Hello

Off the top of my head, you could tell haproxy that the key is in a secured
directory, say something like /dev/shm.

Then have your own init script that unlocks the private key and puts it
where haproxy expects it (openssl will do that). After haproxy starts it
can be deleted.
It can do it again for restarts.

Thanks.

Neil
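Neil's scheme above, written out as an added example script that is not from the thread or the HAProxy project. It assumes the encrypted key at /etc/haproxy/ssl/site.key.enc, the certificate beside it, a private subdirectory under /dev/shm, and a haproxy.cfg whose crt option points at the PEM file the script writes; all of those paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a passphrase-protected key into
# a tmpfs directory, start HAProxy, then remove the plaintext copy.
# All paths and HAPROXY_CMD are assumptions; run as: sh unlock-haproxy-key.sh run
set -eu

ENC_KEY="${ENC_KEY:-/etc/haproxy/ssl/site.key.enc}"   # assumed: encrypted key
CERT="${CERT:-/etc/haproxy/ssl/site.crt}"             # assumed: certificate
RUN_DIR="${RUN_DIR:-/dev/shm/haproxy-ssl}"            # tmpfs scratch dir
PEM="$RUN_DIR/site.pem"  # haproxy.cfg: bind :443 ssl crt /dev/shm/haproxy-ssl/site.pem
HAPROXY_CMD="${HAPROXY_CMD:-haproxy -f /etc/haproxy/haproxy.cfg -D}"

# Refuse to proceed unless the stored key really is passphrase-protected
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED"),
# so a plaintext key is never copied around by mistake.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# /dev/shm itself is world-writable; keep the key in a private 0700 subdir.
prepare_dir() {
    umask 077
    mkdir -p "$RUN_DIR"
    chmod 700 "$RUN_DIR"
    [ -n "$(find "$RUN_DIR" -maxdepth 0 -type d -perm 700)" ]
}

# Decrypt the key (openssl prompts for the passphrase) and join it with the
# certificate into the single PEM file HAProxy's "crt" option expects.
unlock_key() {
    openssl pkey -in "$ENC_KEY" -out "$RUN_DIR/site.key"
    cat "$CERT" "$RUN_DIR/site.key" > "$PEM"
    rm -f "$RUN_DIR/site.key"
}

# Remove the plaintext material once the daemon has loaded it.
cleanup() {
    rm -f "$PEM"
    rmdir "$RUN_DIR" 2>/dev/null || true
    [ ! -e "$PEM" ]
}

main() {
    key_is_encrypted "$ENC_KEY" || { echo "refusing: $ENC_KEY is not encrypted" >&2; exit 1; }
    prepare_dir
    unlock_key
    $HAPROXY_CMD   # haproxy reads the key while starting
    cleanup        # rerun this script for every restart or reload
}
case "${1:-}" in run) main ;; esac
```

Because the plaintext only ever lives on tmpfs inside a 0700 directory and is deleted as soon as the daemon has read it, the passphrase still has to be typed once per start, which is exactly the trade-off Neil describes.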
On 28 Jan 2014 07:12, "Sukanta Saha" <[email protected]> wrote:

> Thanks for your suggestions
>
> Thanks
> Sukanta
>
>
> On Tue, Jan 28, 2014 at 12:13 PM, Willy Tarreau <[email protected]> wrote:
>
>> On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote:
>> > Hi,
>> >
>> > You can't do this from HAProxy's configuration file. The passphrase is
>> > requested by your OpenSSL library.
>> > If there is a passphrase on your private key, there is a good reason:
>> > keep it secret.
>> > Maybe hacking HAProxy start script with 'expect' could do the trick,
>> > but I'm not sure.
>>
>> By the way we've been discussing this point for some time with Emeric.
>> It seems that a clean solution would consist in having a "password server"
>> consisting in an external process that haproxy would request upon startup.
>> This would allow us to use whatever mechanisms are available to feed
>> haproxy with the needed passwords, without having to type it upon every
>> reload and without leaving it in clear in any config. You would for
>> example log into the system at boot, start the agent and type your
>> password, then it would not be needed anymore. A bit like ssh-agent in
>> fact. We need to think about some protections though, probably just at
>> the socket level. Another difficulty would be to verify that the correct
>> password was fed the first time. Maybe storing a short hash would work,
>> this is still something to think about.
>>
>> Any ideas on the subject are welcome, of course!
>>
>> Willy
>>
>>
>
