From d575ce3cc2163eaa851e1909ad74e96a7f00c208 Mon Sep 17 00:00:00 2001 From: Alex W Date: Sun, 26 May 2024 21:50:01 +0100 Subject: reverse-proxy: T6402: Fix invalid checks in validation script (cherry picked from commit d4d70929a81b2ee1f66a9412a3545911b3874a62) --- src/conf_mode/load-balancing_reverse-proxy.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py index a4efb1cd8..b6db110ae 100755 --- a/src/conf_mode/load-balancing_reverse-proxy.py +++ b/src/conf_mode/load-balancing_reverse-proxy.py @@ -88,22 +88,22 @@ def verify(lb): if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf): raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"') + if 'ssl' in back_config: + if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']): + raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!') + # Check if http-response-headers are configured in any frontend/backend where mode != http for group in ['service', 'backend']: for config_name, config in lb[group].items(): if 'http_response_headers' in config and ('mode' not in config or config['mode'] != 'http'): raise ConfigError(f'{group} {config_name} must be set to http mode to use http_response_headers!') - if 'ssl' in back_config: - if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']): - raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!') - for front, front_config in lb['service'].items(): for cert in dict_search('ssl.certificate', front_config) or []: verify_pki_certificate(lb, cert) for back, back_config in lb['backend'].items(): - tmp = dict_search('ssl.ca_certificate', front_config) + tmp = dict_search('ssl.ca_certificate', back_config) if tmp: verify_pki_ca_certificate(lb, tmp) -- cgit v1.2.3