
reverse-proxy load-balancing service should support multiple certificates for frontend
Closed, Resolved | Public | ENHANCEMENT

Description

The frontend service config for haproxy is currently limited to a single certificate in a single file; however, haproxy supports multiple certificates, which enables reverse-proxy for more than one domain certificate.

In my current use-case, cloudflare generates a different origin certificate for each domain, and there is no way to combine these.

Relevant reverse-proxy load-balancing configuration:

service https_app_k3s-1 {
    backend https_app_k3s-1
    listen-address ::
    listen-address 0.0.0.0
    mode http
    port 443
    ssl {
        certificate cloudflare-origin_domain_a
    }
}

Relevant generated haproxy.cfg section

frontend https_app_k3s-1
    bind [::]:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem
    bind 0.0.0.0:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem
    mode http
    default_backend https_app_k3s-1

Example manually tweaked haproxy.cfg to enable multiple domains (verified as working)

frontend https_app_k3s-1
    bind [::]:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem crt /run/haproxy/cloudflare-origin_domain_b.pem
    bind 0.0.0.0:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem crt /run/haproxy/cloudflare-origin_domain_b.pem
    mode http
    default_backend https_app_k3s-1

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Improvement (missing useful functionality)

Event Timeline

Viacheslav added a subscriber: Viacheslav.

PR https://github.com/vyos/vyos-1x/pull/2590

set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert
set load-balancing reverse-proxy service web ssl certificate client1
set load-balancing reverse-proxy backend bk01 server srv01 address 192.0.2.1
set load-balancing reverse-proxy backend bk01 server srv01 port 9898

Check:

vyos@r4# cat /run/haproxy/haproxy.cfg | grep Front -A 3
# Frontend
frontend web
    bind :::443 v4v6 ssl crt /run/haproxy/cert.pem crt /run/haproxy/client1.pem
    mode http
[edit]

@jamcole It will be available in the next rolling release.
Could you re-check it after 2023-12-14?
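The manually tweaked frontend in the description and the bind line generated after the PR both rely on the same haproxy behaviour: one `crt` argument per certificate file, each file holding the certificate chain and its private key, and the first `crt` serving as the default when a client sends no SNI or an SNI that matches none of the certificates. The following Python is an added illustration of that rendering step and of the two checks an operator would want before reloading haproxy; it is not code from VyOS, the PR, or the task author. The certificate bundles, the `render_frontend` and `bundle_problems` names, and the `/run/haproxy/<name>.pem` path layout (taken from the task's own output) are assumptions of the example.

```python
import re

# Constructed sample PEM bundles for the example (placeholder bodies, not real keys).
# haproxy's "crt" expects one file that holds BOTH the certificate chain and the
# private key; "broken" deliberately lacks the key to show the check firing.
SAMPLE_BUNDLES = {
    "cert": ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
             "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"),
    "client1": ("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
                "-----BEGIN EC PRIVATE KEY-----\nMHcC...placeholder...\n-----END EC PRIVATE KEY-----\n"),
    "broken": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
}

# Certificate names become path components under /run/haproxy, so restrict them
# to a conservative character set before interpolating them into the config.
CERT_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def bundle_problems(name, pem_text):
    """Return the reasons a named PEM bundle is unusable behind 'crt' (empty list = OK)."""
    problems = []
    if not CERT_NAME.match(name):
        problems.append(f"{name}: certificate name contains characters unsafe for a path")
    if pem_text is None:
        problems.append(f"{name}: certificate bundle not found")
        return problems
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if "CERTIFICATE" not in kinds:
        problems.append(f"{name}: no CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append(f"{name}: no PRIVATE KEY block (haproxy needs cert and key in one file)")
    return problems


def render_frontend(name, port, certs, mode="http", bundles=SAMPLE_BUNDLES,
                    crt_dir="/run/haproxy"):
    """Render a frontend section with one 'crt' per certificate.

    Every bundle is validated first so a bad certificate never reaches haproxy.
    Order matters: haproxy presents the FIRST 'crt' to clients whose SNI matches
    none of the loaded certificates (or who send no SNI at all), so the
    certificate you want as the default must be listed first.
    """
    problems = []
    for cert in certs:
        problems += bundle_problems(cert, bundles.get(cert))
    if problems:
        raise ValueError("; ".join(problems))
    crts = " ".join(f"crt {crt_dir}/{c}.pem" for c in certs)
    return [
        f"frontend {name}",
        f"    bind :::{port} v4v6 ssl {crts}",
        f"    mode {mode}",
    ]


if __name__ == "__main__":
    # Mirrors the two-certificate "web" service from the PR comment above.
    print("\n".join(render_frontend("web", 443, ["cert", "client1"])))
```

Running the block prints the same three-line frontend the task shows in the `grep Front -A 3` check. Swapping the order of `cert` and `client1` changes which certificate non-SNI clients receive, which is the detail worth confirming with a test client after adding a second domain.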

Viacheslav changed the task status from Open to Needs testing. Dec 14 2023, 4:28 PM

@Viacheslav I upgraded to the latest rolling release and this seems to work perfectly.

Thanks for the quick turnaround!

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.