Last active: August 23, 2020 04:31
Dynamic SSL Certificate Storage in HAProxy

global
    # Enable the HAProxy Runtime API. Level "admin" on a TCP port means anyone
    # who can reach port 9999 can change certificates, so restrict access to it.
    stats socket :9999 level admin expose-fd listeners

frontend fe_sitea
    mode http
    # listen for HTTP traffic
    bind :80
    # listen for HTTPS traffic, load certificates from a directory
    bind :443 ssl crt /etc/haproxy/certs/
    # redirect HTTP to HTTPS
    http-request redirect scheme https unless { ssl_fc }
    # the pool of servers
    default_backend servers

backend servers
    server s1 172.25.0.11:8080 check
    server s2 172.25.0.12:8080 check

# Start a transaction to update the certificate
$ echo -e "set ssl cert /etc/haproxy/certs/site.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:172.25.0.10:9999 -

# Check the pending transaction (asterisk means pending)
$ echo "show ssl cert" | socat tcp-connect:172.25.0.10:9999 -
# transaction
*/etc/haproxy/certs/site.pem
# filename
/etc/haproxy/certs/site.pem

$ echo "show ssl cert */etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -
Filename: */etc/haproxy/certs/site.pem
Status: Unused
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local

# Commit the transaction so HAProxy detects the change
$ echo "commit ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -

# Abort the transaction and cancel the change
$ echo "abort ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -

$ echo "show ssl cert /etc/haproxy/certs/site.pem" | socat tcp-connect:172.25.0.10:9999 -
Filename: /etc/haproxy/certs/site.pem
Status: Used
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local
Issuer: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local

# The Runtime API update lives in memory only: copy the file to disk as well
# so the new certificate survives a reload or restart
$ scp new_certificate.pem username@172.25.0.10:/etc/haproxy/certs/site.pem

/etc/haproxy/certs/default.pem
/etc/haproxy/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local

frontend fe_main
    mode http
    bind :80
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    http-request redirect scheme https unless { ssl_fc }
    default_backend servers

$ echo -e "new ssl cert /etc/haproxy/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
New empty certificate store '/etc/haproxy/certs/new_certificate.pem'!

$ echo -e "set ssl cert /etc/haproxy/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:127.0.0.1:9999 -
Transaction created for certificate /etc/haproxy/certs/new_certificate.pem!

$ echo -e "commit ssl cert /etc/haproxy/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
Committing /etc/haproxy/certs/new_certificate.pem
Success!

$ echo -e "add ssl crt-list /etc/haproxy/cert-list.txt <<\n/etc/haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | socat tcp-connect:127.0.0.1:9999 -
Inserting certificate '/etc/haproxy/certs/new_certificate.pem' in crt-list '/etc/haproxy/cert-list.txt'.
Success!

$ echo "show ssl crt-list /etc/haproxy/cert-list.txt" | socat tcp-connect:127.0.0.1:9999 -
# /etc/haproxy/cert-list.txt
/etc/haproxy/certs/site.pem
/etc/haproxy/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
/etc/haproxy/certs/new_certificate.pem [alpn h2] mysite.local
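
The set / show / commit / abort transaction from the first half of this gist and the new-store plus crt-list flow from the second half, as one added shell example that is not part of the gist: it commits only after confirming that the fingerprint HAProxy parsed for the pending (`*path`) entry matches the local PEM, and aborts otherwise. The `HAPROXY_API` variable, the function names and the use of socat and openssl are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the gist: drive the set/show/commit/abort
# transaction from a script and commit only when the pending copy is the
# certificate we uploaded. Assumes socat and openssl are installed and
# the Runtime API is reachable at $HAPROXY_API (host:port as in the gist).
HAPROXY_API="${HAPROXY_API:-172.25.0.10:9999}"

# Send the command on stdin to the Runtime API and print its reply.
api() {
    socat "tcp-connect:${HAPROXY_API}" -
}

# Print one field of "show ssl cert" output. $1 = output, $2 = field name.
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# True when the fingerprint HAProxy parsed equals the expected one.
# $1 = "show ssl cert" output, $2 = SHA1 fingerprint (uppercase, no colons).
pending_matches() {
    [ "$(cert_field "$1" 'SHA1 FingerPrint')" = "$2" ]
}

# Upload a local PEM into an existing store, check the pending ("*path")
# copy against the local file, then commit; abort on any mismatch.
# $1 = store path as HAProxy knows it, $2 = local PEM (cert + key).
rotate_cert() {
    store="$1"; pem="$2"
    expected=$(openssl x509 -in "$pem" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
    printf 'set ssl cert %s <<\n%s\n\n' "$store" "$(cat "$pem")" | api
    pending=$(printf 'show ssl cert *%s\n' "$store" | api)
    if pending_matches "$pending" "$expected"; then
        printf 'commit ssl cert %s\n' "$store" | api
    else
        printf 'abort ssl cert %s\n' "$store" | api
        echo "pending certificate does not match $pem; aborted" >&2
        return 1
    fi
}

# Same flow for a new store that is then attached to a crt-list with an
# SNI filter (the [alpn h2] options mirror the gist's crt-list entry).
# $1 = new store path, $2 = local PEM, $3 = crt-list path, $4 = SNI name.
add_cert() {
    printf 'new ssl cert %s\n' "$1" | api
    rotate_cert "$1" "$2" || return 1
    printf 'add ssl crt-list %s <<\n%s [alpn h2] %s\n\n' "$3" "$1" "$4" | api
}

if [ $# -eq 2 ]; then rotate_cert "$1" "$2"; fi
```

Run as `sh rotate.sh /etc/haproxy/certs/site.pem ./new_certificate.pem` for the first flow, or call `add_cert` with the new store, PEM, crt-list path and SNI name for the second; the in-memory update still needs the file copied to disk, as the scp step above shows.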