net/haproxy: does not render verify clause correctly on mode TCP with https checks #1761

@cruwe

Description

First and foremost, thank you very much for developing opnsense and its plugins and making it available to the general public.

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

[x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md

[x] I have searched the existing issues and I'm convinced that mine is new.

[x] The title contains the plugin to which this issue belongs

Describe the bug

I noticed the issue on

  • os-haproxy: 2.20,
  • haproxy: 2.0.13 and
  • opnsense: 20.1.2.

For me, this is a "first attempt" at using the haproxy plugin, I do not know if the issue is present on other versions or not.

The use case is as such: Backends (here k8s api server) expose a port (6443) with https. The haproxy should not terminate https, but pass TCP through. The health-check, however, should be http(s) and verify the certificate against a non-public CA.

When in "Real Server -> Edit Server" the checkbox "Verify SSL Certificate" is selected and the corresponding CA is given at "SSL Verify CA", the verify required ca-file clause is not rendered into haproxy.conf unless the checkbox "SSL" is ticked.

When the "SSL"-checkbox is ticked, SSL is terminated at the haproxy instance.

Manually inserting the "Option pass-through" verify required ca-file /etc/ssl/cert.pem renders haproxy.conf correctly.

[screenshot attachment: 200402-cjr--haproxy-ssl-options]

To Reproduce
cf. above

Expected behavior

Naively, I would expect "Verify SSL Certificate" to have an effect even when haproxy is meant to pass TCP through, as I monkey-patched into the haproxy.conf (ab?)using "Options pass-through".

In any case, thank you very much for your effort and your concern. Cheers
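As an added example, not from the issue or the plugin: a hand-written haproxy.conf fragment for the use case described above (TCP pass-through on 6443 with an HTTPS health check validated against a private CA). The server names and addresses, the /healthz path and the timeouts are assumptions; the CA path is the one quoted in the report.

```haproxy
# Added example, not plugin-generated output.
# Assumed values: server names/addresses, /healthz path, timeouts.

defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend k8s_api
    mode tcp
    bind :6443
    default_backend k8s_api_servers

backend k8s_api_servers
    mode tcp
    balance roundrobin
    # The health check is an HTTP request over TLS even though client
    # traffic is proxied as raw TCP.
    option httpchk GET /healthz
    http-check expect status 200
    # check-ssl: TLS is used for the health check only. There is no "ssl"
    # keyword on the server line, so client TLS sessions pass through untouched.
    # verify required + ca-file: the check fails unless the backend's
    # certificate chains to the given CA, so a wrong or spoofed endpoint is
    # marked DOWN instead of receiving traffic.
    server k8s-cp-1 10.0.0.11:6443 check check-ssl verify required ca-file /etc/ssl/cert.pem inter 5s fall 3 rise 2
    server k8s-cp-2 10.0.0.12:6443 check check-ssl verify required ca-file /etc/ssl/cert.pem inter 5s fall 3 rise 2

# For contrast: with the "ssl" keyword instead of "check-ssl", haproxy itself
# originates a TLS connection to the backend for proxied traffic too, which is
# not what a TCP pass-through setup wants.
#   server k8s-cp-1 10.0.0.11:6443 check ssl verify required ca-file /etc/ssl/cert.pem
```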

Labels

feature (Adding new functionality)
