Am Fr., 17. Mai 2019 um 21:15 Uhr schrieb Tim Düsterhus <t...@bastelstu.be>:
>
> Willy,
>
> Am 23.12.18 um 21:20 schrieb Moemen MHEDHBI:
> > Hi,
> >
> > The attached patch adds the ssl_sni_check converter which returns true
> > if the sample input string matches a loaded certificate's CN/SAN.
> >
> > This can be useful to check for example if a host header matches a
> > loaded certificate CN/SAN before doing a redirect:
> >
> > frontent fe_main
> > bind 127.0.0.1:80
> > bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/
> > http-request redirect scheme https if !{ ssl_fc } {
> > hdr(host),ssl_sni_check() }
> >
> >
> > This converter may be even more useful when certificates will be
> > added/removed at runtime.
> >
>
> This email serves to bump the patch which appears to have slipped
> through the cracks. For the context see the "Re: Host header and sni
> extension differ" thread.
>
> Best regards
> Tim Düsterhus
>
Definitely thumbs up for this converter. I've implemented on-the-fly
certificate generation for HAProxy with the help of Lua. The converter
would help me to reduce or simplify parts of the code and could
possible improve performance.
----------------------------------------------------------------
Best regards / Mit freundlichen Grüßen
Bjoern
