salopensource / sal-scripts

Apache License 2.0

options for mutual TLS #24

Closed epackorigan closed 6 years ago

epackorigan commented 6 years ago

New options SSLClientCertificate and SSLClientKey to allow curl to do mutual TLS connection to the server.

See man page for curl, specifically, --key, --cert, --key-type, --cert-type.

This is, as of yet, untested...
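To show how the two new preferences would be consumed by a checkin script, here is an added Python example (not code from this pull request or from sal-scripts). It assumes the preferences arrive as a plain dict with the keys `SSLClientCertificate` and `SSLClientKey` named in the PR; the `SSLClientCertificateType` and `SSLClientKeyType` keys are hypothetical names used here to pass curl's `--cert-type` and `--key-type`. It also audits the private key's file mode, since a client key that the whole machine can read gives the mutual TLS check little value.

```python
"""Build a curl invocation that performs mutual TLS when client credentials
are configured, and sanity-check those credentials before using them.

Added example; not part of sal-scripts.
"""
import os
import stat
import subprocess  # only used by the demo under __main__

# Preference keys introduced by the pull request.
CERT_KEY = "SSLClientCertificate"
KEY_KEY = "SSLClientKey"
# Assumed (hypothetical) keys for curl's --cert-type / --key-type.
CERT_TYPE_KEY = "SSLClientCertificateType"
KEY_TYPE_KEY = "SSLClientKeyType"


def build_curl_args(prefs, url):
    """Return the curl argv for fetching `url`.

    The mutual-TLS flags are appended only when the matching preference is
    set, so a machine without client credentials behaves exactly as before.
    A key without a certificate is rejected because curl would never send it.
    """
    args = ["curl", "--silent", "--show-error", "--fail", "--tlsv1.2"]
    cert = prefs.get(CERT_KEY)
    key = prefs.get(KEY_KEY)
    if key and not cert:
        raise ValueError(f"{KEY_KEY} is set but {CERT_KEY} is not")
    if cert:
        args += ["--cert", cert]
        if prefs.get(CERT_TYPE_KEY):
            args += ["--cert-type", prefs[CERT_TYPE_KEY]]
    if key:
        args += ["--key", key]
        if prefs.get(KEY_TYPE_KEY):
            args += ["--key-type", prefs[KEY_TYPE_KEY]]
    args.append(url)
    return args


def key_permission_problems(mode):
    """Describe why a private key's st_mode is too permissive (empty if fine)."""
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by others")
    return problems


def check_client_credentials(prefs):
    """Return a list of human-readable problems with the configured files."""
    problems = []
    for name in (CERT_KEY, KEY_KEY):
        path = prefs.get(name)
        if path and not os.path.isfile(path):
            problems.append(f"{name}: {path} does not exist")
    key = prefs.get(KEY_KEY)
    if key and os.path.isfile(key):
        mode = os.stat(key).st_mode
        problems += [f"{KEY_KEY}: {p}" for p in key_permission_problems(mode)]
    return problems


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a deliberately world-readable key file.
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        key_path = fh.name
    os.chmod(key_path, 0o644)
    prefs = {CERT_KEY: "/etc/sal/client.pem", KEY_KEY: key_path}
    for problem in check_client_credentials(prefs):
        print("warning:", problem)
    argv = build_curl_args(prefs, "https://sal.example.invalid/checkin/")
    print("would run:", " ".join(argv))
    # subprocess.run(argv, check=True)  # real checkin would go here
    os.unlink(key_path)
```

Running the script prints a warning for the 0644 key and the curl command line it would execute; a checkin script would call `subprocess.run(argv, check=True)` once `check_client_credentials` returns an empty list.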

grahamgilbert commented 6 years ago

Instructions for setting up a server so this can be validated would be appreciated.

epackorigan commented 6 years ago

Find below a config for HA Proxy to do the SSL termination+auth as a frontend to the sal server.

haproxy.cfg:

```haproxy
global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 10000
    timeout server 10000

# TLS termination: clients must present a certificate signed by cafile.pem
frontend https-sal-scripts
    bind *:443 ssl crt [crt_chain.pem] ca-file [cafile.pem] verify required
    mode tcp
    default_backend sal-nodes

# Re-encrypt to the Sal server and verify its certificate against myca.pem
backend sal-nodes
    mode tcp
    balance roundrobin
    server [beserver] [192.168.10.11] check ssl verify required ca-file [/etc/haproxy/myca.pem]
```

Replace the items in [] as needed.

grahamgilbert commented 6 years ago

I do not have time to test this. If you can provision a pre-built docker image so this can be tested, I may be happy to merge this. At the moment with no simple way to test, I cannot merge this.

epackorigan commented 6 years ago

Fair enough - I'm new to docker, so this may take a while.

grahamgilbert commented 6 years ago

As this doesn’t break any existing functionality I’m going to merge this. Hopefully more people using it will help surface any issues.

grahamgilbert commented 6 years ago

Can you please document the use of this in the main Sal wiki?

epackorigan commented 6 years ago

Documentation updated. Let me know if it needs further clarification.