187b1250dd
Patch introduces ACME EAB support. Configuring EAB requires two parts: Key ID and MAC Key. Key ID is an ASCII string that specifies the name of the record CA should look up. MAC Key is a base64url encoded key that is used for the sake of JWS signing, using HS256 or other algorithms. They are the credentials so must be stored securely. A thing about EAB is that it is required only during account creation so it is unexpectedly complex to think about. Some CAs provide EAB credential pair that is reused between multiple account order requests, for example ZeroSSL, but others like Google Trusted Services require an unique EAB credential for each new account creation request. There are a lot of ways config could be implemented, I decided to make so that Key ID and MAC Key are stored in separate files on disk, that decision was made because of the security concerns. File based approach in particular works well with systemd credentials, works well with systems that have config world readable, or immutable, and is compatible with existing setups that specify credentials in a file. EAB is configured through options like this in an acme section: eab-mac-alg HS512 eab-mac-key pebble.eab.mac-key eab-key-id pebble.eab.key-id I decided to not error out on empty files, but issue a log msg instead, so that credentials can be removed without changing the haproxy config. Used read_line_to_trash function from tools.c for reading files, that is something that could be replaced by a dedicated function too. No backport needed |
||
|---|---|---|
| .github | ||
| addons | ||
| admin | ||
| dev | ||
| doc | ||
| examples | ||
| include | ||
| reg-tests | ||
| scripts | ||
| src | ||
| tests | ||
| .cirrus.yml | ||
| .gitattributes | ||
| .gitignore | ||
| .mailmap | ||
| .travis.yml | ||
| BRANCHES | ||
| BSDmakefile | ||
| CHANGELOG | ||
| CONTRIBUTING | ||
| INSTALL | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| README.md | ||
| SUBVERS | ||
| VERDATE | ||
| VERSION | ||
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located into the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.