authorDaniil Baturin <daniil@vyos.io>2024-04-01 16:30:43 +0200
committerGitHub <noreply@github.com>2024-04-01 16:30:43 +0200
commit5e5bb5a40cbd3fad92f0d88c36f47b9b5fd41347 (patch)
treecd716ec732b434d6bd9f942b23c48919840ccd3b /src
parent9edf1e7c23f13e682bbe4b2ae75ff4be897822ab (diff)
parent3908eaf24f290ebf538fb668e3545a437c0b0b41 (diff)
downloadvyos-1x-5e5bb5a40cbd3fad92f0d88c36f47b9b5fd41347.tar.gz
vyos-1x-5e5bb5a40cbd3fad92f0d88c36f47b9b5fd41347.zip
Merge pull request #3225 from vyos/mergify/bp/sagitta/pr-3222
T6178: Check that certificate exists during reverse-proxy commit (backport #3222)
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 7338fe573..2a0acd84a 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -55,6 +55,29 @@ def get_config(config=None):
return lb
+def _verify_cert(lb: dict, config: dict) -> None:
+ if 'ca_certificate' in config['ssl']:
+ ca_name = config['ssl']['ca_certificate']
+ pki_ca = lb['pki'].get('ca')
+ if pki_ca is None:
+ raise ConfigError(f'CA certificates does not exist in PKI')
+ else:
+ ca = pki_ca.get(ca_name)
+ if ca is None:
+ raise ConfigError(f'CA certificate "{ca_name}" does not exist')
+
+ elif 'certificate' in config['ssl']:
+ cert_names = config['ssl']['certificate']
+ pki_certs = lb['pki'].get('certificate')
+ if pki_certs is None:
+ raise ConfigError(f'Certificates does not exist in PKI')
+
+ for cert_name in cert_names:
+ pki_cert = pki_certs.get(cert_name)
+ if pki_cert is None:
+ raise ConfigError(f'Certificate "{cert_name}" does not exist')
+
+
def verify(lb):
if not lb:
return None
@@ -83,6 +106,15 @@ def verify(lb):
if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
+ for front, front_config in lb['service'].items():
+ if 'ssl' in front_config:
+ _verify_cert(lb, front_config)
+
+ for back, back_config in lb['backend'].items():
+ if 'ssl' in back_config:
+ _verify_cert(lb, back_config)
+
+
def generate(lb):
if not lb:
# Delete /run/haproxy/haproxy.cfg
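Review bot: The `elif` on the `'certificate'` branch of `_verify_cert` (first hunk, `@@ -55,6 +55,29 @@`) means an `ssl` block that carries both `ca_certificate` and `certificate` gets only its CA name checked and the certificate names are never validated; nothing in the function depends on the two being exclusive, so an independent `if 'certificate' in config['ssl']:` would check both. The two f-strings `f'CA certificates does not exist in PKI'` and `f'Certificates does not exist in PKI'` carry no placeholders and are ungrammatical; plain `'No CA certificates exist in PKI'` and `'No certificates exist in PKI'` would do. The function also has no docstring, and since it only confirms that a name is present under `lb['pki']` (not that the entry holds usable key material, which is presumably left to generate()), a one-liner such as `"""Raise ConfigError if an ssl ca_certificate or certificate name is not present in the PKI subtree."""` would make that boundary explicit. In the second hunk the loop variables `front` and `back` are unused, so `for front_config in lb['service'].values():` and `for back_config in lb['backend'].values():` are the idiomatic form; verify()'s body continues outside that hunk.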