[PATCH 0/2] openssl 1.1 async mode and engine support

2017-01-13 Thread Grant Zhang
Hi list,

This is to request comments regarding the support of openssl 1.1 async mode and
async-capable engine.

openssl s_time utility is used to compare the performance:
#> openssl s_time -new -cipher ECDHE-RSA-AES128-GCM-SHA256 -nbio

With a single haproxy process:
  software only: ~500 connections per second
  Intel QAT engine[1] and async mode on: ~2000 connections per second

Your feedback and comments are greatly appreciated.

Thanks,

Grant

[1] Intel QAT openssl engine: https://github.com/01org/QAT_Engine

Grant Zhang (2):
  RFC: add openssl engine support
  RFC: add openssl async support

 include/common/epoll.h |   2 +
 include/proto/fd.h |   8 +++
 include/proto/ssl_sock.h   |   2 +
 include/types/connection.h |   2 +
 include/types/fd.h |   1 +
 include/types/global.h |   2 +
 src/cfgparse.c |  31 ++
 src/ev_epoll.c |  11 
 src/fd.c   |  13 +
 src/haproxy.c  |   4 ++
 src/ssl_sock.c | 142 +
 11 files changed, 218 insertions(+)

-- 
1.9.1




[PATCH 2/2] RFC: add openssl async support

2017-01-13 Thread Grant Zhang
ssl_async is a global configuration parameter which enables asynchronous
processing in OPENSSL for all SSL connections haproxy handles. With
SSL_MODE_ASYNC mode set, TLS I/O operations may indicate a retry with
SSL_ERROR_WANT_ASYNC if an asynchronous capable engine is used to
perform cryptographic operations.
---
 include/common/epoll.h |   2 +
 include/proto/fd.h |   8 
 include/types/connection.h |   2 +
 include/types/fd.h |   1 +
 include/types/global.h |   1 +
 src/cfgparse.c |  10 +
 src/ev_epoll.c |  11 +
 src/fd.c   |  13 ++
 src/haproxy.c  |   1 +
 src/ssl_sock.c | 104 +
 10 files changed, 153 insertions(+)

diff --git a/include/common/epoll.h b/include/common/epoll.h
index cc395cd..dd1c7d6 100644
--- a/include/common/epoll.h
+++ b/include/common/epoll.h
@@ -70,6 +70,8 @@ struct epoll_event {
} data;
 };
 
+int remove_fd_from_epoll(int fd);
+
 #if defined(CONFIG_HAP_LINUX_VSYSCALL) && defined(__linux__) && 
defined(__i386__)
 /* Those are our self-defined functions */
 extern int epoll_create(int size);
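Review bot: declaring remove_fd_from_epoll() in include/common/epoll.h ties its caller (the SSL async path, per the cover letter) to the epoll poller, and haproxy builds using another poller would have a declaration with no definition; consider exposing the removal through the generic fd layer (next to fd_async_delete() in include/proto/fd.h) so the poller stays a runtime choice as elsewhere. A short comment on what the return value means would also help.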
diff --git a/include/proto/fd.h b/include/proto/fd.h
index 87309bf..922fee5 100644
--- a/include/proto/fd.h
+++ b/include/proto/fd.h
@@ -40,6 +40,7 @@ extern int fd_nbupdt;   // number of updates in 
the list
  * The file descriptor is also closed.
  */
 void fd_delete(int fd);
+void fd_async_delete(int fd);
 
 /* disable the specified poller */
 void disable_poller(const char *poller_name);
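Review bot: the new fd_async_delete() prototype needs its own comment; the comment immediately above belongs to fd_delete() and ends with "The file descriptor is also closed.", which is exactly the open question for an engine-owned async fd (is it closed, or only unregistered from polling?), so spell that out here.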
@@ -339,6 +340,13 @@ static inline void fd_insert(int fd)
maxfd = fd + 1;
 }
 
+/* Prepares async  for being polled */
+static inline void fd_async_insert(int fd)
+{
+   fdtab[fd].state = 0;
+   fdtab[fd].async = 1;
+   fd_insert(fd);
+}
 
 #endif /* _PROTO_FD_H */
 
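Review bot: fd_async_insert() sets fdtab[fd].async = 1 but nothing in this patch clears the bit when the fd number is later reused by an ordinary socket; either fd_insert() should reset it or fd_async_delete() must clear it, otherwise a plain connection landing on the same fd number would be treated as an async SSL fd. Also the comment reads "Prepares async  for being polled" (missing "fd").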
diff --git a/include/types/connection.h b/include/types/connection.h
index 8b732ff..3233f25 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -288,6 +288,8 @@ struct connection {
struct sockaddr_storage from;   /* client address, or address 
to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the 
client, or address to connect to */
} addr; /* addresses of the remote side, client for producer and server 
for consumer */
+
+   OSSL_ASYNC_FD async_fd;
 };
 
 /* proxy protocol v2 definitions */
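Review bot: OSSL_ASYNC_FD is an OpenSSL type, yet the field is added to struct connection unconditionally, so builds without USE_OPENSSL will not have the type. Wrap it in #ifdef USE_OPENSSL as the ssl_async field in include/types/global.h is, and give it a trailing comment like the surrounding members.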
diff --git a/include/types/fd.h b/include/types/fd.h
index 7f63093..f3d03f8 100644
--- a/include/types/fd.h
+++ b/include/types/fd.h
@@ -100,6 +100,7 @@ struct fdtab {
unsigned char updated:1; /* 1 if this fd is already in the 
update list */
unsigned char linger_risk:1; /* 1 if we must kill lingering 
before closing */
unsigned char cloned:1;  /* 1 if a cloned socket, requires 
EPOLL_CTL_DEL on close */
+   unsigned char async:1;   /* 1 if this fd is async ssl fd */
 };
 
 /* less often used information */
diff --git a/include/types/global.h b/include/types/global.h
index 9a6e2c9..37727b9 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -85,6 +85,7 @@ struct global {
char *crt_base; /* base directory path for certificates */
char *ca_base;  /* base directory path for CAs and CRLs */
char *ssl_engine;   /* openssl engine to use */
+   int ssl_async;  /* whether we use ssl async mode */
 #endif
int uid;
int gid;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index f8ad855..7eb0593 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -652,6 +652,16 @@ int cfg_parse_global(const char *file, int linenum, char 
**args, int kwm)
goto out;
 #endif
}
+   else if (!strcmp(args[0], "ssl_async")) {
+#ifdef USE_OPENSSL
+   global.ssl_async = 1;
+   qfprintf(stdout, "parsing [%s:%d] : turns on SSL async 
mode.\n", file, linenum);
+#else
+   Alert("parsing [%s:%d] : ssl_async is not implemented.\n", 
file, linenum);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto out;
+#endif
+   }
else if (!strcmp(args[0], "daemon")) {
if (alertif_too_many_args(0, file, linenum, args, _code))
goto out;
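Review bot: the ssl_async branch does not reject extra arguments, unlike the neighbouring "daemon" keyword which calls alertif_too_many_args(0, ...) first; add the same check. It also enables async mode without checking that an engine was configured; a note in the parser (or in the keyword's documentation) that ssl_async only has an effect together with an async-capable ssl_engine would avoid a silent no-op.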
diff --git a/src/ev_epoll.c b/src/ev_epoll.c
index ccb7c33..27d630e 100644
--- a/src/ev_epoll.c
+++ b/src/ev_epoll.c
@@ -41,6 +41,17 @@ static struct epoll_event ev;
 #define EPOLLRDHUP 0x2000
 #endif
 
+int remove_fd_from_epoll(int fd)
+{
+   struct epoll_event ee;
+   int ret;
+
+   ee.events = 0;
+   ee.data.ptr = NULL;
+   ret = epoll_ctl(epoll_fd, EPOLL_CTL_DEL, fd, );
+   return ret;
+}
+
 /*
  * Immediately remove file descriptor from epoll set upon close.
  * Since we forked, some fds share inodes with the other process, and 
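Review bot: the epoll_ctl() call in remove_fd_from_epoll() arrives with an empty event argument (`ret = epoll_ctl(epoll_fd, EPOLL_CTL_DEL, fd, );`), most likely `&ee` lost in transit, but please double-check the posted patch. Either way, the only reason ee exists is that kernels before 2.6.9 reject a NULL event on EPOLL_CTL_DEL, which deserves a comment, and the ret variable can go in favour of returning epoll_ctl() directly. The comment just below ("Immediately remove file descriptor from epoll set upon close") suggests an existing routine already does EPOLL_CTL_DEL; consider sharing that code instead of adding a second copy.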

[PATCH 1/2] RFC: add openssl engine support

2017-01-13 Thread Grant Zhang
Global configuration parameter "ssl_engine" may be used to specify
openssl engine.
---
 include/proto/ssl_sock.h |  2 ++
 include/types/global.h   |  1 +
 src/cfgparse.c   | 21 +
 src/haproxy.c|  3 +++
 src/ssl_sock.c   | 38 ++
 5 files changed, 65 insertions(+)

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index cb9a1e9..18c220b 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -76,6 +76,8 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct 
bind_conf *bind_co
 int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct 
bind_conf *bind_conf);
 unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
 
+void ssl_init_engine(const char *engine_id);
+
 #endif /* _PROTO_SSL_SOCK_H */
 
 /*
diff --git a/include/types/global.h b/include/types/global.h
index b32a09f..9a6e2c9 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -84,6 +84,7 @@ struct global {
 #ifdef USE_OPENSSL
char *crt_base; /* base directory path for certificates */
char *ca_base;  /* base directory path for CAs and CRLs */
+   char *ssl_engine;   /* openssl engine to use */
 #endif
int uid;
int gid;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index ec8f6a1..f8ad855 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -589,6 +589,27 @@ int cfg_parse_global(const char *file, int linenum, char 
**args, int kwm)
alertif_too_many_args(0, file, linenum, args, _code);
goto out;
}
+   else if (!strcmp(args[0], "ssl_engine")) {
+#ifdef USE_OPENSSL
+   if (global.ssl_engine != NULL) {
+   Alert("parsing [%s:%d] : '%s' already specified. 
Continuing.\n", file, linenum, args[0]);
+   err_code |= ERR_ALERT;
+   goto out;
+   }
+   if (*(args[1]) == 0) {
+   Alert("parsing [%s:%d] : '%s' expects a valid engine 
name as an argument.\n", file, linenum, args[0]);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto out;
+   }
+   qfprintf(stdout, "parsing [%s:%d] : set ssl_engine to '%s'.\n", 
file, linenum, args[1]);
+   global.ssl_engine = strdup(args[1]);
+   ssl_init_engine(global.ssl_engine);
+#else
+   Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, 
linenum, args[0]);
+   err_code |= ERR_ALERT | ERR_FATAL;
+   goto out;
+#endif
+   }
else if (!strcmp(args[0], "ca-base")) {
 #ifdef USE_OPENSSL
if(alertif_too_many_args(1, file, linenum, args, _code))
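Review bot: ssl_init_engine() is called from inside the config parser and (see the src/ssl_sock.c hunk) exit()s when the engine id is unknown, so a typo in ssl_engine kills the process without going through the err_code/ERR_FATAL path every other keyword in this function uses, and a plain configuration check would load and initialise the engine; defer the initialisation to post-config and report failure through err_code. Two smaller points: this branch lacks the alertif_too_many_args(1, ...) check that "ca-base" performs right below, and the keyword uses an underscore whereas the neighbouring keywords (ca-base, crt-base) use dashes.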
diff --git a/src/haproxy.c b/src/haproxy.c
index 5d7d410..69a4551 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1656,6 +1656,9 @@ void deinit(void)
ha_wurfl_deinit();
 #endif
 
+#ifdef USE_OPENSSL
+   free(global.ssl_engine);global.ssl_engine = NULL;
+#endif
free(global.log_send_hostname); global.log_send_hostname = NULL;
chunk_destroy(_tag);
free(global.chroot);  global.chroot = NULL;
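Review bot: style nit in the deinit() hunk: `free(global.ssl_engine);global.ssl_engine = NULL;` is missing the space after the semicolon that the neighbouring lines have. Functionally, freeing the name is fine, but nothing here releases the engine that was set as default at startup; if the patch relies on OpenSSL 1.1 cleaning engines up automatically at exit, say so in a comment.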
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index baaa0a1..0b3cee5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,8 @@
 #include 
 #include 
 
+#include 
+
 #include 
 #include 
 #include 
@@ -228,6 +230,42 @@ static forceinline void ssl_sock_dump_errors(struct 
connection *conn)
}
 }
 
+static ENGINE *engine;
+
+void ssl_init_engine(const char *engine_id)
+{
+   OpenSSL_add_all_algorithms();
+   ENGINE_load_builtin_engines();
+   RAND_set_rand_method(NULL);
+
+   /* grab the structural reference to the engine */
+   engine = ENGINE_by_id(engine_id);
+   if (engine  == NULL) {
+   Alert("Engine %s: failed to get structural reference\n", 
engine_id);
+   exit(-1);
+   }
+
+   if (!ENGINE_init(engine)) {
+   /* the engine couldn't initialise, release it */
+   Alert("Engine %s: failed to initialize\n", engine_id);
+   ENGINE_free(engine);
+   return;
+   }
+
+   if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
+   Alert("Engine %s: ENGINE_set_default failed\n", engine_id);
+   ENGINE_finish(engine);
+   ENGINE_free(engine);
+   return;
+   }
+
+   /* release the functional reference from ENGINE_init() */
+   ENGINE_finish(engine);
+
+   /* release the structural reference from ENGINE_by_id() */
+   ENGINE_free(engine);
+}
+
 /*
  *  This function returns the number of seconds  elapsed
  *  since the Epoch, 1970-01-01 00:00:00 + (UTC) and the
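Review bot: failure handling in ssl_init_engine() is inconsistent: an unknown engine id calls exit(-1), whereas ENGINE_init() or ENGINE_set_default() failing only logs an Alert and returns, so haproxy then runs with software crypto even though the configuration asked for the engine. For a setting that changes which code performs the TLS crypto, all three cases should fail the same way, preferably by returning an error that the config parser turns into ERR_FATAL rather than calling exit() from library-level code. Also, `engine` is a file-scope static left pointing at a structure whose last reference this function releases with ENGINE_free(); unless a later hunk reuses it, make it a local so nobody can dereference a freed engine. Minor: `engine  == NULL` has a double space.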
-- 
1.9.1




Re: Reverse proxy settings

2017-01-13 Thread Thierry
Hello Aaron,

I have modified it, now I do have:
This is now working :)

Thx a lot ...

On Friday 13 January 2017 at 20:18:13, you wrote:

> Hi Thierry,
>
> You need to add "ssl" to the server line, probably "ssl verify none" if you don't need it to check validity of the backend cert.
>
> So :
>
> backend https-in
>         mode http
>         option httplog
>         option forwardfor
>         http-request set-header X-Forwarded-Port %[dst_port]
>         http-request add-header X-Forwarded-Proto https if { ssl_fc }
>         option httpchk HEAD / HTTP/1.1\r\nHost:localhost
>         option http-server-close
>         server node0 ip_web_server:443 ssl verify none
>
> Aaron West
>
> Loadbalancer.org Limited
> +44 (0)330 380 1064
> www.loadbalancer.org

-- 
Regards,
 Thierry                            e-mail : lenai...@maelenn.org




Re: Reverse proxy settings

2017-01-13 Thread Aaron West
Hi Thierry,

You need to add "ssl" to the server line, probably "ssl verify none" if you
don't need it to check validity of the backend cert.

So :

backend https-in
mode http
option httplog
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
option http-server-close
server node0 ip_web_server:443 ssl verify none

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org
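An added example, not part of Aaron's or Thierry's posts, showing the backend from this thread in two forms: the quick fix with `verify none`, which encrypts the hop to the web server but accepts whatever certificate it presents, and a form that checks the backend certificate against a CA file and the expected name. The CA file path and the backend hostname are assumptions.

```haproxy
# Added example, not from the thread. The ca-file path and the
# web.example.internal name are placeholders; replace them with yours.

frontend https-in
    mode http
    bind :443 ssl crt /etc/ssl/private/full_certs.crt
    option httplog
    default_backend https-in

# Quick fix from the thread: TLS to the backend, certificate not verified.
# This clears the "plain HTTP to an SSL-enabled server port" error, but
# HAProxy will accept any certificate, including one from a box that is
# not the intended web server.
backend https-in-unverified
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # "HEAD / HTTP/1.1": a space between the path and the version is required
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    option http-server-close
    # "check" is what makes option httpchk actually run against node0
    server node0 ip_web_server:443 ssl verify none check

# Verified form: the backend certificate must chain to the CA in ca-file,
# and sni/verifyhost make the check cover the name, not only the chain.
backend https-in
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    option http-server-close
    server node0 ip_web_server:443 ssl verify required \
        ca-file /etc/ssl/certs/backend-ca.pem \
        sni str(web.example.internal) verifyhost web.example.internal check
```

With `verify required`, a backend whose certificate does not validate is reported as DOWN by the health check rather than silently served to clients.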


Reverse proxy settings

2017-01-13 Thread Thierry
Hi,

Still me working around ...
The main target is to send HTTPS requests through my web server
using HAproxy as the frontend.
My web server only accepts HTTPS (443) requests.

My HAproxy config:

Web Server Config

frontend https-in
mode http
bind :443 ssl crt /etc/ssl/private/full_certs.crt
option httplog
default_backend https-in

backend https-in
mode http
option httplog
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
option http-server-close
server node0 ip_web_server:443



When browsing:

Bad request
Your browser sent a request  that this server could 
not understand. Reason: You are speaking plain HTTP to an SSL-enabled 
server port.Instead use the HTTPS scheme to  access this  URL. Please.

Thx for your support.

-- 
Regards,
 Thierry  e-mail : lenai...@maelenn.org
 PGP Key: 0xB7E3B9CD




Re: HTTP 429 Too Many Requests (tarpit deny_status)

2017-01-13 Thread Jarno Huuskonen
Hello,

On Fri, Jun 24, James Brown wrote:
> +1 I am also using a fake backend with no servers and a 503 errorfile, and
> it confuses everybody who looks at the config or the metrics. Being able to
> directly emit a 429 would be fantastic.

This is my first attempt in adding deny_status to:
http-request tarpit [deny_status ]

First patch updates parse_http_req_cond so config parser accepts
[deny_status ] for http-request tarpit (and sets
rule->deny_status).

The second patch updates http_process_req_common/http_process_tarpit to
use deny_status. http_process_tarpit has a switch statement for mapping
txn->status (200<->504) to HTTP_ERR_(enum). Is this reasonable?

Do tarpitted (http-request tarpit / req(i)tarpit) requests always
go thru http_process_req_common (so txn->status is always set to
txn->status = http_err_codes[deny_status]) ?
Or is there a possibility that int deny_status could be overwritten
in http_process_req_common (with multiple deny/block/tarpit rules) ?

Both patches are against 1.7.1, but if this looks otherwise ok then
I can modify the patches against 1.8dev and add missing documentation.

I've used this minimal config for testing:
(missing defaults/global):
frontend test
bind ipv4@127.0.0.1:8080
http-request tarpit deny_status 429 if TRUE
default_backend test_be

frontend test2
bind ipv4@127.0.0.1:8081
http-request tarpit if TRUE
default_backend test_be

frontend test3
bind ipv4@127.0.0.1:8082
reqtarpit . if TRUE
default_backend test_be

backend test_be
server dummy 127.0.0.1:80 id 1

curl -v http://127.0.0.1:8080 should be tarpitted with status 429
and curl -v http://127.0.0.1:8081 (and :8082) with 500.

-Jarno

-- 
Jarno Huuskonen
From 3f82309f1b96330ac75bc53a35b683cdc41ab61d Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen 
Date: Mon, 26 Dec 2016 13:47:30 +0200
Subject: [PATCH] parse_http_req_cond: parse deny_status code for http-request
 tarpit.
To: haproxy@formilux.org

---
 src/proto_http.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index aa8d997..dce1ac7 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -9007,11 +9007,15 @@ struct act_rule *parse_http_req_cond(const char **args, 
const char *file, int li
if (!strcmp(args[0], "allow")) {
rule->action = ACT_ACTION_ALLOW;
cur_arg = 1;
-   } else if (!strcmp(args[0], "deny") || !strcmp(args[0], "block")) {
+   } else if (!strcmp(args[0], "deny") || !strcmp(args[0], "block") || 
!strcmp(args[0], "tarpit")) {
int code;
int hc;
 
rule->action = ACT_ACTION_DENY;
+   if (!strcmp(args[0], "tarpit")) {
+   rule->action = ACT_HTTP_REQ_TARPIT;
+   rule->deny_status = HTTP_ERR_500;
+   }
cur_arg = 1;
 if (strcmp(args[cur_arg], "deny_status") == 0) {
 cur_arg++;
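Review bot: merging "tarpit" into the deny/block branch sets rule->deny_status = HTTP_ERR_500 for tarpit only; the deny/block default (403, going by the warning text in the next hunk) is presumably assigned elsewhere, so please confirm it is still applied now that the branch is shared. The two assignments (rule->action = ACT_ACTION_DENY; then overwriting it inside the if) would read more clearly as one conditional assignment, e.g. `rule->action = !strcmp(args[0], "tarpit") ? ACT_HTTP_REQ_TARPIT : ACT_ACTION_DENY;`.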
@@ -9031,13 +9035,10 @@ struct act_rule *parse_http_req_cond(const char **args, 
const char *file, int li
 }
 
 if (hc >= HTTP_ERR_SIZE) {
-Warning("parsing [%s:%d] : status code %d not 
handled, using default code 403.\n",
-file, linenum, code);
+Warning("parsing [%s:%d] : status code %d not 
handled, using default code %d.\n",
+file, linenum, code, rule->action == 
ACT_ACTION_DENY ? 403: 500);
 }
 }
-   } else if (!strcmp(args[0], "tarpit")) {
-   rule->action = ACT_HTTP_REQ_TARPIT;
-   cur_arg = 1;
} else if (!strcmp(args[0], "auth")) {
rule->action = ACT_HTTP_REQ_AUTH;
cur_arg = 1;
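Review bot: the warning hardcodes the fallback codes (`rule->action == ACT_ACTION_DENY ? 403: 500`), duplicating knowledge of defaults that live elsewhere in the parser; printing http_err_codes[rule->deny_status] would keep the message correct if either default changes, and `403: 500` wants a space before the colon. Dropping the old standalone "tarpit" branch is fine since the merged branch above now handles cur_arg = 1.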
-- 
1.8.3.1

From 25b5e0993e3be2af34b0c3c4957e7ddbae50b8f3 Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen 
Date: Sun, 1 Jan 2017 12:16:44 +0200
Subject: [PATCH] http_process_tarpit: add deny_status code/message.
To: haproxy@formilux.org

---
 src/proto_http.c | 48 
 1 file changed, 44 insertions(+), 4 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index dce1ac7..63277e3 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4347,8 +4347,10 @@ int http_process_req_common(struct stream *s, struct 
channel *req, int an_bit, s
if (txn->flags & TX_CLDENY)
goto deny;
 
-   if (txn->flags & TX_CLTARPIT)
+   if (txn->flags & TX_CLTARPIT) {
+   deny_status = HTTP_ERR_500;
goto tarpit;
+   }
 
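Review bot: setting deny_status = HTTP_ERR_500 only on the TX_CLTARPIT (req(i)tarpit) path bears on the second question in the mail: the http-request tarpit path must also populate deny_status before jumping to the tarpit label, and the variable should be initialised where it is declared so that no path reaches `tarpit:` with a stale value left by an earlier deny rule.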

[PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-13 Thread Emmanuel Hocdet
for 1.8dev



0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch





Re: [PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

2017-01-13 Thread Emmanuel Hocdet

> On 11 Jan 2017 at 11:56, Willy Tarreau wrote:
> 
> Merged in 1.8, thanks Manu. It looks valid even for previous versions
> by the way though not having it there doesn't seem to cause any impact.
> Thus I'll let it cook there and if someone finds a valid reason for
> backporting it we'll do it later.

Indeed. It’s a cleanup for current openssl versions.




Re: How can I change the URI when forwarding to a server

2017-01-13 Thread Jürgen Haas
> You’re looking for http-request with set-uri or set-path +
> set-query: 
> https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4..2-http-request
> 
> 
> -Bryan

This is exactly what I was looking for, thanks a lot.

Jürgen




Re: Add agent-host configuration directive and allow changing it and agent-send via socket/CLI

2017-01-13 Thread Willy Tarreau
Hi Michal,

On Mon, Jan 09, 2017 at 02:00:19PM +0100, Michał wrote:
> Hello!
> It's my first PR to haproxy, so please tell me if anything is still wrong.
> I've read CONTRIBUTING.
> 
> These patches implement the possibility to define a different host (agent-host)
> for agent checks in config, and they also allow changing the agent-host and
> agent-send variables via CLI/socket. We want to use these options to dynamically
> swap backends without reloading haproxy. agent-host will allow us to control the
> weight and status of servers from a single place, so we can enable a server when
> it's ready (warmed) instead of just after the health check passes.

I remember a recent discussion on this subject, I don't remember if it was
here on the list or with Baptiste or someone else, but that's definitely
welcome!

> I think this change isn't touching any
> hot paths and will find adopters,

I think it will be useful to make it easier to control server statuses from
a central place.

> because reloading haproxy with all SSL stuff
> and losing statistics for less dynamic backends is pain.
> 
> In my opinion changes in code don't require any comments. I documented those
> features of course, so everyone can use them.

Indeed, however a short description of the changes in the commit messages
would help. Please keep in mind that merged patches are reviewed again later:
  - when backporting fixes and the rare few minor improvements
  - when bisecting to find the cause of a bug.

In this case it's really important that all the useful information is
visible in the git log to help take the appropriate decision (eg: backport
yes/no, or this is totally unrelated to my problem).

I'd personally prefer if the "agent-host" was renamed to "agent-addr" to
be more consistent with the "addr" parameter we already have for the
checks and which is used at a few places on the CLI. Also in the HTTP
world, "host" is a bit connoted as the string found in the header field
carrying the same name :-)

Otherwise your changes look fine, I'm willing to merge them, I don't
see any risk there.

Thanks!
Willy



Re: [PATCH] BUG/MINOR: stream: Fix how backend-specific analyzers are set, on a stream

2017-01-13 Thread Willy Tarreau
On Thu, Jan 12, 2017 at 05:14:53PM +0100, Willy Tarreau wrote:
> Christopher,
> 
> I suspect that below you spotted a deeper bug which probably also affects
> older versions :

After your explanation I've merged it now and added it to 1.7.

Thanks,
Willy



Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Willy Tarreau
Hi Manu,

On Fri, Jan 13, 2017 at 11:01:14AM +0100, Emmanuel Hocdet wrote:
> 
> This patch implements the ssl bind configuration per certificate.
> It's for 1.8dev.

Now applied with Emeric's blessing, thanks!

Willy



Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Willy Tarreau
On Fri, Jan 13, 2017 at 11:07:02AM +0100, Emmanuel Hocdet wrote:
> 
> This patch implements the 'curves' ssl parameter for bind and crt-list.
> It's for 1.8dev.

Applied as well, thanks!
Willy



Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the 'curves' ssl parameter for bind and crt-list.
It's for 1.8dev.

0001-MINOR-ssl-add-curve-suite-for-ECDHE-negotiation.patch

> On 13 Jan 2017 at 11:01, Emmanuel Hocdet wrote:
> This patch implements the ssl bind configuration per certificate.
> It's for 1.8dev.
> for example:
> haproxy.cfg:
>     bind :443 ssl strict-sni crt-list /etc/haproxy/crtlist.cfg
> crtlist.cfg:
> mycert.pem  [alpn h2,http/1.1]  h2.mydom.net
> mycert.pem  [verify required ca-file ca-admin.pem]   admin.mydom.net
> mycert.pem         # legacy ssl for all others SNI find in CN/SAN in mycert.pem
> othercert.pem   [alpn http/1.1]
> <0001-MAJOR-ssl-bind-configuration-per-certificat.patch>

Re: [DEV] ssl bind_conf per certificat

2017-01-13 Thread Emmanuel Hocdet
This patch implements the ssl bind configuration per certificate.
It's for 1.8dev.
for example:
haproxy.cfg:
    bind :443 ssl strict-sni crt-list /etc/haproxy/crtlist.cfg
crtlist.cfg:
mycert.pem  [alpn h2,http/1.1]  h2.mydom.net
mycert.pem  [verify required ca-file ca-admin.pem]   admin.mydom.net
mycert.pem         # legacy ssl for all others SNI find in CN/SAN in mycert.pem
othercert.pem   [alpn http/1.1]

0001-MAJOR-ssl-bind-configuration-per-certificat.patch