Hi Marshall,
On 07/03/2016 16:56, Marshall, Owen (GE Appliances) wrote:
Hi there,
I'm seeing some odd behavior with HAProxy 1.6.3 and the ordering of ssl &
verify in my configuration file. I'm not sure if this is truly a bug or a
misunderstanding on my part.
We are attempting to set up HAProxy to load balance SSL-enabled servers, but aren't
currently concerned with CA verification. The HAProxy config file is currently being
auto-generated by interlock (https://github.com/ehazlett/interlock), a tool that marries
Docker Swarm & HAProxy quite nicely. But I've verified the problem exists with
self-built config files & a stock HAProxy 1.6.3 as well.
In the following backend configuration section:
backend cloud_dev
    http-response add-header X-Request-Start %Ts.%ms
    balance roundrobin
    server dev1 3.101.113.47:32777 check inter 5000 ssl sni req.hdr(Host) verify none
I receive the following error output:
[ALERT] 062/205826 (31) : Proxy 'cloud_dev', server 'dev1' [proxy.conf:40]
verify is enabled by default but no CA file specified. If you're running on a
LAN where you're certain to trust the server's certificate, please set an
explicit 'verify none' statement on the 'server' line, or use
'ssl-server-verify none' in the global section to disable server-side
verifications by default.
[WARNING] 062/205826 (31) : Setting tune.ssl.default-dh-param to 1024 by default,
if your workload permits it you should set it to at least 2048. Please set a value
>= 1024 to make this warning disappear.
[ALERT] 062/205826 (31) : Fatal errors found in configuration.
If I adjust the configuration section to place "verify none" immediately after
the ssl statement:
backend cloud_dev
    http-response add-header X-Request-Start %Ts.%ms
    balance roundrobin
    server dev1 3.101.113.47:32777 check inter 5000 ssl verify none sni req.hdr(Host)
things work as expected.
It appears that the ordering of the ssl & verify options is important - but my
reading of the docs indicates that this shouldn't be the case:
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#ssl%20(Server%20and%20default-server%20options)
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#sni
I'm going to send a pull request to interlock to adjust the generated server
configs, but wanted to check first to see if there is an underlying bug with
the way HAProxy handles the configuration files that needed to be reported as
well.
See inline for a minimal configuration file that exhibits the bug - just move
"verify none" to the end to see it work as expected.
Thanks for the details, it helped me to reproduce the bug. It looks to
happen only with the "sni" keyword, where 2 parts in the code try to
increment the argument index during the server line parsing.
I'm working on a patch.
--
Cyril Bonté
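The failure mode Cyril describes (two places in the server-line parser both advancing the argument index when "sni" is handled, so the keyword after sni's argument is never looked at) can be reproduced with a small toy parser. The block below is an added illustration written for this thread, not HAProxy's own code: the keyword table, the struct srv_opts layout, the parse_server/alert_for/unknown_for helpers and the "buggy" switch are all assumptions made for the model. It feeds both server lines from the report through a buggy and a fixed keyword loop and reports whether the explicit "verify none" was recorded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a "server" line keyword parser.
 * Not HAProxy's code: it only reproduces the failure mode from the thread,
 * where two places advance the argument index when "sni" is parsed. */

#define MAX_ARGS 32

struct srv_opts {
    int ssl;          /* "ssl" keyword seen */
    int verify_none;  /* explicit "verify none" seen */
    int check;        /* "check" keyword seen */
    int inter;        /* "inter <ms>" value, 0 if absent */
    char sni[64];     /* "sni <expr>" argument, empty if absent */
    int unknown;      /* tokens that matched no keyword */
};

/* Split a writable line on blanks; returns the number of tokens. */
static int split_args(char *line, char **args, int max)
{
    int n = 0;
    char *tok = strtok(line, " \t\r\n");

    while (tok && n < max) {
        args[n++] = tok;
        tok = strtok(NULL, " \t\r\n");
    }
    return n;
}

/* Parse "server <name> <addr> [keywords...]" into *o. Returns 0 on success.
 * With buggy != 0 the "sni" handler advances cur itself and the generic loop
 * advances it again by the keyword's width, so the keyword that follows
 * sni's argument is skipped and its own argument is left as an orphan. */
static int parse_server(const char *line, struct srv_opts *o, int buggy)
{
    char buf[256];
    char *args[MAX_ARGS];
    int argc, cur;

    memset(o, 0, sizeof(*o));
    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    argc = split_args(buf, args, MAX_ARGS);
    if (argc < 3 || strcmp(args[0], "server") != 0)
        return -1;

    cur = 3;                      /* args[1] = name, args[2] = address */
    while (cur < argc) {
        int width = 1;            /* keyword plus its arguments */

        if (!strcmp(args[cur], "ssl")) {
            o->ssl = 1;
        } else if (!strcmp(args[cur], "check")) {
            o->check = 1;
        } else if (!strcmp(args[cur], "inter")) {
            if (cur + 1 >= argc)
                return -1;
            o->inter = atoi(args[cur + 1]);
            width = 2;
        } else if (!strcmp(args[cur], "verify")) {
            if (cur + 1 >= argc)
                return -1;
            o->verify_none = (strcmp(args[cur + 1], "none") == 0);
            width = 2;
        } else if (!strcmp(args[cur], "sni")) {
            if (cur + 1 >= argc)
                return -1;
            strncpy(o->sni, args[cur + 1], sizeof(o->sni) - 1);
            width = 2;
            if (buggy)
                cur += 1;         /* first increment: handler steps over its argument */
        } else {
            o->unknown++;         /* in this model an orphaned argument lands here */
        }
        cur += width;             /* second increment: the generic loop steps again */
    }
    return 0;
}

/* Mirrors the post-parse check behind the ALERT quoted in the thread:
 * ssl is on but no explicit "verify none" was recorded. */
static int needs_ca_alert(const struct srv_opts *o)
{
    return o->ssl && !o->verify_none;
}

/* Convenience wrappers: -1 on parse error, otherwise the alert flag or the
 * number of unrecognised tokens for one server line. */
int alert_for(const char *line, int buggy)
{
    struct srv_opts o;
    return parse_server(line, &o, buggy) < 0 ? -1 : needs_ca_alert(&o);
}

int unknown_for(const char *line, int buggy)
{
    struct srv_opts o;
    return parse_server(line, &o, buggy) < 0 ? -1 : o.unknown;
}

int main(void)
{
    /* The two server lines from the report, constructed here as input. */
    const char *sni_first = "server dev1 3.101.113.47:32777 check inter 5000 ssl sni req.hdr(Host) verify none";
    const char *verify_first = "server dev1 3.101.113.47:32777 check inter 5000 ssl verify none sni req.hdr(Host)";
    int buggy;

    for (buggy = 1; buggy >= 0; buggy--) {
        printf("%s parser, sni before verify: alert=%d unknown=%d\n",
               buggy ? "buggy" : "fixed", alert_for(sni_first, buggy), unknown_for(sni_first, buggy));
        printf("%s parser, verify before sni: alert=%d unknown=%d\n",
               buggy ? "buggy" : "fixed", alert_for(verify_first, buggy), unknown_for(verify_first, buggy));
    }
    return 0;
}
```

With the buggy loop, "sni req.hdr(Host) verify none" leaves verify_none unset (the index jumps from "sni" straight past "verify"), which is exactly the state that triggers the "verify is enabled by default but no CA file specified" alert; putting "verify none" before "sni" hides the defect because nothing follows sni's argument. The fixed loop gives the same result for both orderings, which is what the documentation leads one to expect.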