mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

DOC: configuration: update configuration on how to have multiple default certs

Browse Source 
HAProxy now allows to configure default certificates with SNI filters or
multi-cert bundle.
This commit is contained in:
William Lallemand 2024-01-12 17:01:30 +01:00
parent 83a0cde207
commit 47bae78147
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/configuration.txt
View File

@ -15473,7 +15473,12 @@ crt <cert>
match any certificate, then the first loaded certificate will be presented. match any certificate, then the first loaded certificate will be presented.
This means that when loading certificates from a directory, it is highly This means that when loading certificates from a directory, it is highly
recommended to load the default one first as a file or to ensure that it will recommended to load the default one first as a file or to ensure that it will
always be the first one in the directory. always be the first one in the directory. In order to chose multiple default
certificates (1 rsa and 1 ecdsa), there are 2 options:
- A multi-cert bundle can be configured as the first certificate
(`crt foobar.pem` in the configuration where the existing files
are `foobar.pem.ecdsa` and `foobar.pem.rsa`.
- Or a '*' filter for each certificate in a crt-list line.
Note that the same cert may be loaded multiple times without side effects. Note that the same cert may be loaded multiple times without side effects.
@ -15560,7 +15565,10 @@ crt-list <file>
filter is found on any crt-list. The SNI filter !* can be used after the first filter is found on any crt-list. The SNI filter !* can be used after the first
declared certificate to not include its CN and SAN in the SNI tree, so it will declared certificate to not include its CN and SAN in the SNI tree, so it will
never match except if no other certificate matches. This way the first never match except if no other certificate matches. This way the first
declared certificate act as a fallback. declared certificate act as a fallback. It is also possible to declare a '*'
filter, which will allow to chose this certificate as default. When multiple
default certificates are defined, HAProxy is able to chose the right ECDSA or
RSA one depending on what the client supports.
When no ALPN is set, the "bind" line's default one is used. If a "bind" line When no ALPN is set, the "bind" line's default one is used. If a "bind" line
has no "no-alpn", "alpn" nor "npn" set, a default value will be used has no "no-alpn", "alpn" nor "npn" set, a default value will be used
@ -15574,6 +15582,8 @@ crt-list <file>
cert2.pem [alpn h2,http/1.1] cert2.pem [alpn h2,http/1.1]
certW.pem *.domain.tld !secure.domain.tld certW.pem *.domain.tld !secure.domain.tld
certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
default.pem.rsa *
default.pem.ecdsa *
defer-accept defer-accept
Is an optional keyword which is supported only on certain Linux kernels. It Is an optional keyword which is supported only on certain Linux kernels. It