Thanks again Lukas! So the server directive's use of a cert or CA file is only
to verify the identity of the server in question. So the SSL crt specified in
the frontend, does that secure only the connection to HAProxy, or is it
passed through to the server connection as well? I might be misunderstanding
how this part of HAProxy works fundamentally...

On 11/3/21, 4:49 AM, "Lukas Tribus" <[email protected]> wrote:

    Hello Ben,


    On Wed, 3 Nov 2021 at 03:54, Ben Hart <[email protected]> wrote:
    >
    > I wonder, can I ask if the server directives are correct insofar as
    > making a secured connection to the backend server entries?
    >
    > I'm told that HAP might be connecting by IP in which case the
    > SSL cert would be useless

    The documentation of the verify keyword in the server section clarifies this:

    http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.2-verify

    "The certificate provided by the server is verified using CAs from 'ca-file'
    and optional CRLs from 'crl-file' after having checked that the names
    provided in the certificate's subject and subjectAlternateNames attributes
    match either the name passed using the "sni" directive, or if not provided,
    the static host name passed using the "verifyhost" directive. When no name
    is found, the certificate's names are ignored. For this reason, without SNI
    it's important to use "verifyhost"."


    Lukas

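The cases the quoted documentation describes, side by side in a configuration fragment. This is an editor's added example, not part of either mail and not taken from the HAProxy documentation; every hostname, address and file path in it is made up. It also shows the frontend side, because the `crt` given on a `bind` line is HAProxy's own server certificate toward the client and is never reused when HAProxy opens its own, separate TLS session to a backend server.

```haproxy
# Client-facing side. The certificate in 'crt' proves HAProxy's identity to
# the browser. It plays no part in the backend connection below, which is a
# second TLS session in which HAProxy is the client.
frontend www
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    default_backend app

backend app
    # 1. Weak: the connection is encrypted, but any certificate is accepted,
    #    so whoever answers on 10.0.0.11:443 is trusted. No authentication.
    server app1 10.0.0.11:443 ssl verify none

    # 2. Incomplete: the chain is checked against ca-file, but HAProxy connects
    #    by IP and neither 'sni' nor 'verifyhost' is set, so the names in the
    #    certificate are ignored. Any certificate issued by this CA, for any
    #    host at all, is accepted.
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem

    # 3. Correct without SNI: chain verified, and the certificate must carry
    #    app3.internal.example in its subject or subjectAltName.
    server app3 10.0.0.13:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem verifyhost app3.internal.example

    # 4. Correct with SNI: the name sent in the SNI extension is also the name
    #    checked against the certificate, so 'verifyhost' is not needed.
    #    crl-file adds revocation checking against the CA's CRL.
    server app4 10.0.0.14:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem crl-file /etc/haproxy/internal-ca.crl sni str(app4.internal.example)
```

`haproxy -c -f <cfg>` only validates syntax; it will accept all four lines. The difference between 2 and 3 shows up at runtime: serve a certificate issued by the same internal CA but for a different hostname on 10.0.0.12 and on 10.0.0.13. app2 keeps passing traffic, app3 refuses the handshake. When `sni` is fed from a request sample rather than a fixed string, remember that the value it yields becomes the verified name, so a fixed `str(...)` is the safer choice where the backend hostname is known.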