summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/load-balancing_reverse-proxy.py32
-rwxr-xr-xsrc/conf_mode/service_dhcp-server.py2
2 files changed, 33 insertions, 1 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 7338fe573..2a0acd84a 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -55,6 +55,29 @@ def get_config(config=None):
return lb
+def _verify_cert(lb: dict, config: dict) -> None:
+ if 'ca_certificate' in config['ssl']:
+ ca_name = config['ssl']['ca_certificate']
+ pki_ca = lb['pki'].get('ca')
+ if pki_ca is None:
+ raise ConfigError(f'CA certificates does not exist in PKI')
+ else:
+ ca = pki_ca.get(ca_name)
+ if ca is None:
+ raise ConfigError(f'CA certificate "{ca_name}" does not exist')
+
+ elif 'certificate' in config['ssl']:
+ cert_names = config['ssl']['certificate']
+ pki_certs = lb['pki'].get('certificate')
+ if pki_certs is None:
+ raise ConfigError(f'Certificates does not exist in PKI')
+
+ for cert_name in cert_names:
+ pki_cert = pki_certs.get(cert_name)
+ if pki_cert is None:
+ raise ConfigError(f'Certificate "{cert_name}" does not exist')
+
+
def verify(lb):
if not lb:
return None
@@ -83,6 +106,15 @@ def verify(lb):
if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
+ for front, front_config in lb['service'].items():
+ if 'ssl' in front_config:
+ _verify_cert(lb, front_config)
+
+ for back, back_config in lb['backend'].items():
+ if 'ssl' in back_config:
+ _verify_cert(lb, back_config)
+
+
def generate(lb):
if not lb:
# Delete /run/haproxy/haproxy.cfg
diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py
index ba3d69b07..bf4454fda 100755
--- a/src/conf_mode/service_dhcp-server.py
+++ b/src/conf_mode/service_dhcp-server.py
@@ -316,7 +316,7 @@ def verify(dhcp):
raise ConfigError(f'Invalid CA certificate specified for DHCP high-availability')
for address in (dict_search('listen_address', dhcp) or []):
- if is_addr_assigned(address):
+ if is_addr_assigned(address, include_vrf=True):
listen_ok = True
# no need to probe further networks, we have one that is valid
continue