
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates #3315

Merged
merged 1 commit into from Apr 16, 2024

Conversation

Embezzle
Contributor

Change Summary

Add the ability for the VyOS reverse-proxy to connect via SSL to backends without verifying the certificate of the backend server. Can be used for connecting to backend members which have self-signed certificates.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6242

Related PR(s)

Component(s) name

load-balancing -> reverse-proxy

Proposed changes

How to test

  1. Create a reverse-proxy configuration using the new option:
set load-balancing reverse-proxy backend bk-01 mode 'http'
set load-balancing reverse-proxy backend bk-01 server srv-01 address '192.0.2.12'
set load-balancing reverse-proxy backend bk-01 server srv-01 port '443'
set load-balancing reverse-proxy backend bk-01 ssl no-verify
set load-balancing reverse-proxy service fe-01 backend 'bk-01'
set load-balancing reverse-proxy service fe-01 listen-address '192.0.2.11'
set load-balancing reverse-proxy service fe-01 mode 'http'
set load-balancing reverse-proxy service fe-01 port '80'
  2. Check the HAProxy backend server configuration is showing the correct options:
vyos@vyos:~$ cat /var/run/haproxy/haproxy.cfg | grep "verify none"
    server srv-01 192.0.2.12:443 ssl verify none

Smoketest result

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_load-balancing_reverse-proxy.py
test_01_lb_reverse_proxy_domain (__main__.TestLoadBalancingReverseProxy.test_01_lb_reverse_proxy_domain) ... ok
test_02_lb_reverse_proxy_cert_not_exists (__main__.TestLoadBalancingReverseProxy.test_02_lb_reverse_proxy_cert_not_exists) ...
PKI does not contain any certificates!


Certificate "cert" not found in configuration!

ok
test_03_lb_reverse_proxy_ca_not_exists (__main__.TestLoadBalancingReverseProxy.test_03_lb_reverse_proxy_ca_not_exists) ... ok
test_04_lb_reverse_proxy_backend_ssl_no_verify (__main__.TestLoadBalancingReverseProxy.test_04_lb_reverse_proxy_backend_ssl_no_verify) ... ok

----------------------------------------------------------------------
Ran 4 tests in 17.725s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
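An added example, not part of this PR or of VyOS's own code: an audit check that scans a rendered haproxy.cfg for backend servers that talk TLS to their origin without verifying its certificate, which is exactly the state `ssl no-verify` produces (the proxy will then accept any certificate the far end presents, so an operator wants a list of where that applies). The sample configuration is constructed; only the `server srv-01 192.0.2.12:443 ssl verify none` line mirrors the PR's test output, and the script assumes HAProxy's documented default of `ssl-server-verify required` when that global option is absent.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape VyOS renders; only the srv-01 line is taken
# from the PR's test output, everything else is assumed for illustration.
SAMPLE_CFG = """\
global
    log /dev/log local0

frontend fe-01
    bind 192.0.2.11:80
    default_backend bk-01

backend bk-01
    server srv-01 192.0.2.12:443 ssl verify none

backend bk-02
    server srv-02 192.0.2.13:443 ssl verify required ca-file /etc/ssl/certs/ca.pem
    server srv-03 192.0.2.14:8080
"""


def _verify_option(opts: List[str]) -> Optional[str]:
    """Return the value following a per-server `verify` keyword, if any."""
    if "verify" in opts and opts.index("verify") + 1 < len(opts):
        return opts[opts.index("verify") + 1]
    return None


def unverified_ssl_backends(cfg_text: str) -> List[Dict[str, str]]:
    """List backend servers using `ssl` whose certificate is not verified.

    Flags an explicit `verify none`, or `ssl` with no per-server `verify`
    when the global section sets `ssl-server-verify none` (HAProxy defaults
    to `required` when that global option is absent).
    """
    global_none = bool(re.search(r"^\s*ssl-server-verify\s+none\b", cfg_text, re.M))
    findings: List[Dict[str, str]] = []
    section = ("", "")  # (section keyword, section name)
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0] in ("global", "defaults", "frontend", "backend", "listen"):
            section = (tokens[0], tokens[1] if len(tokens) > 1 else "")
            continue
        if tokens[0] != "server" or section[0] not in ("backend", "listen"):
            continue
        opts = tokens[3:]  # everything after: server <name> <addr:port>
        if "ssl" not in opts:
            continue  # plain TCP/HTTP to the backend, nothing to verify
        verify = _verify_option(opts)
        if verify == "none" or (verify is None and global_none):
            findings.append({"backend": section[1], "server": tokens[1], "address": tokens[2],
                             "reason": "verify none" if verify == "none" else "global ssl-server-verify none"})
    return findings


if __name__ == "__main__":
    for f in unverified_ssl_backends(SAMPLE_CFG):
        print(f"backend {f['backend']} server {f['server']} ({f['address']}): {f['reason']}")
```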

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 15, 2024 18:52
@dmbaturin dmbaturin merged commit c0eec36 into vyos:current Apr 16, 2024
5 checks passed
@dmbaturin
Member

@Mergifyio backport sagitta


mergify bot commented Apr 16, 2024

backport sagitta

✅ Backports have been created
