diff options
| author | Christian Breunig <christian@breunig.cc> | 2025-05-04 11:35:33 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2025-05-04 23:38:29 +0200 |
| commit | 59957ad694043f41a7b1e9ee740b19c87f297867 (patch) | |
| tree | bf53840d5fb5636c463ef8df9f8bd4e40d0778ac /data | |
| parent | aff2835d7b6226e4b89f51e3f6133da26f3a07bf (diff) | |
| download | vyos-1x-59957ad694043f41a7b1e9ee740b19c87f297867.tar.gz vyos-1x-59957ad694043f41a7b1e9ee740b19c87f297867.zip | |
haproxy: T7122: always reverse-proxy ACL for certbot
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 400936474..7a6b86c10 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -53,8 +53,8 @@ defaults # Frontend {% if service is vyos_defined %} {% for front, front_config in service.items() %} - {% if front_config.redirect_http_to_https is vyos_defined %} +{% set certbot_backend_name = 'certbot_' ~ front ~ '_backend' %} frontend {{ front }}-http mode http {% if front_config.listen_address is vyos_defined %} @@ -64,19 +64,14 @@ frontend {{ front }}-http {% else %} bind [::]:80 v4v6 {% endif %} -{% if front_config.ssl.acme_certificate is vyos_defined %} acl acme_acl path_beg /.well-known/acme-challenge/ - use_backend certbot_{{ front }}_backend if acme_acl -{% endif %} + use_backend {{ certbot_backend_name }} if acme_acl redirect scheme https code 301 if !acme_acl -{% endif %} -{% if front_config.ssl.acme_certificate is vyos_defined %} -backend certbot_{{ front }}_backend - server fe_{{ front }}_acme 127.0.0.1:65080 +backend {{ certbot_backend_name }} + server acme_{{ front }} 127.0.0.1:{{ get_default_port('certbot_haproxy') }} {% endif %} - frontend {{ front }} {% set ssl_front = [] %} {% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %} |