mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-24 15:21:29 +02:00
This patch implements the ability to load a certificate directory with the "ca-file" directive.

The X509_STORE_load_locations() API does not allow to cache a directory in memory at startup, it only references the directory to allow a lookup of the files when needed. But that is not compatible with the way HAProxy works, without any access to the filesystem.

The current implementation loads every ".pem", ".crt", ".cer", and ".crl" available in the directory which is what is done when using c_rehash and X509_STORE_load_locations(). Those files are cached in the same X509_STORE referenced by the directory name. When looking at "show ssl ca-file", everything will be shown in the same entry.

This will eventually allow to load more easily the CA of the system, which could already be done with "ca-file /etc/ssl/certs" in the configuration.

Loading failures intentionally emit a warning instead of an alert, letting HAProxy start when one of the files can't be loaded.

Known limitations:

- There is a bug in "show ssl ca-file", once the buffer is full, the iohandler is not called again to output the next entries.
- The CLI API is kind of limited with this, since it does not allow to add or remove an entry in a particular ca-file. And with a lot of CAs you can't push them all in a buffer. It probably needs a "add ssl ca-file" like it's done with the crt-list.

Fix issue #1476.
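The directory scan described in the commit message above, as an added C example that is not HAProxy's code: it selects files by the four listed suffixes, loads each one once at startup, and counts a failed file as a warning instead of aborting. `has_ca_ext`, `sample_loader` and `load_ca_dir` are hypothetical names, the loader is a stand-in for real X.509 parsing into an X509_STORE, and case-sensitive suffix matching is an assumption.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Suffixes listed in the commit message; case-sensitive matching is an assumption. */
static const char *const ca_exts[] = { ".pem", ".crt", ".cer", ".crl" };

int has_ca_ext(const char *name) {
    const char *dot = strrchr(name, '.');
    for (size_t i = 0; dot && i < sizeof(ca_exts) / sizeof(*ca_exts); i++)
        if (strcmp(dot, ca_exts[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical stand-in for the real parser: accepts files starting with a PEM marker. */
int sample_loader(const char *path) {
    char head[10];
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(head, 1, sizeof(head), f) : 0;
    if (f)
        fclose(f);
    return (n == sizeof(head) && memcmp(head, "-----BEGIN", 10) == 0) ? 0 : -1;
}

/* One pass at startup; a file that fails to load is a warning, not a fatal error.
 * Returns the number of files loaded, or -1 if the directory cannot be opened. */
int load_ca_dir(const char *dir, int (*load)(const char *), int *warnings) {
    char path[4096];
    struct stat st;
    struct dirent *de;
    DIR *d = opendir(dir);
    int loaded = 0;
    *warnings = 0;
    if (!d)
        return -1;
    while ((de = readdir(d)) != NULL) {
        snprintf(path, sizeof(path), "%s/%s", dir, de->d_name);
        /* Skip other suffixes and anything that is not a regular file. */
        if (!has_ca_ext(de->d_name) || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        int ok = load(path) == 0;
        loaded += ok;
        *warnings += !ok;
        if (!ok)
            fprintf(stderr, "warning: unable to load '%s'\n", path);
    }
    closedir(d);
    return loaded;
}
```

Running the same suffix filter over a directory before pointing "ca-file" at it shows which files would end up in the trust store.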
The HAProxy documentation has been split into a number of different files for ease of use.

Please refer to the following files depending on what you're looking for:

- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
Languages: C 98.1%, Shell 0.8%, Makefile 0.5%, Lua 0.2%, Python 0.2%