs_exist }
>
> Also, we could then specify to redirect to https (first frontend
> earlier) if { ssl_certs_exist }.
>
With this patch you will not need such a complicated setup. Just do:

bind :443 ssl strict-sni crt /my/cert/directory/

Without this patch you need to have at least one certificate (fake or not).

>
> For this to work, it would require:
>
> 1. Addition of keyword "use_frontend", just like "use_backend" exists.
> 2. HAProxy should set "ssl_certs_exist" when it loads up, depending on
> whether certificates have been found or not.
>
> Simos
>
>
>>
>>> On 29 May 2017 at 11:09, Emmanuel Hocdet <m...@gandi.net> wrote:
>>>
>>>
>>> Hi Simos,
>>>
>>> The workaround is to have a default (fake) certificate first and use the
>>> "strict-sni" parameter.
>>>
>>> Manu
>>>
>>>> On 22 May 2017 at 10:28, Simos Xenitellis <simos.li...@googlemail.com>
>>>> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I am trying to automate some tasks with adding multiple https
>>>> (LetsEncrypt) websites,
>>>> and using HAProxy as a TLS Termination Proxy.
>>>>
>>>> The problem is that when you start off with an empty server, there are
>>>> no certificates yet,
>>>> and it is not possible to have "bind *:443 ssl crt
>>>> /etc/haproxy/certs/..." in haproxy.cfg.
>>>>
>>>> LetsEncrypt can work with http, so it could easily use the "bind *:80"
>>>> front-end in the beginning.
>>>>
>>>> Is there a way to express "If no certificates are found in
>>>> /etc/haproxy/certs/, then do not bind *:443"?
>>>>
>>>> Simos
>>>>
>>>
>>
>>
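Added example (not a configuration posted in this thread and not part of the HAProxy project): a complete haproxy.cfg that implements the two-frontend layout Simos describes, using Manu's `ssl strict-sni crt <directory>` bind line on port 443. The certificate directory /etc/haproxy/certs/, the backend names, and the addresses 127.0.0.1:8402 (ACME client) and 127.0.0.1:8080 (application) are assumptions for the sake of the example.

```haproxy
global
    log /dev/log local0
    # Assumed TLS baseline for every "ssl" bind line below
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: only the ACME http-01 challenge path reaches the plain-HTTP
# backend that answers challenges; every other request is redirected to
# https, so nothing else is ever served in clear.
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: "crt" on a directory loads every PEM file in it (private key,
# certificate and chain concatenated in one file).
# strict-sni: a ClientHello without SNI, or with an SNI that matches no
# loaded certificate, fails the handshake instead of being served some
# default certificate. With the 1.8dev change discussed in the thread the
# directory may be empty at start-up; before it, at least one certificate
# (a placeholder if need be) must be present for haproxy to start.
frontend https_in
    bind *:443 ssl strict-sni crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    default_backend web

# Assumed: the ACME client listens here for http-01 challenge requests
backend acme
    server acme_client 127.0.0.1:8402

# Assumed: the real application
backend web
    server app1 127.0.0.1:8080
```

Once the ACME client has written a key+chain PEM into /etc/haproxy/certs/, validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` and reload; haproxy only reads the directory at start or reload. A quick check of the strict-sni behaviour: `openssl s_client -connect host:443 -servername example.com` completes the handshake for a loaded name, while the same command without `-servername` (or with an unknown name) is rejected at the TLS layer rather than answered with a certificate for a different host.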