Closed epackorigan closed 6 years ago
Instructions for setting up a server so this can be validated would be appreciated.
Find below a config for HAProxy to do the SSL termination+auth as a frontend to the Sal server.

haproxy.cfg:

```
global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 10000
    timeout server 10000

frontend https-sal-scripts
    bind *:443 ssl crt [crt_chain.pem] ca-file [cafile.pem] verify required
    mode tcp
    default_backend sal-nodes

backend sal-nodes
    mode tcp
    balance roundrobin
    server [beserver] [192.168.10.11] check ssl verify required ca-file [/etc/haproxy/myca.pem]
```

Replace the items in [] as needed.
I do not have time to test this. If you can provision a pre-built docker image so this can be tested, I may be happy to merge this. At the moment with no simple way to test, I cannot merge this.
Fair enough - I'm new to docker, so this may take a while.
As this doesn’t break any existing functionality I’m going to merge this. Hopefully more people using it will help surface any issues.
Can you please document the use of this in the main Sal wiki?
Documentation updated. Let me know if it needs further clarification.
New options `SSLClientCertificate` and `SSLClientKey` to allow curl to do a mutual TLS connection to the server.

`/path/to/file.p12:password`

See the man page for curl, specifically `--key`, `--cert`, `--key-type`, `--cert-type`.

This is, as of yet, untested...
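As an added example (not code from this PR or from Sal), the following shell function turns the two new option values into curl flags, using the `file.p12:password` value format described above; the function name, the optional CA argument and the PEM handling are assumptions.

```bash
#!/bin/sh
# Added example, not Sal's code: build curl's mutual-TLS arguments from the
# SSLClientCertificate and SSLClientKey option values.
#
# Usage: sal_curl_tls_args CERT [KEY] [CA]
#   CERT  path to a PEM certificate, or "file.p12:password" (PKCS#12 bundle)
#   KEY   path to the PEM private key (ignored for a PKCS#12 bundle)
#   CA    optional CA bundle used to verify the server (assumed parameter)
# Prints one curl argument per line so a caller can feed them to "set --".
sal_curl_tls_args() {
    cert="$1"
    key="$2"
    ca="$3"
    case "$cert" in
        *.p12|*.p12:*|*.pfx|*.pfx:*)
            # A PKCS#12 bundle carries both the certificate and the key, so
            # curl only needs --cert with the "file:password" form and the
            # matching --cert-type; --key must not be passed.
            printf '%s\n' --cert "$cert" --cert-type P12
            ;;
        *)
            # Separate PEM files: certificate and key each get their own flag.
            printf '%s\n' --cert "$cert" --cert-type PEM
            if [ -n "$key" ]; then
                printf '%s\n' --key "$key" --key-type PEM
            fi
            ;;
    esac
    # Pin server verification to the deployment's CA (the same CA the HAProxy
    # frontend above presents) instead of the system trust store.
    if [ -n "$ca" ]; then
        printf '%s\n' --cacert "$ca"
    fi
}
```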