Thanks for your suggestions

Thanks
Sukanta


On Tue, Jan 28, 2014 at 12:13 PM, Willy Tarreau <[email protected]> wrote:

> On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote:
> > Hi,
> >
> > You can't do this from HAProxy's configuration file. The passphrase is
> > requested by your OpenSSL library.
> > If there is a passphrase on your private key, there is a good reason:
> > keep it secret.
> > Maybe hacking HAProxy start script with 'expect' could do the trick,
> > but I'm not sure.
>
> By the way we've been discussing this point for some time with Emeric.
> It seems that a clean solution would consist in having a "password server"
> consisting in an external process that haproxy would request upon startup.
> This would allow us to use whatever mechanisms are available to feed
> haproxy with the needed passwords, without having to type it upon every
> reload and without leaving it in clear in any config. You would for
> example log into the system at boot, start the agent and type your
> password, then it would not be needed anymore. A bit like ssh-agent in
> fact. We need to think about some protections though, probably just at
> the socket level. Another difficulty would be to verify that the correct
> password was fed the first time. Maybe storing a short hash would work,
> this is still something to think about.
>
> Any ideas on the subject are welcome, of course!
>
> Willy
>
>
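
The agent idea discussed above, as an added sketch (not part of the thread, not HAProxy code, and not an implemented HAProxy feature): a truncated PBKDF2 check value to catch a mistyped passphrase at entry, and a Linux SO_PEERCRED test so the agent only answers one UID. The function names, 2-byte check length, iteration count and sample passphrase are assumptions made for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

CHECK_LEN = 2        # assumption: 16 bits catches typos but cannot confirm a guess uniquely
ITERATIONS = 200_000  # assumption: PBKDF2 work factor to slow offline guessing

def make_check(passphrase: bytes, salt: bytes) -> bytes:
    """Short check value to store beside the salt; the passphrase itself is never stored."""
    full = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS)
    return full[:CHECK_LEN]

def passphrase_ok(passphrase: bytes, salt: bytes, check: bytes) -> bool:
    """True if the typed passphrase matches the stored short check value."""
    return hmac.compare_digest(make_check(passphrase, salt), check)

def peer_uid(conn: socket.socket) -> int:
    """UID of the process at the other end of a Unix socket (Linux SO_PEERCRED)."""
    fmt = "iII"  # struct ucred: pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, raw)
    return uid

def answer(conn: socket.socket, passphrase: bytes, allowed_uid: int) -> bool:
    """Send the passphrase only to the allowed UID; otherwise close without replying."""
    try:
        if peer_uid(conn) != allowed_uid:
            return False
        conn.sendall(passphrase + b"\n")
        return True
    finally:
        conn.close()

if __name__ == "__main__":
    salt = os.urandom(16)
    secret = b"correct horse"  # constructed sample passphrase
    check = make_check(secret, salt)
    print("typo accepted:", passphrase_ok(b"correct hrose", salt, check))
    agent, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print("served:", answer(agent, secret, os.getuid()), client.recv(64))
    client.close()
```

The short check value still lets anyone who reads it discard most wrong guesses offline, so it belongs in a file with the same permissions as the key.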
