| author | Daniil Baturin <daniil@vyos.io> | 2025-05-06 15:18:45 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-05-06 15:18:45 +0100 |
| commit | a0805e37e1f3935cb1cb016082797b4e664bb920 (patch) | |
| tree | 04596a066353084bc8920cf6a1e99a5bf830698a /data | |
| parent | 1142072141a73596fc8aa0822e8893274632f202 (diff) | |
| parent | f40cf6064a02fbb6baae924e94b9183d6bd87474 (diff) | |
| download | vyos-1x-a0805e37e1f3935cb1cb016082797b4e664bb920.tar.gz vyos-1x-a0805e37e1f3935cb1cb016082797b4e664bb920.zip | |
Merge pull request #4480 from c-po/T7122-pki
T7122: pki: unable to switch from custom cert to ACME when HAProxy service is running with 'redirect-http-to-https' option
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 70ea5d2b0..62934c612 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -50,9 +50,29 @@ defaults
     errorfile 503 /etc/haproxy/errors/503.http
     errorfile 504 /etc/haproxy/errors/504.http
 
+# Default ACME backend
+backend buildin_acme_certbot
+    server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }}
+
 # Frontend
 {% if service is vyos_defined %}
 {% for front, front_config in service.items() %}
+{% if front_config.redirect_http_to_https is vyos_defined %}
+{% set certbot_backend_name = 'certbot_' ~ front ~ '_backend' %}
+frontend {{ front }}-http
+    mode http
+{% if front_config.listen_address is vyos_defined %}
+{% for address in front_config.listen_address %}
+    bind {{ address | bracketize_ipv6 }}:80
+{% endfor %}
+{% else %}
+    bind [::]:80 v4v6
+{% endif %}
+    acl acme_acl path_beg /.well-known/acme-challenge/
+    use_backend buildin_acme_certbot if acme_acl
+    redirect scheme https code 301 if !acme_acl
+{% endif %}
+
 frontend {{ front }}
 {% set ssl_front = [] %}
 {% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
@@ -68,9 +88,6 @@ frontend {{ front }}
 {% else %}
     bind [::]:{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {% endif %}
-{% if front_config.redirect_http_to_https is vyos_defined %}
-    http-request redirect scheme https unless { ssl_fc }
-{% endif %}
 {% if front_config.logging is vyos_defined %}
 {% for facility, facility_config in front_config.logging.facility.items() %}
     log /dev/log {{ facility }} {{ facility_config.level }}
@@ -237,6 +254,5 @@ backend {{ back }}
 {% if back_config.timeout.server is vyos_defined %}
     timeout server {{ back_config.timeout.server }}s
 {% endif %}
-
 {% endfor %}
 {% endif %}
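Review bot: The `{% set certbot_backend_name = 'certbot_' ~ front ~ '_backend' %}` line in the first hunk is dead — nothing in the new `frontend {{ front }}-http` block references it, and `use_backend` hardcodes `buildin_acme_certbot` — so it should be dropped to avoid suggesting a per-frontend backend that does not exist. Because every frontend with `redirect_http_to_https` now emits its own `:80` listener, two such frontends with the default `bind [::]:80 v4v6`, or one whose `port` is 80, would appear to bind the same socket and fail HAProxy's config check; a guard or a shared `:80` frontend looks necessary, though the surrounding validation lives outside this hunk. The new `-http` frontend also receives none of the `log /dev/log ...` lines that `frontend {{ front }}` gets from `front_config.logging`, so redirects and ACME-challenge requests on port 80 are only logged if `defaults` (outside the hunk) provides a `log`; consider emitting the same logging block in the new frontend. The enclosing `{% for front, front_config in service.items() %}` loop continues past the end of this hunk.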
