From 5d218462272bfdb70acbf10579180d61a5bcaac1 Mon Sep 17 00:00:00 2001 From: ramr Date: Mon, 30 Jul 2018 16:35:23 -0700 Subject: [PATCH] Fix router mutual tls bug if no ca is specified. fixes bugz #1608759 --- .../router/haproxy/conf/haproxy-config.template | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template index 90f73694131c..d9528548c48c 100644 --- a/images/router/haproxy/conf/haproxy-config.template +++ b/images/router/haproxy/conf/haproxy-config.template @@ -228,9 +228,11 @@ frontend fe_sni {{- if isTrue (env "ROUTER_STRICT_SNI") }} strict-sni {{ end }} {{- ""}} crt {{firstMatch ".+" .DefaultCertificate "/var/lib/haproxy/conf/default_pub_keys.pem"}} {{- ""}} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy - {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{.}} {{ end }} - {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CRL") }} crl-file {{.}} {{ end }} - {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }} verify {{.}} {{ end }} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }} + {{- ""}} verify {{.}} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{.}} {{ else }} ca-file /etc/ssl/certs/ca-bundle.trust.crt {{ end }} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CRL") }} crl-file {{.}} {{ end }} + {{- end }} {{- if isTrue (env "ROUTER_ENABLE_HTTP2") }} alpn h2,http/1.1{{ end }} mode http @@ -298,9 +300,11 @@ backend be_no_sni frontend fe_no_sni # terminate ssl on edge bind 127.0.0.1:{{env "ROUTER_SERVICE_NO_SNI_PORT" "10443"}} ssl no-sslv3 crt {{firstMatch ".+" .DefaultCertificate "/var/lib/haproxy/conf/default_pub_keys.pem"}} accept-proxy - {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{.}} {{ end }} - {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CRL") }} crl-file {{.}} {{ end }} - {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }} verify {{.}} {{ end }} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }} + {{- ""}} verify {{.}} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{.}} {{ else }} ca-file /etc/ssl/certs/ca-bundle.trust.crt {{ end }} + {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CRL") }} crl-file {{.}} {{ end }} + {{- end }} mode http # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)