Page MenuHomeVyOS Platform
Create Task
Maniphest T5798

reverse-proxy load-balancing service should support multiple certificates for frontend
Closed, ResolvedPublicENHANCEMENT
Actions

Description

The frontend service config for haproxy currently is limited to a single certificate in a single file, however haproxy supports multiple certificates which enables reverse-proxy for more than one domain certificate.

In my current use-case, cloudflare generates a different origin certificate for each domain, and there is no way to combine these.

Relevant reverse-proxy load-balancing configuration:

service https_app_k3s-1 {
    backend https_app_k3s-1
    listen-address ::
    listen-address 0.0.0.0
    mode http
    port 443
    ssl {
        certificate cloudflare-origin_domain_a
    }
}

Relevant generated haproxy.cfg section

frontend https_app_k3s-1
    bind [::]:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem
    bind 0.0.0.0:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem
    mode http
    default_backend https_app_k3s-1

Example manually tweaked haproxy.cfg to enable multiple domains (verified as working)

frontend https_app_k3s-1
    bind [::]:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem crt /run/haproxy/cloudflare-origin_domain_b.pem
    bind 0.0.0.0:443 ssl crt /run/haproxy/cloudflare-origin_domain_a.pem crt /run/haproxy/cloudflare-origin_domain_b.pem
    mode http
    default_backend https_app_k3s-1

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)

Related Objects

Event Timeline

jamcole created this task.Dec 4 2023, 3:46 AM
pasik subscribed.Dec 4 2023, 8:08 AM
naterator subscribed.Dec 7 2023, 6:09 PM
Viacheslav claimed this task.Dec 8 2023, 2:21 PM
Viacheslav subscribed.

PR https://github.com/vyos/vyos-1x/pull/2590

set load-balancing reverse-proxy service web mode http
set load-balancing reverse-proxy service web port 443
set load-balancing reverse-proxy service web ssl certificate cert 
set load-balancing reverse-proxy service web ssl certificate client1 
set load-balancing reverse-proxy backend bk01 server srv01 address 192.0.2.1
set load-balancing reverse-proxy backend bk01 server srv01 port 9898

Check:

vyos@r4# cat /run/haproxy/haproxy.cfg | grep Front -A 3
# Frontend
frontend web
    bind :::443 v4v6 ssl crt /run/haproxy/cert.pem crt /run/haproxy/client1.pem
    mode http
[edit]
Restricted Repository Identity mentioned this in rVYOSONEX9f72aff65e05: Merge pull request #2590 from sever-sever/T5798.Dec 14 2023, 4:24 PM
Viacheslav mentioned this in rVYOSONEXfe99c45e05fd: T5798: load-balancing revese-proxy add multiple SSL certificates.Dec 14 2023, 4:24 PM
Viacheslav added a project: VyOS 1.4 Sagitta.Dec 14 2023, 4:28 PM

@jamcole It will be available in the next rolling release.
Could you re-check it after 2023-12-14?

Viacheslav changed the task status from Open to Needs testing.Dec 14 2023, 4:28 PM
jamcole added a comment.Dec 19 2023, 11:21 PM

@Viacheslav I upgraded to the latest rolling release and this seems to work perfectly.

Thanks for the quick turnaround!

Restricted Repository Identity mentioned this in rVYOSONEXa3e059e7e8d3: T5798: load-balancing revese-proxy add multiple SSL certificates.Dec 20 2023, 1:07 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.Dec 20 2023, 1:09 AM
Restricted Repository Identity mentioned this in rVYOSONEX316a930b8c54: Merge pull request #2660 from vyos/mergify/bp/sagitta/pr-2590.Dec 20 2023, 6:42 AM
Viacheslav closed this task as Resolved.Dec 20 2023, 9:40 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.