Hi Aleks

> On 1 Feb 2018, at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote:
> 
> Hi.
> 
> ------ Original Message ------
> From: "Emmanuel Hocdet" <m...@gandi.net>
> To: "haproxy" <haproxy@formilux.org>
> Sent: 01.02.2018 17:54:46
> Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
> 
>> Hi,
>> 
>> This patch introduces proxy-v2-options for send-proxy-v2.
>> The goal is to add more options from doc/proxy-protocol.txt, especially
>> all TLS information related to security.
> Can this function then replace the current `send-proxy-v2-ssl-cn` && 
> `send-proxy-v2-ssl`?

Yes and no, you must add send-proxy-v2 to activate proxy-v2.

> Let's say when the option is 'ssl-cn' then add all three flags as in the 
> current `srv_parse_send_proxy_cn` function?
> 
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
> 
> We offer with this suggested solution a backward compatibility and the new 
> function is in use.
> 

You must use "send-proxy-v2 proxy-v2-options ssl" for the current
send-proxy-v2-ssl.
You must use "send-proxy-v2 proxy-v2-options cert-cn" for the current
send-proxy-v2-ssl-cn.

The next options should be authority, cert-key, cert-sig, ssl-cipher.

> Maybe in the next step there could be a 'tlv' option which can decode custom 
> TLVs?
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
> 
> Just some brainstorming ;-)
> 
> What do you mean?
> 

HAProxy is naturally a producer of ‘tlv’ options (for sure when related to 
ssl). I don’t know how ‘tlv’ options (other than netns)
could be really useful to consume; passthru could be more useful.

++
Manu
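
An added illustration, not part of this thread or of HAProxy's code: a minimal Python decoder for the receiving side of a PROXY v2 header, showing how the SSL and authority TLVs discussed above are laid out and bounds-checked. Type codes and the PP2_TYPE_SSL layout follow doc/proxy-protocol.txt; the function names, result keys and sample bytes are constructed for this example.

```python
import struct
SIG = b"\r\n\r\n\x00\r\nQUIT\n"          # 12-byte PROXY v2 signature
ADDR_LEN = {0x11: 12, 0x21: 36}          # TCP over IPv4 / TCP over IPv6
PP2_TYPE_AUTHORITY, PP2_TYPE_SSL = 0x02, 0x20
SSL_SUB = {0x21: "version", 0x22: "cn", 0x23: "cipher", 0x24: "sig_alg", 0x25: "key_alg"}

def tlv(typ, val):  # encode: 1-byte type, 2-byte big-endian length, value
    return struct.pack("!BH", typ, len(val)) + val

def iter_tlvs(buf):
    """Yield (type, value); reject a TLV that overruns its container."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise ValueError("truncated TLV header")
        typ, length = struct.unpack_from("!BH", buf, off)
        off += 3
        if length > len(buf) - off:
            raise ValueError("TLV length overruns buffer")
        yield typ, buf[off:off + length]
        off += length

def parse_proxy_v2(data):
    """Return the TLS facts a backend would act on, or raise ValueError."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack_from("!BBH", data, 12)
    alen = ADDR_LEN.get(fam)
    if ver_cmd != 0x21 or alen is None or length < alen or len(data) < 16 + length:
        raise ValueError("unsupported or malformed header")
    out = {"tls": False, "cert_verified": False}
    for typ, val in iter_tlvs(data[16 + alen:16 + length]):
        if typ == PP2_TYPE_AUTHORITY:
            out["authority"] = val.decode("utf-8", "replace")
        elif typ == PP2_TYPE_SSL:
            if len(val) < 5:
                raise ValueError("short PP2_TYPE_SSL value")
            client, verify = struct.unpack_from("!BI", val)
            out["tls"] = bool(client & 0x01)  # PP2_CLIENT_SSL
            out["cert_verified"] = bool(client & 0x06) and verify == 0  # cert must be presented
            for sub, sval in iter_tlvs(val[5:]):
                if sub in SSL_SUB:
                    out[SSL_SUB[sub]] = sval.decode("utf-8", "replace")
    return out

# Constructed sample: 192.0.2.10:51234 -> 198.51.100.5:443, verified client cert
_ssl = struct.pack("!BI", 0x03, 0) + tlv(0x21, b"TLSv1.2") + tlv(0x22, b"client.example")
_body = (bytes([192, 0, 2, 10, 198, 51, 100, 5]) + struct.pack("!HH", 51234, 443)
         + tlv(PP2_TYPE_AUTHORITY, b"www.example") + tlv(PP2_TYPE_SSL, _ssl))
SAMPLE = SIG + struct.pack("!BBH", 0x21, 0x11, len(_body)) + _body
```

A receiver should only trust these fields on connections from proxies it has explicitly allowed to send the header, since the values are asserted by the sender and not authenticated.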




