On Fri, 17 May 2019 at 21:15, Tim Düsterhus <t...@bastelstu.be> wrote:
>
> Willy,
>
> On 23.12.18 at 21:20, Moemen MHEDHBI wrote:
> > Hi,
> >
> > The attached patch adds the ssl_sni_check converter which returns true
> > if the sample input string matches a loaded certificate's CN/SAN.
> >
> > This can be useful to check for example if a host header matches a
> > loaded certificate CN/SAN before doing a redirect:
> >
> > frontend fe_main
> >     bind 127.0.0.1:80
> >     bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/
> >     http-request redirect scheme https if !{ ssl_fc } { hdr(host),ssl_sni_check() }
> >
> >
> > This converter may be even more useful when certificates will be
> > added/removed at runtime.
> >
>
> This email serves to bump the patch which appears to have slipped
> through the cracks. For the context see the "Re: Host header and sni
> extension differ" thread.
>
> Best regards
> Tim Düsterhus
>
Definitely thumbs up for this converter.

I've implemented on-the-fly certificate generation for HAProxy with the help of Lua. The converter would help me to reduce or simplify parts of the code and could possibly improve performance.

----------------------------------------------------------------
Best regards / Mit freundlichen Grüßen

Bjoern
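The kind of check the thread describes (does a Host header value match the CN/SAN of a loaded certificate before redirecting to https), as an added example that is not the attached patch or HAProxy code. The name list, the function names and the rule that "*" stands for exactly one left-most label are assumptions made for this sketch.

```c
/* Added illustration, not HAProxy code: decide whether a Host header value
 * is covered by any name (CN/SAN) in a set of loaded certificates. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: lowercase names as found in the loaded certificates. */
static const char *loaded_names[] = { "www.example.com", "*.apps.example.com" };
#define N_NAMES (sizeof(loaded_names) / sizeof(loaded_names[0]))

/* Copy the host part of a Host header into out, lowercased, without any
 * ":port" suffix or trailing dot. Returns 0 on success, -1 if unusable. */
static int normalize_host(const char *hdr, char *out, size_t outlen)
{
    size_t n = strcspn(hdr, ":");   /* IPv6 literals are out of scope here */
    if (n == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)hdr[i]);
    if (out[n - 1] == '.')
        n--;
    out[n] = '\0';
    return n ? 0 : -1;
}

/* Returns 1 if host matches a loaded name exactly, or a "*.suffix" name
 * whose wildcard stands for exactly the left-most label; 0 otherwise. */
int host_has_certificate(const char *host_header)
{
    char host[256];
    if (normalize_host(host_header, host, sizeof(host)) != 0)
        return 0;
    const char *dot = strchr(host, '.');
    for (size_t i = 0; i < N_NAMES; i++) {
        const char *name = loaded_names[i];
        if (strcmp(name, host) == 0)
            return 1;
        if (name[0] == '*' && dot && dot != host && strcmp(name + 1, dot) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "WWW.Example.com:80", "a.apps.example.com", "evil.test" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %d\n", samples[i], host_has_certificate(samples[i]));
    return 0;
}
```

A redirect gated on this result avoids sending clients to an https listener that would answer with a certificate for a different name.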