| Age | Commit message (Collapse) | Author |
|---|
|
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
|
|
When both the CLI PKI node for an ACME-issued certificate and HAProxy are
configured during initial setup, the certbot challenge cannot be served via the
reverse proxy because HAProxy has not yet been configured at all.
This commit introduces a special case to handle this bootstrap scenario,
ensuring that the certbot challenge can still be served correctly in standalone
mode on port 80 despite initial config dependencies/priorities between PKI
and HAProxy.
|
|
Some VyOS CLI nodes support defining multiple certificates. The previous check
when removing a certificate from the CLI only performed a string comparison,
which failed in cases where the underlying data was a list (CLI <multi/> node).
This update extends the check to handle both cases:
- If the datum is a string, perform a string comparison.
- If the datum is a list, check whether the target certificate is part of the
list.
This ensures proper removal behavior regardless of the data type used in the
CLI node.
|
|
This will wrap the messages at 72 characters in the same way as Warning() and
DeprecationWarning() would do. We now have simple wrappers for it!
Example:
vyos@vyos# commit
[ pki ]
Updating configuration: "load-balancing haproxy service frontend ssl
certificate LE_cloud"
Add/replace automatically imported CA certificate for "LE_cloud"
|
|
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
|
|
Add a new category if Jinja2 operands. We already have filters and tests, but
sometimes we would like to call a Python function without and data "|" piped
to it - that's what they call a clever-function.
{{ get_default_port(NAME) }} can be used to retrieve the value from
vyos.defaults.internal_ports[NAME] within Jinja2. We no longer need to extend
the dictionary with arbitrary data retrieved from vyos.defaults, we can now
simply register another clever-function to the Jinja2 backend.
|
|
|
|
|
|
Automatically render HaProxy rules to reverse-proxy ACME challanges when the
requested certificate was issued using ACME.
|
|
|
|
If we detect that an ACME issued certificate is consumed by haproxy service,
we will move the certbot webserver to localhost and a highport, to proxy the
request via haproxy which is already using port 80.
|
|
changed_keys had the same content as the values inside the sync_translate
dictionary. Infact they were both used together do defined changed CLI keys.
The list for changed_keys is a list of all unique values inside the
sync_translate dict.
|
|
|
|
If redirect-http-to-https is set we will render a discrete onfiguration in
HAproxy to properly claim port 80 in the system to detect if a service is
alreadey using the port or not.
|
|
Commit 4523e9c897b3 ("wireguard: T3763: Added check for listening port
availability") added a function to check if a port is free to use or already
occupied by a different running service. This has been done by trying to bind a
socket to said given port.
Unfortunately there is no support for IPv6 address-fdamily in both
socketserver.TCPServer or socketserver.UDPServer. This must be done manually by
deriving TCPServer and setting self.address_family for IPv6.
The new implementation gets rid of both TCPServer and UDPServer and replaces it
with a simple socket binding to a given IPv4/IPv6 address or any interface/
address if unspecified.
In addition build time tests are added for the function to check for proper
behavior during build time of vyos-1x.
|
|
smoketest: T7400: fix unbound variable when checking VXLAN remote and group settings
|
|
'NoneType' is not iterable" (#4471)
Co-authored-by: canoziia <canoziia@qq.com>
|
|
settings
FAIL: test_vxlan_group_remote_error (__main__.VXLANInterfaceTest.test_vxlan_group_remote_error)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_vxlan.py", line 139, in test_vxlan_group_remote_error
self.assertIn('Both group and remote cannot be specified', str(exception))
AssertionError: 'Both group and remote cannot be specified' not found in '[[interfaces vxlan vxlan60]] failed\nCommit failed\n'
This happens because cm variable is accessed when no longer valid. Change
behavior to match common smoketest style, check ConfigError exception - but do
not check exception message. Fix the error and commit again.
|
|
firewall: T7358: add offload option to global state policy
|
|
'NoneType' is not iterable"
|
|
bgp: T7220: Add the option to disable enforce-first-as at peer level
|
|
T7282: op-mode: show firewall group filtering and tab completion update
|
|
T7316: Add MTU validation for interfaces with MTU less then 1200
|
|
|
|
advertisements (#4463)
|
|
dhclient: T6253: Respect `no-default-route`
|
|
interface: T4627: not every interface type supports IPv6 interface-identifiers
|
|
Turns out commit b124f0b3b ("interface: T4627: support IPv6 Interface
Identifier (token) for SLAAC") uncovered a wrong assumption in VyOS that every
interface type in use always supports SLAAC and IPv6-ND (neighbor discovery).
This is not true for WireGuard, Tunnel and VTI interfaces, thus do not provide
that CLI option. In addition SLAAC support should be removed for those interface
types in a future PR.
|
|
syslog: T7367: ensure rsyslog is registered as default systemd syslog service
|
|
interface: T7375: cleanup SLAAC assigned address and default route after removing SLAAC CLI configuration
|
|
geoip: T5636: Add geoip for policy route/route6
|
|
interface: T4627: support setting of IPv6 Interface Identifier(Token)
|
|
bridge: T7322: fix slow performance of allowed vlan
|
|
ospf: T7383: Fixed unconfigured redistribution of nhrp into ospf
|
|
|
|
When an interface runs in DHCPv6 only mode, there is no reason to have a
default installed that was received via SLAAC. If SLAAC is needed, it should
be turned on explicitly.
This bug was only triggered during system boot where a DHCPv6 client address
and a default route to a link-local address was shown in the system. If DHCPv6
was enabled only on an interface while VyOS was already running - no default
route got installed.
|
|
|
|
When using SLAAC for IPv6 addresses we will also receive a default route via a
RA (Router Advertisement). When we disable SLAAC on a interface the Linux
Kernel does not automatically flush all addresses nor the routes received.
The Kernel wait's until the addresses/prefixes/routes expire using their
lifestime setting.
When removing SLAAC from an interface, also remove the auto generated IPv6
address and both the default router received and the connected IP prefix of the
SLAAC advertisement.
|
|
We can reference "self.ifname" in any Python f-ormatted string directly. No
need for an interim temporary variable.
|
|
|
|
instead of &&
|
|
|
|
|
|
Fixed unconfigured redistribution of nhrp into ospf.
|
|
|
|
T7334: pr mirror trigger workflow added with label creation permission for default github token
|
|
default github token
|
|
- Added smoketest for offload in global state policy
|
|
Add common IPv6 CLI option (use ethernet as example):
set interfaces ethernet eth0 ipv6 address interface-identifier
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
|
