haproxy: T7122: always reverse-proxy ACL for certbot - vyos-1x.git - VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)

diff options

author	Christian Breunig <christian@breunig.cc>	2025-05-04 11:35:33 +0200
committer	Christian Breunig <christian@breunig.cc>	2025-05-04 23:38:29 +0200
commit	59957ad694043f41a7b1e9ee740b19c87f297867 (patch)
tree	bf53840d5fb5636c463ef8df9f8bd4e40d0778ac /src/migration-scripts/reverse-proxy
parent	aff2835d7b6226e4b89f51e3f6133da26f3a07bf (diff)
download	vyos-1x-59957ad694043f41a7b1e9ee740b19c87f297867.tar.gz vyos-1x-59957ad694043f41a7b1e9ee740b19c87f297867.zip

haproxy: T7122: always reverse-proxy ACL for certbot

Always enable the ACL entry to reverse-proxy requests to the path "/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for a given HAProxy frontend service. This is an intentional design decision to simplify the implementation and reduce overall code complexity. It poses no risk: a missing path returns a 404, and an unavailable backend yields an error 503. This approach avoids a chicken-and-egg problem where certbot might try to request a certificate via reverse-proxy before the proxy config is actually generated and active. By always routing through HAProxy, we also eliminate downtime as port 80 does not need to be freed for certbot's standalone mode.

Diffstat (limited to 'src/migration-scripts/reverse-proxy')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: