author | Christian Breunig <christian@breunig.cc> | 2025-04-28 22:08:46 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-04-28 22:10:08 +0200 |
commit | f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3 (patch) | |
tree | e200a77ba323f8dad89900f3260532c843359c3b /src | |
parent | 6abf68da33aa71913872730e24396f366c4dc9fa (diff) | |
download | vyos-1x-f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3.tar.gz vyos-1x-f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3.zip |
haproxy: T7122: automatically reverse-proxy to certbot
Automatically render HAProxy rules to reverse-proxy ACME challenges when the
requested certificate was issued using ACME.
Diffstat (limited to 'src')
-rw-r--r-- | src/conf_mode/load-balancing_haproxy.py | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/src/conf_mode/load-balancing_haproxy.py b/src/conf_mode/load-balancing_haproxy.py
index 92bf818dc..f176009a0 100644
--- a/src/conf_mode/load-balancing_haproxy.py
+++ b/src/conf_mode/load-balancing_haproxy.py
@@ -22,6 +22,7 @@ from shutil import rmtree
 from vyos.config import Config
 from vyos.configverify import verify_pki_certificate
 from vyos.configverify import verify_pki_ca_certificate
+from vyos.defaults import internal_ports
 from vyos.utils.dict import dict_search
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
@@ -58,6 +59,14 @@ def get_config(config=None):
 with_recursive_defaults=True,
 with_pki=True)
+ lb['certbot_port'] = internal_ports['certbot_haproxy']
+
+ if 'service' in lb:
+ for front, front_config in lb['service'].items():
+ for cert in dict_search('ssl.certificate', front_config) or []:
+ if dict_search(f'pki.certificate.{cert}.acme', lb):
+ lb['service'][front]['ssl'].update({'acme_certificate': {}})
+
 return lb
 def verify(lb):
@@ -85,6 +94,9 @@ def verify(lb):
 raise ConfigError(f'service {front} must have at least one mime-type configured to use'
 f'http_compression!')
+ for cert in dict_search('ssl.certificate', front_config) or []:
+ verify_pki_certificate(lb, cert)
+
 for back, back_config in lb['backend'].items():
 if 'http_check' in back_config:
 http_check = back_config['http_check']
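Review bot: In the get_config hunk, `dict_search(f'pki.certificate.{cert}.acme', lb)` interpolates the certificate name into a dot-separated lookup path, so a name that itself contains a dot (plausible for certificates named after a hostname) would be split into extra path components and the lookup would find nothing. If PKI certificate names may contain dots, the frontend would silently not get `acme_certificate` set, and renewal of that certificate could then fail without any error at commit time. Walking the keys explicitly avoids the ambiguity, e.g. `if lb.get('pki', {}).get('certificate', {}).get(cert, {}).get('acme'):`. A one-line comment above the loop, such as `# mark frontends that use an ACME-issued certificate`, would also make the intent clear. get_config starts before this hunk, so how `lb` is populated is only partly visible here.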
@@ -112,20 +124,15 @@ def verify(lb):
 if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']):
 raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!')
+ tmp = dict_search('ssl.ca_certificate', back_config)
+ if tmp: verify_pki_ca_certificate(lb, tmp)
+
 # Check if http-response-headers are configured in any frontend/backend where mode != http
 for group in ['service', 'backend']:
 for config_name, config in lb[group].items():
 if 'http_response_headers' in config and config['mode'] != 'http':
 raise ConfigError(f'{group} {config_name} must be set to http mode to use http_response_headers!')
- for front, front_config in lb['service'].items():
- for cert in dict_search('ssl.certificate', front_config) or []:
- verify_pki_certificate(lb, cert)
-
- for back, back_config in lb['backend'].items():
- tmp = dict_search('ssl.ca_certificate', back_config)
- if tmp: verify_pki_ca_certificate(lb, tmp)
-
 def generate(lb):
 if not lb: |