On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote:
> Hi,
>
> You can't do this from HAProxy's configuration file. The passphrase is
> requested by your OpenSSL library.
> If there is a passphrase on your private key, there is a good reason:
> keep it secret.
> Maybe hacking HAProxy start script with 'expect' could do the trick,
> but I'm not sure.
By the way, we've been discussing this point for some time with Emeric. It seems that a clean solution would consist in having a "password server": an external process that haproxy would query upon startup. This would allow us to use whatever mechanisms are available to feed haproxy with the needed passwords, without having to type them upon every reload and without leaving them in the clear in any config. You would, for example, log into the system at boot, start the agent and type your password; then it would not be needed anymore. A bit like ssh-agent, in fact.

We need to think about some protections though, probably just at the socket level. Another difficulty would be to verify that the correct password was fed the first time. Maybe storing a short hash would work; this is still something to think about.

Any ideas on the subject are welcome, of course!

Willy
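The ssh-agent style design Willy sketches above, as an added sketch that is not HAProxy code and not from anyone in this thread: a Unix-socket agent protected at the socket level (0600 socket file plus, on Linux, an SO_PEERCRED uid check), and a short salted PBKDF2 verifier so a mistyped passphrase is caught when the agent is loaded rather than when the daemon fails to start. Function names, the wire format (one line, newline-terminated) and the 8-byte verifier length are assumptions of this example.

```python
import hashlib, hmac, os, socket, struct, tempfile, threading

def check_hash(passphrase: str, salt: bytes) -> bytes:
    """Short verifier to store beside the key (assumed 8 bytes: enough to detect a
    typo). PBKDF2 with a high iteration count keeps offline guessing slow if the
    stored verifier ever leaks."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)[:8]

def verify(passphrase: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time compare so the check itself leaks nothing.
    return hmac.compare_digest(check_hash(passphrase, salt), stored)

def bind_agent(path: str) -> socket.socket:
    """Create the listening socket; the umask makes the socket file 0600."""
    old = os.umask(0o077)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    return srv

def serve_once(srv: socket.socket, passphrase: str) -> bool:
    """Answer one request. On Linux, refuse peers not running as our own uid even
    if the socket file mode was loosened. Returns True if the secret was sent."""
    conn, _ = srv.accept()
    with conn, srv:
        peercred = getattr(socket, "SO_PEERCRED", None)   # Linux-only option
        if peercred is not None:
            _pid, uid, _gid = struct.unpack("iII", conn.getsockopt(socket.SOL_SOCKET, peercred, 12))
            if uid != os.getuid():
                return False
        conn.sendall(passphrase.encode() + b"\n")
        return True

def request_passphrase(path: str) -> str:
    """Client side: what the daemon would do once at startup/reload."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        return c.makefile("rb").readline().rstrip(b"\n").decode()

def demo(passphrase: str) -> tuple:
    """Run agent and client end to end on a temporary socket path."""
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")
    srv = bind_agent(path)
    served = []
    t = threading.Thread(target=lambda: served.append(serve_once(srv, passphrase)))
    t.start()
    got = request_passphrase(path)
    t.join()
    os.unlink(path)
    return served[0], got
```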

