Hello Ben,
On Wed, 3 Nov 2021 at 12:55, Ben Hart <[email protected]> wrote:
>
> Thanks again Lukas!
> So the server directive's use of a cert or CA file is only to
> verify the identity of the server in question.
No, "crt" (a certificate including private key) and "ca-file" (the
public certificate of a CA) are two completely different things (see
below).
> So the SSL crt specified in the frontend, does that secure only the connection
> to Haproxy
"Secure" is the wrong word. It authenticates the server to the far end
client connecting to port 443 on haproxy. It has nothing to do with
backend traffic.
>or is it passed-through to the server connection as well? I might be
>misunderstanding how this part of Haproxy works fundamentally...
No, there is nothing passing-through to the backend/backend-servers.
CA (as in "ca-file") means Certificate authority (a public key of the
CA certificate), and it is required to verify the certificate on the
other side:
- for the frontend this is required when you are using client
certificate authentication (you are not)
- for the backend this means that this CA is used to verify the
server's certificate
Certificate (as in "crt") is a certificate including a private key,
and is therefore for the *local* certificate:
- for the frontend this is about the standard server certificate that
haproxy responds with on port 443 (the classic SSL configuration)
- for the backend, this is about the case when you need haproxy to
authenticate with a "client" certificate (in this case, haproxy is the
client) against the backend server
In your case, only a certificate ("crt") on the frontend, and a CA
("ca-file") on the backend is necessary, as you are not using mutual
SSL certificate authentication.
Lukas
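The split Lukas describes, written out as an HAProxy configuration. This is an added illustration, not part of the thread or of the HAProxy documentation; all file paths, backend addresses and hostnames are made up. The first frontend/backend pair is the one-way case Ben is in (crt on the bind line, ca-file on the server line); the commented-out pair shows where the directives swap roles under mutual authentication.

```haproxy
# Added example, not from the original thread. Paths and hosts are invented.

global
    # Refuse pre-TLS1.2 handshakes towards backends (HAProxy 1.8+ syntax).
    ssl-default-server-options ssl-min-ver TLSv1.2

frontend https_in
    # "crt": HAProxy's *own* certificate plus private key, presented to
    # clients connecting to port 443. It never reaches the backend.
    bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem
    default_backend app_servers

backend app_servers
    # Re-encrypt to the backend. "ca-file" is the CA that signed the backend
    # server's certificate; "verify required" makes HAProxy actually check it.
    # "sni" sends the expected name in the handshake and "verifyhost" checks
    # the certificate against it, so a chain-valid cert for another host fails.
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem sni str(app1.internal.example) verifyhost app1.internal.example

# Weak variant, for contrast only: traffic is encrypted but the far end is
# never authenticated, so anything that can receive the connection can
# impersonate app1.
#   server app1 10.0.0.11:8443 ssl verify none

# The mutual-authentication case Ben is *not* in:
#
# frontend https_mtls
#     # "ca-file" on a bind line: the CA used to verify *client* certificates.
#     bind *:8443 ssl crt /etc/haproxy/certs/www.example.com.pem verify required ca-file /etc/haproxy/ca/client-ca.pem
#
# backend app_servers_mtls
#     # "crt" on a server line: HAProxy's *client* certificate plus key, used
#     # to authenticate HAProxy to a backend that demands mTLS.
#     server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem crt /etc/haproxy/certs/haproxy-client.pem
```

A practical check: run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing. If a server line has `ssl` but no `ca-file`, HAProxy warns that verification is enabled but no CA file is specified, which is the sign that the backend certificate is not really being validated.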