Hi Manu.
------ Original Message ------
From: "Emmanuel Hocdet" <m...@gandi.net>
To: "Aleksandar Lazic" <al-hapr...@none.at>
Cc: "haproxy" <haproxy@formilux.org>
Sent: 05.02.2018 14:58:20
Subject: Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
Hi Aleks,
On 2 Feb 2018 at 20:46, Aleksandar Lazic <al-hapr...@none.at> wrote:
Hi Manu.
On 02-02-2018 10:49, Emmanuel Hocdet wrote:
Hi Aleks
On 1 Feb 2018 at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote:
Hi.
------ Original Message ------
From: "Emmanuel Hocdet" <m...@gandi.net>
To: "haproxy" <haproxy@formilux.org>
Sent: 01.02.2018 17:54:46
Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
Hi,
This patch introduces proxy-v2-options for send-proxy-v2.
Goal is to add more options from doc/proxy-protocol.txt,
especially all TLS information related to security.
Can then this function replace the current one
`send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`
yes and no, you must add send-proxy-v2 to activate proxy-v2
Let's say when the option is 'ssl-cn' then add all three flags as in
the current `srv_parse_send_proxy_cn` function?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
We offer with this suggested solution a backward compatibility and
the new function is in use.
you must use "send-proxy-v2 proxy-v2-options ssl" for current
send-proxy-v2-ssl
you must use "send-proxy-v2 proxy-v2-options cert-cn" for current
send-proxy-v2-ssl-cn
next options should be authority,cert-key,cert-sig,ssl-cipher
Maybe in the next step there could be a 'tlv' option which can
decode custom tlv's ?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
Just some brainstorming ;-)
What do you mean?
Haproxy is naturally a producer for ‘tlv’ options (for sure when
related to ssl). I don’t know how ‘tlv’ options (other than netns)
could be really useful to consume, passthru could be more useful.
How about this example.
https://www.mail-archive.com/haproxy@formilux.org/msg28647.html
How to parse custom PROXY protocol v2 header for custom routing in
HAProxy configuration?
This case describes a case for AWS's own header in PP2
PP2_SUBTYPE_AWS_VPCE_ID
I know it's not easy but maybe worth to discuss how to use the free
fields in PP2 for some acls
Consume and produce pp-v2 tlv are two different things.
For tlv consume, I work with Varnish and the problem is the same: where
to store them and how to use them.
I do not know of a generic solution, especially in the case of custom
tlv.
Thanks for the explanation.
I also have no idea for now.
++
Manu
Best regards
aleks
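
The thread above concerns producing and consuming PROXY protocol v2 TLVs. As an added example (not part of the patch or of HAProxy's code), this Python parser reads the TLV section of a v2 header, including the PP2_TYPE_SSL sub-TLVs and the AWS VPCE ID TLV, and bounds-checks every length field before using it. The function names and the sample header are constructed for illustration; only the TCP/UDP over IPv4/IPv6 families are handled.

```python
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"                      # 12-byte PROXY v2 signature
ADDR_LEN = {0x11: 12, 0x12: 12, 0x21: 36, 0x22: 36}  # TCP/UDP over IPv4/IPv6
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_CN = 0x20, 0x22        # doc/proxy-protocol.txt
PP2_TYPE_AWS, PP2_SUBTYPE_AWS_VPCE_ID = 0xEA, 0x01   # AWS custom TLV

def iter_tlvs(buf):
    """Yield (type, value); reject any TLV that overruns its container."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise ValueError("truncated TLV header")
        typ, length = struct.unpack_from("!BH", buf, off)
        off += 3
        if length > len(buf) - off:
            raise ValueError("TLV length exceeds remaining bytes")
        yield typ, buf[off:off + length]
        off += length

def parse_pp2(data):
    """Return the TLVs carried by one PROXY v2 header as a dict."""
    if len(data) < 16 or data[:12] != SIG or data[12] >> 4 != 2:
        raise ValueError("not a PROXY v2 header")
    fam = data[13]
    (total,) = struct.unpack_from("!H", data, 14)
    if fam not in ADDR_LEN or total < ADDR_LEN[fam] or len(data) < 16 + total:
        raise ValueError("bad family or length")
    out = {"ssl": None, "aws_vpce_id": None, "other": []}
    for typ, val in iter_tlvs(data[16 + ADDR_LEN[fam]:16 + total]):
        if typ == PP2_TYPE_SSL:
            if len(val) < 5:                 # 1-byte client flags + 4-byte verify
                raise ValueError("short PP2_TYPE_SSL")
            client, verify = struct.unpack_from("!BI", val)
            sub = dict(iter_tlvs(val[5:]))   # sub-TLVs share the TLV layout
            out["ssl"] = {"client": client, "verify": verify,
                          "cn": sub.get(PP2_SUBTYPE_SSL_CN)}
        elif typ == PP2_TYPE_AWS and val[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            out["aws_vpce_id"] = val[1:].decode("ascii")
        else:
            out["other"].append((typ, val))  # unknown/custom TLV kept raw
    return out

def tlv(typ, val):
    """Encode one TLV (helper for building the constructed sample)."""
    return struct.pack("!BH", typ, len(val)) + val

# Constructed sample: TCP/IPv4 header carrying an SSL TLV (CN sub-TLV) and an AWS TLV.
sample_addr = bytes([192, 0, 2, 10, 198, 51, 100, 20]) + struct.pack("!HH", 51000, 443)
sample_ssl = struct.pack("!BI", 0x05, 0) + tlv(PP2_SUBTYPE_SSL_CN, b"client.example")
sample_body = sample_addr + tlv(PP2_TYPE_SSL, sample_ssl) + tlv(PP2_TYPE_AWS, b"\x01vpce-0example")
SAMPLE = SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(sample_body)) + sample_body
```

Unrecognised TLV types end up in `other` as raw bytes, which is the "where to store them and how to use them" question raised in the thread.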