summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex W <embezzle.dev@proton.me>2024-04-15 18:23:05 +0100
committerAlex W <embezzle.dev@proton.me>2024-04-15 19:22:05 +0100
commitaafe22d08bb38a579dd5075fd27a1b88beeca791 (patch)
tree13c3b82e730e181b89e947a6b7e449b5674578ab
parentf3d45223da40ea615d8b4ea73ec902462e3cebb4 (diff)
downloadvyos-1x-aafe22d08bb38a579dd5075fd27a1b88beeca791.tar.gz
vyos-1x-aafe22d08bb38a579dd5075fd27a1b88beeca791.zip
T6242: load-balancing reverse-proxy: Ability for ssl backends to not verify server certificates
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j22
-rw-r--r--interface-definitions/load-balancing_reverse-proxy.xml.in6
-rwxr-xr-xsmoketest/scripts/cli/test_load-balancing_reverse-proxy.py18
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py4
4 files changed, 29 insertions, 1 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 849cef74d..feb10d247 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -150,7 +150,7 @@ backend {{ back }}
{% endfor %}
{% endif %}
{% if back_config.server is vyos_defined %}
-{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
+{% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %}
{% for server, server_config in back_config.server.items() %}
server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
{% endfor %}
diff --git a/interface-definitions/load-balancing_reverse-proxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in
index 2c2742dff..49d1d858e 100644
--- a/interface-definitions/load-balancing_reverse-proxy.xml.in
+++ b/interface-definitions/load-balancing_reverse-proxy.xml.in
@@ -157,6 +157,12 @@
</properties>
<children>
#include <include/pki/ca-certificate.xml.i>
+ <leafNode name="no-verify">
+ <properties>
+ <help>Do not attempt to verify SSL certificates for backend servers</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
#include <include/haproxy/timeout.xml.i>
diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
index 97304da8b..d21fc762b 100755
--- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
+++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
@@ -280,6 +280,24 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'ca-certificate', 'smoketest'])
self.cli_commit()
+ def test_04_lb_reverse_proxy_backend_ssl_no_verify(self):
+ # Setup base
+ self.configure_pki()
+ self.base_config()
+
+ # Set no-verify option
+ self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'no-verify'])
+ self.cli_commit()
+
+ # Test no-verify option
+ config = read_file(HAPROXY_CONF)
+ self.assertIn('server bk-01 192.0.2.11:9090 send-proxy ssl verify none', config)
+
+ # Test setting ca-certificate alongside no-verify option fails, to test config validation
+ self.cli_set(base_path + ['backend', 'bk-01', 'ssl', 'ca-certificate', 'smoketest'])
+ with self.assertRaises(ConfigSessionError) as e:
+ self.cli_commit()
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 694a4e1ea..9f895c4e2 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -84,6 +84,10 @@ def verify(lb):
if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
+ if 'ssl' in back_config:
+ if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']):
+ raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!')
+
for front, front_config in lb['service'].items():
for cert in dict_search('ssl.certificate', front_config) or []:
verify_pki_certificate(lb, cert)