On 11/29/21 09:56, Christian Ruppert wrote:
Hey, we have something like:

    server maint 192.168.70.98:80 weight 1 backup non-stick
    default-server check maxconn 100 ssl verify required sni str(somestr) ca-file /etc/ssl/certs/ca-certificates.crt observe layer7
    server s200010 192.168.200.10:8443 cookie somecookie weight 100 check addr 127.0.0.1 port 62041 check inter 10000 fall 2 rise 2
    ...

In 2.2 (2.2.17) it is totally valid and the stats say the "maint" is still "no check". In 2.4.9 the config verify fails. In 2.2 it seems to only affect servers below default-server.

    [ALERT] (23456) : Proxy '...', server 'maint' [/etc/haproxy/haproxy.cfg:104096] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.

We're using templates and share the maint server with several hundred other listeners/backends. Only 5 are using a config like this here, with SSL and verify. Another problem here seems to be: "verify is enabled by default but no CA file specified" while in fact it is? Is this intended?
Indeed. The change was introduced by the commit f63704488e ("MEDIUM: cli/ssl: configure ssl on server at runtime"). During the post-parsing stage, when the configuration is validated, we rely on the last "default-server" line parsed in the backend section to finalize the SSL configuration of servers in this backend. It is of course a bug. We may probably rely on a flag instead. I'll investigate.
Thanks! -- Christopher Faulet
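To make the scoping rule behind the exchange concrete, here is a small Python model added for this page (it is not HAProxy's own parser and is not code from either participant). It takes the backend from the report, re-assembled on separate lines with the elided lines dropped, and computes each server's effective settings under two rules: the documented one, where a `default-server` line applies only to the `server` lines that follow it (what 2.2 does), and a model of the 2.4.9 post-parse behaviour described in the reply, where the last `default-server` line in the section is consulted for every server. How exactly the last default-server line is consulted is an assumption: the model takes the `ssl` and `verify` switches from it while leaving `ca-file` as whatever the server got at parse time, because that is the simplest mechanism that produces "verify is enabled by default but no CA file specified" for a server that never asked for SSL and whose default-server line does carry a `ca-file`. The check itself is the one the ALERT states (SSL server, verification not `none`, no CA file), with `verify` defaulting to `required` as the HAProxy docs say. The backend name `bk_example` and the `WORKAROUND_BACKEND` variant (the explicit `verify none` the ALERT text proposes) are also constructed here.

```python
"""Model of `default-server` scoping in one HAProxy backend section.

Illustrative model written for this page; NOT HAProxy's parser or source.
The `last_default_wins=True` branch is an assumption about the 2.4.9
mechanism that is consistent with the symptom in the report.
"""
import shlex

# Constructed sample: the backend from the report, one directive per line.
SAMPLE_BACKEND = """\
backend bk_example
    server maint 192.168.70.98:80 weight 1 backup non-stick
    default-server check maxconn 100 ssl verify required sni str(somestr) ca-file /etc/ssl/certs/ca-certificates.crt observe layer7
    server s200010 192.168.200.10:8443 cookie somecookie weight 100 check addr 127.0.0.1 port 62041 check inter 10000 fall 2 rise 2
"""

# The stopgap the ALERT message itself suggests: an explicit 'verify none'
# on the plain-HTTP maint server line (constructed variant).
WORKAROUND_BACKEND = SAMPLE_BACKEND.replace(
    "backup non-stick", "backup non-stick verify none")

# Server keywords that take one argument; anything else is treated as a flag.
ARG_KEYWORDS = {"weight", "maxconn", "verify", "sni", "ca-file", "observe",
                "cookie", "addr", "port", "inter", "fall", "rise"}


def parse_options(tokens):
    """Turn 'weight 1 backup ssl verify required' into a dict."""
    opts = {}
    i = 0
    while i < len(tokens):
        kw = tokens[i]
        if kw in ARG_KEYWORDS and i + 1 < len(tokens):
            opts[kw] = tokens[i + 1]
            i += 2
        else:
            opts[kw] = True
            i += 1
    return opts


def parse_backend(text):
    """Return entries in declaration order:
    ('default-server', opts) or ('server', name, own_opts)."""
    entries = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] == "backend":
            continue
        if tokens[0] == "default-server":
            entries.append(("default-server", parse_options(tokens[1:])))
        elif tokens[0] == "server":
            # server <name> <addr[:port]> [options...]
            entries.append(("server", tokens[1], parse_options(tokens[3:])))
    return entries


def effective_settings(entries, last_default_wins=False):
    """Map server name -> effective options.

    last_default_wins=False: a server inherits from the default-server line
    that precedes it (documented scoping; what 2.2 does).
    last_default_wins=True: assumed 2.4.9 post-parse model: `ssl`/`verify`
    come from the LAST default-server in the section unless the server line
    set them itself, while `ca-file` stays whatever parse time gave it.
    """
    defaults = {}
    servers = {}  # name -> (options inherited at parse time, own options)
    for entry in entries:
        if entry[0] == "default-server":
            defaults = entry[1]
        else:
            _, name, own = entry
            servers[name] = (dict(defaults), own)
    last_defaults = defaults
    result = {}
    for name, (inherited, own) in servers.items():
        opts = {**inherited, **own}
        if last_default_wins:
            for key in ("ssl", "verify"):
                if key in last_defaults and key not in own:
                    opts[key] = last_defaults[key]
        result[name] = opts
    return result


def verify_alerts(settings):
    """The rule behind the ALERT: an SSL server whose verification is not
    'none' must have a CA file. 'verify' defaults to 'required' when unset.
    Returns the names of servers that would trigger the alert."""
    return [name for name, opts in settings.items()
            if opts.get("ssl")
            and opts.get("verify", "required") != "none"
            and "ca-file" not in opts]


def check_backend(text, last_default_wins=False):
    """Parse a backend and return the servers that would be flagged."""
    return verify_alerts(
        effective_settings(parse_backend(text), last_default_wins))


if __name__ == "__main__":
    print("documented scoping:", check_backend(SAMPLE_BACKEND))
    print("last default-server wins:", check_backend(SAMPLE_BACKEND, True))
    print("with 'verify none' on maint:", check_backend(WORKAROUND_BACKEND, True))
```

Under the documented rule `maint` never becomes an SSL server, so nothing is flagged; under the last-default-server model it picks up `ssl` and `verify required` without a `ca-file` of its own, which is exactly the alert in the report, while `s200010` is fine because it inherited the `ca-file` at parse time. The `verify none` variant shows why the ALERT's suggested stopgap silences the message even though it says nothing about the underlying scoping bug.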

