Hi,
On 5-3-2018 at 19:25, Willy Tarreau wrote:
Hello Aurélien,

On Mon, Mar 05, 2018 at 03:34:11PM +0100, Aurélien Nephtali wrote:
Hello,

I'm working on a feature to add or delete SSL certificates without
reloading HAProxy and I'm facing a problem regarding the way to feed
the new certificates to the admin socket.

The certificates contain \n so the parser will trip on them and
incorrectly process the command.

Those are my ideas so far:

     - base64 the certificate content,
     - add a binary protocol to the socket to handle this special case
(intrusive, not the best idea),
     - add support for quotes.

(some months ago there was also an idea in
https://www.mail-archive.com/haproxy@formilux.org/msg23857.html)

What would be the best/upstreamable way to do ?
I tend to think (first idea out of my head) that for such file types,
we could very well consider that the command reads multiple lines and
stops at the first empty line. That's very convenient to use in scripts
and even by hand in copy-paste sessions. It would work with almost all
of the data types we have to feed via the CLI, including the maps/acls.

And a script writing there would just have to run grep -v "^$" to be
safe, which is pretty easy.

In fact that's already the format used for the output: the output of
each command is defined as running till the first empty line.

I also thought about escaping end of lines with a backslash but that
becomes very painful to place in scripts.

Just my two cents, I'm also interested in people's ideas regarding this.

Thanks,
Willy

I would think the OCSP update already does something similar with base64. That would be usable for other binary files as well? Though I guess .pem is kind of readable already and not a binary file... Unless perhaps support for pfx files would get added some day? AFAIK those are in binary format.

root@server:/etc/haproxy# echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 /etc/haproxy/star_mydomain_com.crt.ocsp)" | socat stdio unix-connect:/run/haproxy/admin.sock
OCSP Response updated!

Not that I have a strong preference, but IMHO it would be nice to keep the way to call similar commands the same.

Regards,

PiBa-NL (Pieter)
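As an added illustration of the two approaches discussed in this thread (this is example code written for this page, not code from HAProxy or from any of the posters), the following Python models both sides of the admin socket: a client that either sends a blank-line-terminated multi-line payload with empty lines stripped (Willy's proposal, with the grep -v "^$" step built in) or a single base64 line as the ocsp-response command already does (Pieter's point), and a server-side reader that handles both. The "set ssl cert" command name and the PEM-shaped sample are constructed for the example; they are not an existing HAProxy command or real certificate material. It also shows why a raw PEM breaks a purely line-oriented parser.

```python
import base64
from typing import List, Tuple

# Constructed sample payload: PEM-shaped text with a stray blank line in it.
# It is NOT a real certificate, only something with the same line structure.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUExampleOnlyNotARealCert0000000000=\n"
    "\n"
    "-----END CERTIFICATE-----\n"
)

# Hypothetical command prefix for the multi-line case (assumption for this example,
# not an existing HAProxy CLI command).
MULTILINE_COMMANDS = ("set ssl cert",)


def naive_split(stream: str) -> List[str]:
    """How a purely line-oriented CLI sees the input: every non-empty line is a
    separate command. Feeding a raw PEM this way turns one command into several
    bogus ones, which is the problem described at the top of the thread."""
    return [ln for ln in stream.split("\n") if ln != ""]


def encode_multiline(command: str, payload: str) -> str:
    """Client side of the blank-line-terminated proposal: one header line, the
    payload with empty lines removed (what grep -v "^$" does), then a single
    empty line as terminator."""
    body = [ln for ln in payload.splitlines() if ln.strip()]
    return command + "\n" + "\n".join(body) + "\n\n"


def encode_base64(command: str, payload: bytes) -> str:
    """Client side of the base64 variant: one line, no line wrapping
    (the equivalent of base64 -w 0 in the ocsp-response example)."""
    return command + " " + base64.b64encode(payload).decode("ascii") + "\n"


def parse_stream(stream: str) -> List[Tuple[str, str]]:
    """Server side: return (command, payload) pairs. Commands listed in
    MULTILINE_COMMANDS read their payload until the first empty line; every
    other command is a single line with an empty payload."""
    parsed: List[Tuple[str, str]] = []
    lines = stream.split("\n")
    i = 0
    while i < len(lines):
        header = lines[i]
        i += 1
        if header == "":
            continue                      # blank separators between commands
        if not header.startswith(MULTILINE_COMMANDS):
            parsed.append((header, ""))
            continue
        body: List[str] = []
        while i < len(lines) and lines[i] != "":
            body.append(lines[i])
            i += 1
        i += 1                            # consume the terminating empty line
        parsed.append((header, "\n".join(body) + "\n"))
    return parsed


def decode_base64_command(line: str) -> Tuple[str, bytes]:
    """Server side of the base64 variant: the last token is the payload."""
    head, _, b64 = line.strip().rpartition(" ")
    return head, base64.b64decode(b64, validate=True)


if __name__ == "__main__":
    wire = encode_multiline("set ssl cert example.pem", SAMPLE_PEM) + "show info\n"
    for cmd, payload in parse_stream(wire):
        print(repr(cmd), "->", len(payload.splitlines()), "payload line(s)")
    print(decode_base64_command(encode_base64("set ssl ocsp-response", b"constructed")))
```

The stray blank line inside SAMPLE_PEM is deliberate: if a script sends the file as-is, parse_stream stops the payload at that line and then treats "-----END CERTIFICATE-----" as a new command, which is exactly why Willy suggests running the input through grep -v "^$" first; encode_multiline does that stripping so the whole blob arrives as one payload. The base64 path avoids the issue entirely at the cost of readability on the wire.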
