Hi, we use a generator for haproxy configs here, and among other things it
generates an https frontend using SNI to redirect to endpoints.
Basically, we host a lot of VMs and the host is NATing/redirecting every served
domain to the underlying VM, also when we use https.
In other words, it terminates SSL on the haproxy front and we are using a
certificate per VM.
Technically, this was as simple as adding a crt <crt> for each VM...
This setup worked fine and without a glitch for a time, but it's failing on one
host as the generated bind line seems to be too long:

bind *:443 ssl crt /etc/ssl/cloud/certs/ovh-r5-2.this-company.net.crt crt
/etc/ssl/cloud/certs/prod-appapp1.this-company.net.crt crt
/etc/ssl/cloud/certs/appapp1.this-company.net.crt crt
/etc/ssl/cloud/certs/prod-somethelse.this-company.net.crt crt
/etc/ssl/cloud/certs/someth-else.be.crt crt
/etc/ssl/cloud/certs/someth-else.com.crt crt
/etc/ssl/cloud/certs/someth-else.eu.crt crt
/etc/ssl/cloud/certs/someth-else.fr.crt crt
/etc/ssl/cloud/certs/someth-else.mobi.crt crt
/etc/ssl/cloud/certs/someth-else.net.crt crt
/etc/ssl/cloud/certs/someth-else.org.crt crt
/etc/ssl/cloud/certs/somethelse.be.crt crt
/etc/ssl/cloud/certs/somethelse.com.crt crt
/etc/ssl/cloud/certs/somethelse.eu.crt crt
/etc/ssl/cloud/certs/somethelse.fr.crt crt
/etc/ssl/cloud/certs/somethelse.mobi.crt crt
/etc/ssl/cloud/certs/somethelse.net.crt crt
/etc/ssl/cloud/certs/somethelse.org.crt crt
/etc/ssl/cloud/certs/e-cov.somethelse.net.crt crt
/etc/ssl/cloud/certs/appappapp3.somethelse.net.crt crt
/etc/ssl/cloud/certs/www.someth-else.be.crt crt
/etc/ssl/cloud/certs/www.someth-else.com.crt crt
/etc/ssl/cloud/certs/www.someth-else.eu.crt crt
/etc/ssl/cloud/certs/www.someth-else.fr.crt crt
/etc/ssl/cloud/certs/www.someth-else.mobi.crt crt
/etc/ssl/cloud/certs/www.someth-else.org.crt crt
/etc/ssl/cloud/certs/www.somethelse.be.crt crt
/etc/ssl/cloud/certs/www.somethelse.com.crt crt
/etc/ssl/cloud/certs/www.somethelse.eu.crt crt
/etc/ssl/cloud/certs/www.somethelse.fr.crt crt
/etc/ssl/cloud/certs/www.somethelse.mobi.crt crt
/etc/ssl/cloud/certs/www.somethelse.net.crt crt
/etc/ssl/cloud/certs/www.somethelse.org.crt crt
/etc/ssl/cloud/certs/www2.somethelse.com.crt crt
/etc/ssl/cloud/certs/www2.somethelse.eu.crt crt
/etc/ssl/cloud/certs/www2.somethelse.fr.crt crt
/etc/ssl/cloud/certs/www2.somethelse.net.crt crt
/etc/ssl/cloud/certs/www2.somethelse.org.crt crt
/etc/ssl/cloud/certs/prod-appapp4.this-company.net.crt crt
/etc/ssl/cloud/certs/appapp4.this-company.net.crt

(this line is edited but is as long as the original one)

This is how haproxy complains at restart:

[ALERT] 163/095929 (3094) : parsing
[/etc/haproxy/extra/cloudcontroller.cfg:180]: line too long, truncating at word
65, position 1438:  ...
[ALERT] 163/095929 (3094) : parsing [/etc/haproxy/extra/cloudcontroller.cfg:180]
: 'bind *:443' : 'crt' : missing certificate location
[ALERT] 163/095929 (3094) : Error(s) found in configuration file :
/etc/haproxy/extra/cloudcontroller.cfg


As it first truncates the bind content, it then, without surprise, fails to load.

Is it affordable just to increase the bind argument size limit, maybe to
something large enough that no one can reach this limit?

-- 
Cordialement,
KiOrKY
GPG Key FingerPrint: 0x1A1194B7681112AF
Think of the environment.
Print this e-mail only if you really need it.


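The post above puts every certificate on one `bind` line and hits the parser's line-length limit. HAProxy's `crt-list` keyword (and, alternatively, `crt` pointing at a directory) sidesteps this: each certificate bundle gets its own line in a separate file, so the `bind` line stays the same length however many VMs are hosted. The script below is an added example, not the poster's generator or anything from the HAProxy project; the directory layout, file names and the `/etc/...` output paths in it are assumptions, and the demo input is constructed placeholder files.

```shell
#!/bin/sh
# Added example (not from the original post): generate a HAProxy crt-list
# file from a directory of *.crt bundles and emit a short bind line.
# Assumptions: each *.crt is a PEM bundle (cert + key) as HAProxy expects;
# the directory and output paths are hypothetical.

set -eu

# Write a crt-list file: one certificate bundle per line. The shell glob is
# expanded in sorted order, so the output is stable across runs.
# Prints the number of bundles listed.
gen_crt_list() {
    certs_dir=$1
    list_file=$2
    : > "$list_file"
    for f in "$certs_dir"/*.crt; do
        [ -f "$f" ] || continue          # no *.crt at all: leave list empty
        printf '%s\n' "$f" >> "$list_file"
    done
    wc -l < "$list_file" | tr -d ' '
}

# Emit the bind line that references the list. Its length no longer grows
# with the number of certificates, so the "line too long" alert cannot recur.
gen_bind_line() {
    list_file=$1
    printf 'bind *:443 ssl crt-list %s\n' "$list_file"
}

# Constructed demo input: empty placeholder bundles whose names mimic the post.
demo() {
    tmp=$(mktemp -d)
    for n in ovh-r5-2.this-company.net appapp1.this-company.net \
             someth-else.be www.someth-else.be; do
        : > "$tmp/$n.crt"
    done
    count=$(gen_crt_list "$tmp" "$tmp/certs.list")
    echo "$count certificate bundles listed in $tmp/certs.list"
    gen_bind_line "$tmp/certs.list"
    # With a real config in place, validate before reloading:
    #   haproxy -c -f /etc/haproxy/haproxy.cfg
    rm -rf "$tmp"
}

demo
```

In production the generator would write the list to something like `/etc/haproxy/certs.list` and keep the `bind` line fixed; each `crt-list` line may also carry optional SNI filters after the path if a bundle should only answer for specific names. If no per-line options are needed, `bind *:443 ssl crt /etc/ssl/cloud/certs/` (a directory) loads every bundle in that directory and needs no list file at all.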