<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/load-balancing_haproxy.py, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-05-20T15:18:23+00:00</updated>
<entry>
<title>load-balancing: T7928: Fix port conflict check to respect `listen-address` (#5186)</title>
<updated>2026-05-20T15:18:23+00:00</updated>
<author>
<name>Alexandr K.</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-20T15:18:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d8aab03bc85d9a01289bd400dee256ca8647f032'/>
<id>urn:sha1:d8aab03bc85d9a01289bd400dee256ca8647f032</id>
<content type='text'>
The port availability check in `verify()` was using `front_config.get('address')`
which always resolved to `None`, causing the validator to treat any process
holding a given port number as a conflict regardless of which IP it was
bound to.</content>
</entry>
<entry>
<title>config: T8124: make get_config_dict() pki={} node purely optional</title>
<updated>2025-12-26T11:17:11+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-12-26T11:16:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f2ce2d66537e83b9859d70fea043f82089222104'/>
<id>urn:sha1:f2ce2d66537e83b9859d70fea043f82089222104</id>
<content type='text'>
Automatic parsing and integration of the PKI subsystem into the resulting
config dict is now enabled by passing with_pki=True to get_config_dict().

However, when no PKI configuration is present, the resulting dictionary still
includes an empty PKI key. This is undesirable; we should only include keys in
the dictionary when they contain relevant data.
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
<entry>
<title>haproxy: T7122: add ACME/certbot bootstrap support</title>
<updated>2025-05-05T15:22:57+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-04T20:08:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=59d86826a2ffb2df6a0ce603c879e541a4fe88ba'/>
<id>urn:sha1:59d86826a2ffb2df6a0ce603c879e541a4fe88ba</id>
<content type='text'>
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.

This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
</content>
</entry>
<entry>
<title>haproxy: T7122: always reverse-proxy ACL for certbot</title>
<updated>2025-05-04T21:38:29+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-04T09:35:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=59957ad694043f41a7b1e9ee740b19c87f297867'/>
<id>urn:sha1:59957ad694043f41a7b1e9ee740b19c87f297867</id>
<content type='text'>
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.

This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.

This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.

By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
</content>
</entry>
<entry>
<title>haproxy: T7122: automatically reverse-proxy to certbot</title>
<updated>2025-04-28T20:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-04-28T20:08:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3'/>
<id>urn:sha1:f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3</id>
<content type='text'>
Automatically render HaProxy rules to reverse-proxy ACME challanges when the
requested certificate was issued using ACME.
</content>
</entry>
<entry>
<title>haproxy: T7122: do not use f'ormat strings without variable</title>
<updated>2025-04-28T20:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-04-28T20:08:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6abf68da33aa71913872730e24396f366c4dc9fa'/>
<id>urn:sha1:6abf68da33aa71913872730e24396f366c4dc9fa</id>
<content type='text'>
</content>
</entry>
<entry>
<title>vyos.utils: T7122: fix IPv6 support in check_port_availability()</title>
<updated>2025-04-28T20:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-04-22T14:31:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cbb6c944fea616547cec43f7f1ed6ea3cc4beb54'/>
<id>urn:sha1:cbb6c944fea616547cec43f7f1ed6ea3cc4beb54</id>
<content type='text'>
Commit 4523e9c897b3 ("wireguard: T3763: Added check for listening port
availability") added a function to check if a port is free to use or already
occupied by a different running service. This has been done by trying to bind a
socket to said given port.

Unfortunately there is no support for IPv6 address-fdamily in both
socketserver.TCPServer or socketserver.UDPServer. This must be done manually by
deriving TCPServer and setting self.address_family for IPv6.

The new implementation gets rid of both TCPServer and UDPServer and replaces it
with a simple socket binding to a given IPv4/IPv6 address or any interface/
address if unspecified.

In addition build time tests are added for the function to check for proper
behavior during build time of vyos-1x.
</content>
</entry>
<entry>
<title>haproxy: T7081: Support HTTP compression (#4314)</title>
<updated>2025-01-27T20:57:27+00:00</updated>
<author>
<name>Alex W</name>
<email>embezzle.dev@proton.me</email>
</author>
<published>2025-01-27T20:57:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=85be7579f4e93f9da06b5e8775b5296be953d422'/>
<id>urn:sha1:85be7579f4e93f9da06b5e8775b5296be953d422</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T6745: Rename `reverse-proxy` to `haproxy`</title>
<updated>2024-10-09T13:55:15+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2024-10-09T12:55:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=90a4827284acd3cb072cdfeef323c522802c6449'/>
<id>urn:sha1:90a4827284acd3cb072cdfeef323c522802c6449</id>
<content type='text'>
</content>
</entry>
</feed>
