Thanks for all your help, I will try, I have one more question that is about the haproxy.conf file , in this file we have written so many backends which are getting called from the frontends. Is there a way that I can seperate out the backends in multiple config files and from my main haproxy.conf file I will call those files. So that the main files looks clean and nice and I will have multiple config files for my each service or backends . If I need to change anything for a service I will change the corresponding config file not the main file.
Please help me out here. Thanks And Regards Sukanta On Tue, Jan 28, 2014 at 4:15 PM, Neil <[email protected]> wrote: > Hello > > Off the top of my head you could tell haproxy that the key is in a secured > directory of say something like /dev/shm > > Then have your own init script that unlocks the private key and puts it > where haproxy expects it (openssl will do that). After haproxy starts it > can be deleted. > It can do it again for restarts. > > Thanks. > > Neil > On 28 Jan 2014 07:12, "Sukanta Saha" <[email protected]> wrote: > >> Thanks for your suggestions >> >> Thanks >> Sukanta >> >> >> On Tue, Jan 28, 2014 at 12:13 PM, Willy Tarreau <[email protected]> wrote: >> >>> On Mon, Jan 27, 2014 at 10:24:35PM +0100, Baptiste wrote: >>> > Hi, >>> > >>> > You can't do this from HAProxy's configuration file. The passphrase is >>> > requested by your OpenSSL library. >>> > If there is a passphrase on your private key, there is a good reason: >>> > keep it secret. >>> > Maybe hacking HAProxy start script with 'expect' could do the trick, >>> > but I'm not sure. >>> >>> By the way we've been discussing this point for some time with Emeric. >>> It seems that a clean solution would consist in having a "password >>> server" >>> consisting in an external process that haproxy would request upon >>> startup. >>> This would allow us to use whatever mechanisms are available to feed >>> haproxy with the needed passwords, without having to type it upon every >>> reload and without leaving it in clear in any config. You would for >>> example log into the system at boot, start the agent and type your >>> password, then it would not be needed anymore. A bit like ssh-agent in >>> fact. We need to think about some protections though, probably just at >>> the socket level. Another difficulty would be to verify that the correct >>> password was fed the first time. Maybe storing a short hash would work, >>> this is still something to think about. >>> >>> Any ideas on the subject are welcome, of course! >>> >>> Willy >>> >>> >>
