devops-coop / ansible-haproxy

Installs and configures HAProxy
Apache License 2.0

Only set SSL parameters on bind if needed #39

Closed StevenLeRoux closed 7 years ago

StevenLeRoux commented 8 years ago

If we set an SSL block with cipher suites, etc., the template will apply it to every single bind configured. This can lead to SSL being applied even on bind: *:80, where it's not wanted.

To prevent SSL from being applied everywhere, we define a new block structure for binds in the frontend/listen configuration area:

binds:

As defined in the example configuration, binds is a list of binds, each with a bind.ssl boolean that defines whether we want SSL to be applied or not.

The generated HAProxy configuration will then be:

frontend f_example
    bind :80
    bind :443 ssl crt /etc/ssl/private/domain.tld.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:...

benwebber commented 7 years ago

I wonder if it would be simpler to accept arbitrary bind parameters:

bind:
  '*:443':
    - ssl
    - crt /path/to/cert.pem
    - alpn h2

Then simply iterate over them like so:

{# one "bind" line per address; items() works on both Python 2 and 3 #}
{% for bind, options in item.bind.items() %}
  bind {{ bind }} {{ options | join(' ') }}
{% endfor %}

This would mean we don't need to update the template as frequently.
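The following is an added example, not code from the ansible-haproxy role or from either commenter. It models the three template strategies discussed in this thread in plain Python (no Jinja2, so it runs offline): the 1.x behaviour that appends one global SSL block to every bind, the binds-list-with-ssl-boolean shape from this PR, and the per-bind option lists suggested above. It then audits the rendered haproxy.cfg text for the failure mode the PR is about, TLS options that landed on a plaintext bind. The frontend data, the certificate path, the cipher string and the set of "plaintext" ports are constructed for illustration.

```python
"""Added example (not the ansible-haproxy role's code): render a frontend
three ways and audit the result for SSL options on plaintext binds."""
import re

# Constructed sample data: a global SSL block of the kind the 1.x role
# variables carry, and one frontend with a plaintext and a TLS bind.
SSL_BLOCK = "ssl crt /etc/ssl/private/domain.tld.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384"

FRONTEND_V1 = {"name": "f_example", "bind": [":80", ":443"]}

# Shape proposed in this PR: a list of binds, each with an ssl boolean.
FRONTEND_BOOL = {
    "name": "f_example",
    "binds": [{"bind": ":80", "ssl": False}, {"bind": ":443", "ssl": True}],
}

# Shape suggested in the comment above: arbitrary per-bind option lists.
FRONTEND_OPTS = {
    "name": "f_example",
    "bind": {
        "*:80": [],
        "*:443": ["ssl", "crt /etc/ssl/private/domain.tld.pem", "alpn h2"],
    },
}


def render_v1(frontend, ssl_block):
    """1.x behaviour the PR fixes: the SSL block is appended to every bind."""
    lines = [f"frontend {frontend['name']}"]
    for addr in frontend["bind"]:
        lines.append(f"    bind {addr} {ssl_block}")
    return "\n".join(lines) + "\n"


def render_ssl_bool(frontend, ssl_block):
    """This PR's proposal: apply the SSL block only where bind.ssl is true."""
    lines = [f"frontend {frontend['name']}"]
    for b in frontend["binds"]:
        suffix = f" {ssl_block}" if b.get("ssl") else ""
        lines.append(f"    bind {b['bind']}{suffix}")
    return "\n".join(lines) + "\n"


def render_per_bind(frontend):
    """Per-bind options proposal: join each bind's own option list with spaces."""
    lines = [f"frontend {frontend['name']}"]
    for addr, options in frontend["bind"].items():
        lines.append(f"    bind {addr} {' '.join(options)}".rstrip())
    return "\n".join(lines) + "\n"


BIND_RE = re.compile(r"^\s*bind\s+(\S+)(?:\s+(.*))?$")
PLAINTEXT_PORTS = {"80"}  # assumption: ports that are never meant to carry TLS


def audit_binds(config_text):
    """Scan rendered haproxy.cfg text; return (line number, message) findings.

    Flags 'ssl' on a bind whose port is in PLAINTEXT_PORTS, and 'ssl' with
    neither 'crt' nor 'crt-list' (haproxy's own config check rejects that,
    but the plaintext-port case is a valid config that only this audit sees).
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = BIND_RE.match(line)
        if not m:
            continue
        addrs, opts = m.group(1).split(","), (m.group(2) or "").split()
        if "ssl" not in opts:
            continue
        if "crt" not in opts and "crt-list" not in opts:
            findings.append((lineno, "ssl without crt/crt-list"))
        for addr in addrs:
            # handles ':80', '*:80' and '[::]:80'; unix@ sockets have no port
            port = addr.rsplit(":", 1)[-1] if ":" in addr else None
            if port in PLAINTEXT_PORTS:
                findings.append((lineno, f"ssl applied to plaintext bind {addr}"))
    return findings


if __name__ == "__main__":
    for name, text in (("v1", render_v1(FRONTEND_V1, SSL_BLOCK)),
                       ("ssl-bool", render_ssl_bool(FRONTEND_BOOL, SSL_BLOCK)),
                       ("per-bind", render_per_bind(FRONTEND_OPTS))):
        print(f"# {name}\n{text}findings: {audit_binds(text)}\n")
```

Only the v1 rendering produces a finding (ssl on :80); both proposed shapes render clean. The audit is worth keeping alongside `haproxy -c -f haproxy.cfg`: haproxy's check catches a missing certificate, but a TLS listener on port 80 is a perfectly valid configuration as far as haproxy is concerned, so the only thing that notices it is a check like this one or a failing plaintext client.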

benwebber commented 7 years ago

Hi Steven,

While your proposed changes are useful and correct, they change the expected role variable contract of versions 1.x.

We are moving on to version 2.x and have the opportunity to address breaking changes now. We will be able to implement this fix, or something like it, in a 2.x release (see #54). For now, I'm closing this PR.

Thanks!