Re: Haproxy client ip

2018-06-25 Thread Simos Xenitellis
On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves wrote:
> Hi
>
> I am setting up haproxy with keepalived and I need to know if it is possible
> to pass the client IP to the destination log server using haproxy in tcp mode?
>

That can be done with the "proxy protocol". See more at
https://www.haproxy.com/blog/haproxy/proxy-protocol/

Simos
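As an added illustration of the answer above (example code, not from the thread and not part of HAProxy): with `mode tcp` and a `server ... send-proxy` line, HAProxy writes a PROXY protocol v1 header as the first bytes of each connection to the log server, and the log server has to parse that header itself. The parser below does that, and only honours the header when the TCP peer is one of the proxies it trusts, because any other host could send a forged header and have a fake client address logged. The trusted addresses, backend names and the syslog payload are constructed for the example.

```python
import ipaddress

# Added example, not code from the thread or from HAProxy: a receiver-side
# parser for the PROXY protocol v1 header that HAProxy prepends to the TCP
# stream when a "server ... send-proxy" line is used in tcp mode.
# Header layout: "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n",
# at most 107 bytes including the CRLF, and always the first bytes sent.
MAX_V1_HEADER = 107
CRLF = b"\r\n"

# Assumed addresses of the HAProxy/keepalived pair that may assert a client
# address (constructed for this example). Anyone else could forge the header,
# so it is only honoured when the connection comes from one of these peers.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def parse_proxy_v1(data):
    """Split `data` into (header dict, remaining payload bytes).

    Raises ValueError for anything that is not a well-formed v1 header, so the
    caller can drop the connection instead of logging a bogus address.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    end = data.find(CRLF, 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    # UnicodeDecodeError is a subclass of ValueError, so non-ASCII is rejected too.
    fields = data[:end].decode("ascii").split(" ")
    proto = fields[1]
    payload = data[end + len(CRLF):]
    if proto == "UNKNOWN":
        # The sender could not determine the original addresses; the spec allows
        # arbitrary text after UNKNOWN. There is no client address to log.
        return {"proto": "UNKNOWN"}, payload
    if proto not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported protocol or wrong field count: %r" % fields)
    want = 4 if proto == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % proto)
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    header = {"proto": proto, "src": str(src), "dst": str(dst),
              "src_port": ports[0], "dst_port": ports[1]}
    return header, payload


def is_malformed(data):
    """True if parse_proxy_v1 rejects `data` (convenience for callers and tests)."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return True
    return False


def client_ip_for_log(data, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, client_port, payload) to record for this connection.

    Returns None when the TCP peer is not a trusted proxy: the header must be
    ignored and the connection closed rather than trusting a forged address.
    """
    if peer_ip not in trusted_proxies:
        return None
    header, payload = parse_proxy_v1(data)
    if header["proto"] == "UNKNOWN":
        return (peer_ip, None, payload)
    return (header["src"], header["src_port"], payload)


# Constructed sample: what the log server reads from HAProxy, a v1 header
# followed by one syslog line. Addresses are RFC 5737 documentation ranges.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.2 51234 514\r\n"
          b"<14>Jun 25 10:00:00 app1 sshd[42]: Accepted publickey for ops\n")

if __name__ == "__main__":
    print(client_ip_for_log(SAMPLE, "10.0.0.5"))
```

On the HAProxy side the matching configuration is a `mode tcp` backend whose `server` line ends in `send-proxy`; if the receiver is itself HAProxy, `accept-proxy` on its `bind` line does the equivalent of the trust check above, but a plain syslog daemon needs to support the protocol explicitly or the header ends up in the log as garbage.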



Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-15 Thread Simos Xenitellis
On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet <m...@gandi.net> wrote:
> In haproxy 1.8dev, default certificate can now be optional.
> This patch allow that.
>

Thanks Manu for looking into this.

Here is my use-case:

1. A "frontend" would bind on port 80 and then look whether a request
is from Letsencrypt (URL: ~/.well-known/..). That is, an "http-01"
challenge request.
If so, it would forward the connection to a backend that deals with
certificates (that backend initiated this request in the first place).
If it is not an "http-01" challenge request, then it would redirect to https.

2. Another frontend would bind to port 443, and the "bind" line would
have a new keyword like "disable-if-no-certs".
If there are no certs yet installed, haproxy would cancel out the
whole frontend for port 443 and would not bind port 443.


Ideally, this would be implemented cleanly if there was a way to simply specify

use_frontend myhttps if { ssl_certs_exist }

Also, we could then specify to redirect to https (first frontend
earlier) if { ssl_certs_exist }.


For this to work, it would require:

1. Addition of keyword "use_frontend", just like "use_backend" exists.
2. HAProxy should set "ssl_certs_exist" when it loads up, depending on
whether certificates have been found or not.

Simos


>
>> Le 29 mai 2017 à 11:09, Emmanuel Hocdet <m...@gandi.net> a écrit :
>>
>>
>> Hi Simos,
>>
>> The workaround is to have a default (fake) certificate first and use the « 
>> strict-sni » parameter.
>>
>> Manu
>>
>>> Le 22 mai 2017 à 10:28, Simos Xenitellis <simos.li...@googlemail.com> a 
>>> écrit :
>>>
>>> Hi All,
>>>
>>> I am trying to automate some tasks with adding multiple https
>>> (LetsEncrypt) websites,
>>> and using HAProxy as a TLS Termination Proxy.
>>>
>>> The problem is that when you start off with an empty server, there are
>>> no certificates yet,
>>> and it is not possible to have "bind *:443 ssl crt
>>> /etc/haproxy/certs/..." in haproxy.cfg.
>>>
>>> LetsEncrypt can work with http, so it could easily use the "bind *:80"
>>> front-end in the beginning.
>>>
>>> Is there a way to express "If no certificates are found in
>>> /etc/haproxy/certs/, then do not bind *:443"?
>>>
>>> Simos
>>>
>>
>
>



Is it possible to disable SSL if no certificates are found?

2017-05-22 Thread Simos Xenitellis
Hi All,

I am trying to automate some tasks with adding multiple https
(LetsEncrypt) websites,
and using HAProxy as a TLS Termination Proxy.

The problem is that when you start off with an empty server, there are
no certificates yet,
and it is not possible to have "bind *:443 ssl crt
/etc/haproxy/certs/..." in haproxy.cfg.

LetsEncrypt can work with http, so it could easily use the "bind *:80"
front-end in the beginning.

Is there a way to express "If no certificates are found in
/etc/haproxy/certs/, then do not bind *:443"?

Simos
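HAProxy has no `use_frontend` or `ssl_certs_exist` as wished for in the thread, so the decision whether to bind :443 has to be made outside HAProxy, before each reload. The generator below, an added example and not code from the thread or from HAProxy, covers both the original question (do not bind *:443 when /etc/haproxy/certs/ is empty) and the use-case spelled out in the reply (port 80 routes http-01 challenges to the ACME backend, redirects everything else to https, and the redirect and the :443 frontend only appear once a certificate exists). The directory path, the backend names `be_acme` and `be_web`, and the `.pem` naming convention are assumptions; `bind`, `acl path_beg`, `use_backend`, `http-request redirect scheme https`, `ssl crt <dir>` and `strict-sni` are real HAProxy keywords.

```python
import os

# Added example, not code from the thread or from HAProxy: render the frontend
# part of haproxy.cfg so that the :443 frontend and the http->https redirect
# exist only when at least one certificate is present. Run it before every
# reload (e.g. from the ACME client's deploy hook) and write the output to the
# config file; the decision HAProxy cannot make at load time is made here.
CERT_DIR = "/etc/haproxy/certs/"        # assumed certificate directory
ACME_BACKEND = "be_acme"                # assumed backend answering http-01 challenges
WEB_BACKEND = "be_web"                  # assumed backend for real traffic


def find_certs(cert_dir=CERT_DIR):
    """Return the .pem bundles in cert_dir, or [] if the directory is missing."""
    try:
        names = os.listdir(cert_dir)
    except FileNotFoundError:
        return []
    return sorted(n for n in names if n.endswith(".pem"))


def render_config(cert_names, cert_dir=CERT_DIR):
    """Return the frontend sections of haproxy.cfg for the given certificates."""
    have_certs = len(cert_names) > 0
    lines = [
        "frontend fe_http",
        "    bind *:80",
        "    acl is_acme path_beg /.well-known/acme-challenge/",
        "    use_backend %s if is_acme" % ACME_BACKEND,
    ]
    if have_certs:
        # Only redirect to https once something actually listens on 443;
        # before the first certificate is issued, plain http is served.
        lines.append("    http-request redirect scheme https code 301 unless is_acme")
    lines.append("    default_backend %s" % WEB_BACKEND)
    lines.append("")
    if have_certs:
        # "crt <dir>" loads every certificate in the directory (alphabetically,
        # the first one becoming the default) and strict-sni refuses handshakes
        # whose SNI matches none of them, so no site answers for a wrong name.
        lines += [
            "frontend fe_https",
            "    bind *:443 ssl crt %s strict-sni" % cert_dir,
            "    default_backend %s" % WEB_BACKEND,
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(find_certs()))
```

The alternative mentioned in the reply, a placeholder (fake) certificate listed first together with `strict-sni`, avoids regenerating the config at all: :443 is always bound, and with `strict-sni` the placeholder is never served to a client whose SNI does not match a real certificate. The generator approach instead guarantees that nothing listens on 443 until a real certificate exists, which is what the original question asked for.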