docker-archive / dockercloud-haproxy

HAproxy image that autoreconfigures itself when used in Docker Cloud
https://cloud.docker.com/

load DEFAULT_SSL_CERT / SSL_CERT from secrets file rather than environment #195

Closed abuisine closed 6 years ago

abuisine commented 7 years ago

I may be wrong, but it seems to me that there is no option to specify a /run/secrets file as the main cert, and that we are forced to use environment variables with '\n' as new lines. Do you plan to add such a feature?

tifayuki commented 7 years ago

@abuisine Good call. DEFAULT_SSL_CERT is a good example for using a secret, I think. What you can do currently is to use CERT_FOLDER pointing to the secret folder and use the file name as cert.pem.

I am currently working on rewriting all the environment variables with better descriptions and examples here. After that, I will try to see if we can also support them using labels and secrets, etc.

markvr commented 7 years ago

The haproxy docs say:

If a directory name is used instead of a PEM file, then all files found in that directory will be loaded in alphabetic order unless their name ends with '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be specified multiple times in order to load certificates from multiple files or directories. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of their CN or alt subjects. Wildcards are supported, where a wildcard character '*' is used instead of the first hostname component (eg: *.example.org matches www.example.org but not www.sub.example.org).

If no SNI is provided by the client or if the SSL library does not support TLS extensions, or if the client provides an SNI hostname which does not match any certificate, then the first loaded certificate will be presented. This means that when loading certificates from a directory, it is highly recommended to load the default one first as a file or to ensure that it will always be the first one in the directory.

I don't know what "it is highly recommended to load the default one first as a file" means. It's possible that they mean the highest alphabetically, but it's not entirely clear if that is correct.

tifayuki commented 7 years ago

@markvr As I remember, the cert files are loaded in alphabetical order. And this is the reason we always named the default SSL cert cert0.pem and the rest of the certs cert1.pem, etc.
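The two points above (CERT_FOLDER pointed at the secrets directory, and the default cert being whichever file HAProxy loads first) combine into a check worth running before deploying: list the directory the way HAProxy will and confirm the intended default really sorts first. The script below is an added example, not code from dockercloud-haproxy or HAProxy. It models the rules quoted from the HAProxy docs in this thread: every file in the directory is loaded in alphabetical order except names ending in '.issuer', '.ocsp' or '.sctl', and the first loaded certificate is presented when the client sends no SNI or an SNI that matches nothing. The one assumption is that "alphabetic order" behaves as plain byte-wise string order; the directory listings in the block are constructed.

```python
"""Predict which certificate HAProxy presents when `crt` points at a directory.

Added example, not project code. Models the HAProxy doc rules quoted above:
alphabetical load order, reserved extensions skipped, first loaded cert is the
default. Assumption: alphabetical order is modelled as byte-wise string order.
"""
import os
from typing import Iterable, List, Optional

# Files with these extensions sit beside a cert and are not loaded as certs.
RESERVED_EXTENSIONS = (".issuer", ".ocsp", ".sctl")


def crt_load_order(names: Iterable[str]) -> List[str]:
    """Return the file names in the order HAProxy would load them."""
    loadable = [n for n in names if not n.endswith(RESERVED_EXTENSIONS)]
    return sorted(loadable)


def default_cert(names: Iterable[str]) -> Optional[str]:
    """The certificate presented when SNI is absent or matches no cert."""
    order = crt_load_order(names)
    return order[0] if order else None


def check_default(names: Iterable[str], expected: str) -> List[str]:
    """Return findings; an empty list means `expected` will be the default."""
    findings: List[str] = []
    order = crt_load_order(names)
    if expected not in order:
        findings.append(f"{expected} is not a loadable file in the directory")
        return findings
    first = order[0]
    if first != expected:
        findings.append(
            f"{first} sorts before {expected}; HAProxy will present {first} "
            "to clients without a matching SNI"
        )
    return findings


def check_directory(path: str, expected: str) -> List[str]:
    """Same check against a real directory, e.g. the one CERT_FOLDER points at."""
    return check_default(os.listdir(path), expected)


if __name__ == "__main__":
    # Constructed listings, not taken from a real deployment.
    good = ["cert0.pem", "cert1.pem", "cert1.pem.ocsp", "cert2.pem"]
    print(crt_load_order(good))              # ['cert0.pem', 'cert1.pem', 'cert2.pem']
    print(check_default(good, "cert0.pem"))  # []

    # The cert0/cert1/... scheme only works while nothing sorts before cert0.pem.
    bad = ["cert0.pem", "api.example.org.pem"]
    for finding in check_default(bad, "cert0.pem"):
        print("WARNING:", finding)
```

The cert0.pem convention holds as long as no other file name sorts before it; a certificate dropped into the same secrets directory under a hostname-style name (the second listing) silently becomes the default instead, which is exactly the ambiguity the quoted docs warn about.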