>>> On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote:
>>> > Hi,
>>> >
>>> > You can't do this from HAProxy's configuration file. The passphrase is
>>> > requested by your OpenSSL library.
>>> > If there is a passphrase on your private key, there is a good reason:
>>> > keep it secret.
>>> > Maybe hacking HAProxy start script with 'expect' could do the trick,
>>> > but I'm not sure.
>>>
>>> By the way we've been discussing this point for some time with Emeric.
>>> It seems that a clean solution would consist in having a "password server"
>>> consisting in an external process that haproxy would request upon startup.
>>> This would allow us to use whatever mechanisms are available to feed
>>> haproxy with the needed passwords, without having to type it upon every
>>> reload and without leaving it in clear in any config. You would for
>>> example log into the system at boot, start the agent and type your
>>> password, then it would not be needed anymore. A bit like ssh-agent in
>>> fact. We need to think about some protections though, probably just at
>>> the socket level. Another difficulty would be to verify that the correct
>>> password was fed the first time. Maybe storing a short hash would work,
>>> this is still something to think about.
>>>
>>> Any ideas on the subject are welcome, of course!
>>>
>>> Willy
An old trick that should still work would be to provide a path to an executable that haproxy spawns and whose output it uses as the keystore password. The executable can be anything, even a simple (SUID) shell script that reads a password from the file system: simple, but often enough to keep passwords out of configuration files. Since haproxy may need to ask for several (many?) different keys, an argument identifying the password requested is probably needed unless some naming convention is used.

-Bryan
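As an added illustration of the helper Bryan describes (this is not code from the thread or from HAProxy): a small script the daemon would spawn with the key path as its one argument, reading the passphrase from the helper's stdout. The directory `/etc/haproxy/keypass`, the `<keyfile>.pass` naming convention and the sample passphrases are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from HAProxy: a passphrase
# helper of the kind Bryan describes. The daemon would spawn it with the key
# path as its single argument and read the passphrase from its stdout.
# The directory, naming convention and sample passphrases are constructed.

# Naming convention (assumed): /path/to/site.pem -> $KEYPASS_DIR/site.pem.pass
KEYPASS_DIR="${KEYPASS_DIR:-/etc/haproxy/keypass}"

# keypass_helper KEYFILE : print the passphrase for KEYFILE on stdout, or fail.
keypass_helper() {
    key="$1"
    [ -n "$key" ] || { echo "usage: keypass_helper KEYFILE" >&2; return 2; }
    passfile="$KEYPASS_DIR/$(basename "$key").pass"
    [ -f "$passfile" ] || { echo "no passphrase stored for $key" >&2; return 1; }
    # Refuse to serve a passphrase that is group- or world-readable anyway:
    # the helper only helps if the stored secret is at least as protected
    # as the key it unlocks (mode 400/600, i.e. "------" in ls -l columns 5-10).
    if [ "$(ls -ld "$passfile" | cut -c5-10)" != "------" ]; then
        echo "$passfile is readable by others, refusing" >&2
        return 1
    fi
    head -n 1 "$passfile"
}

# Daemon-side wrapper: spawn the helper once per key, keep the first line,
# and treat an empty answer as a failure rather than trying an empty passphrase.
fetch_passphrase() {
    pass="$(keypass_helper "$1")" || return 1
    [ -n "$pass" ] || return 1
    printf '%s' "$pass"
}

# Constructed fixture so the script runs stand-alone: a temporary keypass
# directory with one properly protected entry and one deliberately exposed one.
demo_setup() {
    KEYPASS_DIR="$(mktemp -d)"
    umask 077
    printf 'correct horse battery staple\n' > "$KEYPASS_DIR/site.pem.pass"
    printf 'exposed secret\n' > "$KEYPASS_DIR/weak.pem.pass"
    chmod 644 "$KEYPASS_DIR/weak.pem.pass"
}

demo_setup
fetch_passphrase /etc/haproxy/ssl/site.pem && echo " <- served for site.pem"
fetch_passphrase /etc/haproxy/ssl/weak.pem || echo "weak.pem correctly refused"
```

In a real deployment the daemon would exec the helper with the key path it is about to load, so the per-key argument removes the need for a naming convention inside the configuration itself.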

