| | | |
|---|---|---|
| author | Christian Breunig <christian@breunig.cc> | 2025-05-05 17:20:44 +0200 |
| committer | Christian Breunig <christian@breunig.cc> | 2025-05-05 19:50:20 +0200 |
| commit | f40cf6064a02fbb6baae924e94b9183d6bd87474 (patch) | |
| tree | d1afdf3793a7b17cab879f595f9e37c387bf3153 /data | |
| parent | 59d86826a2ffb2df6a0ce603c879e541a4fe88ba (diff) | |
pki: T7122: when ACME listen-address is used - check if port is available
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index 7a6b86c10..62934c612 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -50,6 +50,10 @@ defaults errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http +# Default ACME backend +backend buildin_acme_certbot + server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }} + # Frontend {% if service is vyos_defined %} {% for front, front_config in service.items() %} @@ -65,11 +69,8 @@ frontend {{ front }}-http bind [::]:80 v4v6 {% endif %} acl acme_acl path_beg /.well-known/acme-challenge/ - use_backend {{ certbot_backend_name }} if acme_acl + use_backend buildin_acme_certbot if acme_acl redirect scheme https code 301 if !acme_acl - -backend {{ certbot_backend_name }} - server acme_{{ front }} 127.0.0.1:{{ get_default_port('certbot_haproxy') }} {% endif %} frontend {{ front }} |
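Review bot: the backend name in the added `backend buildin_acme_certbot` line reads like a misspelling of "builtin", and because the same literal is referenced by the `use_backend buildin_acme_certbot if acme_acl` line further down, the typo ends up in every rendered haproxy.cfg; renaming it to `builtin_acme_certbot` in both places before merge is cheap now and awkward later. Two further points on this hunk: the backend is now emitted unconditionally, outside `{% if service is vyos_defined %}`, so it is present even when no frontend references it (harmless for HAProxy, but worth a comment above the block saying so), and the `server localhost 127.0.0.1:{{ get_default_port('certbot_haproxy') }}` line only holds if the certbot process is started on exactly that port; the port/address check the commit message describes lives outside this diffstat (limited to `data`), so the Python change should be reviewed together with this template.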
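Review bot: the second hunk is the real fix and deserves a sentence in the commit message: the removed `backend {{ certbot_backend_name }}` block sat inside the `{% for front, front_config in service.items() %}` loop, so every frontend with the HTTP redirect enabled re-declared a backend under the same name, and moving it to a single shared backend removes that duplicate. Since `use_backend buildin_acme_certbot if acme_acl` now repeats the backend name as a literal that must match the definition in the other hunk, consider defining the name once at the top of the template (a Jinja `{% set %}`, or keep passing `certbot_backend_name` and use it in both places) so the two cannot drift; if `certbot_backend_name` is no longer referenced anywhere in the template, the code that supplied it should be dropped in the same change. The ACL and `redirect scheme https code 301 if !acme_acl` logic is unchanged, so non-ACME plain-HTTP requests are still redirected as before.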