Add verifyhost parameter to balancermember resource #268
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JAORMX
force-pushed
the
haproxy-verifyhost
branch
2 times, most recently
from
6c72af3
to
27099de
Compare
The verifyhost parameter from haproxy [1] will attempt to match the server's certificate CN or SubjectAltName, and will fail if there is no match. In the balancermember resource, it was added as a boolean, since it's somewhat difficult to add the parameter to the options list, since each hostname in the verifyhost will be different for each of the servers in the server_names list. So, to address this, we now can specify a boolean, and if it's set to true, it will use the host of the specific server line and use it for the verifyhost option. Note that this configuration only works if we are using HAProxy with OpenSSL, and if we set up the 'ssl' and 'verify required' options in the options of the servers. [1] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-verifyhost
JAORMX
force-pushed
the
haproxy-verifyhost
branch
from
27099de
to
2030a99
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The verifyhost parameter from haproxy [1] will attempt to match
the server's certificate CN or SubjectAltName, and will fail if
there is no match.
In the balancermember resource, it was added as a boolean, since it's
somewhat difficult to add the parameter to the options list, since
each hostname in the verifyhost will be different for each of the
servers in the server_names list. So, to address this, we now can
specify a boolean, and if it's set to true, it will use the host of
the specific server line and use it for the verifyhost option.
Note that this configuration only works if we are using HAProxy with
OpenSSL, and if we set up the 'ssl' and 'verify required' options in
the options of the servers.
[1] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-verifyhost