Hi, I have installed haproxy 1.8.7 and have a problem with the CRL list: even when I revoke a user's certificate, the page still appears for him.
test1 is my test user.
CERT REVOKE:

```sh
openssl ca -config /root/ca/intermediate/openssl.cnf -revoke /root/ca/users_certs/test1/test1.crt
```

REGENERATE CRL:

```sh
openssl ca -config /root/ca/intermediate/openssl.cnf -gencrl -out /root/ca/intermediate/crl/intermediate.crl
```

ORDER CERT CHAIN IN HAPROXY CONFIG FILE (ca_chain.crt):

1. INTERMEDIATE CERT
2. CA CERT

ORDER CRL CHAIN IN HAPROXY CONFIG FILE (crl.pem):

1. INTERMEDIATE CRL
2. CA CRL

ORDER FILES IN my.page.pem FILE:

1. PRIVATE KEY WITHOUT PASSWORD
2. my.page CERT SIGNED BY INTERMEDIATE CERT
Full /etc/haproxy/haproxy.cfg:

```
global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	# An alternative list with additional directives can be obtained from
	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3
	maxconn 2048
	tune.ssl.default-dh-param 2048

defaults
	log global
	mode http
	option forwardfor
	option http-server-close
	option httplog
	option dontlognull
	timeout connect 5000
	timeout client 50000
	timeout server 50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http
	stats enable
	stats uri /stats
	stats realm Haproxy\ Statistics
	stats auth user:password

frontend www-http_my-page
	bind 192.168.0.211:80
	reqadd X-Forwarded-Proto:\ http
	default_backend www-backend_my-page

frontend www-https_my-page
	bind 192.168.0.211:443 transparent ssl crt /etc/ssl/private/my.page.pem ca-file /etc/haproxy/cert/ca_chain.crt verify required crt-ignore-err all crl-file /etc/haproxy/cert/crl.pem
	reqadd X-Forwarded-Proto:\ https
	default_backend www-backend_my-page

backend www-backend_my-page
	redirect scheme https if !{ ssl_fc }
	balance roundrobin
	cookie SERVERID insert indirect nocache
	server web1 192.168.0.212:80 check cookie web1
	server web2 192.168.0.213:80 check cookie web2
```
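As an added example (my own, not from the post or from HAProxy), here are two shell checks for the setup above: the first flags the `crt-ignore-err all` option on the HTTPS bind line, which tells HAProxy to ignore every client-certificate verification error at depth 0, revocation included, so the crl-file is never actually enforced; the second confirms outside HAProxy that the regenerated CRL really rejects the user certificate. The function names are mine and the file paths are the poster's.

```sh
#!/bin/sh
# Added example, not part of the original post.
#
# Hardened form of the poster's HTTPS bind line: identical, minus
# "crt-ignore-err all" (verify required + ca-file + crl-file is all
# that revocation enforcement needs):
#
#   bind 192.168.0.211:443 transparent ssl crt /etc/ssl/private/my.page.pem \
#        ca-file /etc/haproxy/cert/ca_chain.crt verify required \
#        crl-file /etc/haproxy/cert/crl.pem

# Returns 0 when the bind configuration read from stdin can enforce the
# CRL, 1 when it cannot: client verification must be required, a crl-file
# must be set, and verification errors must not be blanket-ignored.
bind_enforces_revocation() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -q 'verify required' || return 1
    printf '%s\n' "$cfg" | grep -q 'crl-file' || return 1
    if printf '%s\n' "$cfg" | grep -Eq 'crt-ignore-err[[:space:]]+all'; then
        return 1   # "all" swallows X509 "certificate revoked" too
    fi
    return 0
}

# Returns 0 when openssl rejects the user certificate against the CA chain
# and CRL file (revoked, or otherwise invalid), 1 when it still verifies,
# which is what you would see if the CRL was not regenerated or the
# wrong CRL was concatenated into crl.pem.
#   $1 = user cert, $2 = CA chain (ca_chain.crt), $3 = CRL file (crl.pem)
user_cert_revoked() {
    ! openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# Example invocation with the poster's paths (requires the files to exist):
# grep -A1 'frontend www-https_my-page' /etc/haproxy/haproxy.cfg \
#     | bind_enforces_revocation && echo "bind line enforces CRL"
# user_cert_revoked /root/ca/users_certs/test1/test1.crt \
#     /etc/haproxy/cert/ca_chain.crt /etc/haproxy/cert/crl.pem \
#     && echo "test1 is rejected by the CRL"
```

HAProxy 1.8 reads crl-file only at startup, so after regenerating the CRL the process still has to be reloaded for the new list to take effect.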