Ssl connection with httpclient API

Hi,

I am using an action from which I connect to an external server and return a result. I wrote it in Lua using the httpclient or socket API. Everything works fine without SSL.
But for the production system, I need these APIs to work with SSL. I need to understand how to use the cert.pem certificate file to make this work with the HAProxy action.

Below are the code snippets.


HaProxy.cfg

global
log /dev/log local0 debug
lua-load /etc/haproxy/ipchecker.lua
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Outbound TLS settings for core.httpclient(). The CA bundle is only
# consulted when verification is enabled: with `verify none` cert.pem is
# loaded but the checker's certificate is never validated. For production
# use `httpclient.ssl.verify required` so the chain is checked against
# cert.pem. In either case the Lua code must request an https:// URL;
# ipchecker.lua currently requests http://127.0.0.1:5000/.
httpclient.ssl.ca-file /etc/ssl/certs/cert.pem
httpclient.ssl.verify none

defaults
log global
mode http
option httplog
timeout connect 20s
timeout client 30s
timeout server 30s
timeout http-request 30s
option dontlognull
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h # for websocket
# duplicate of the earlier `timeout http-request 30s` (presumably the later
# one takes effect); harmless while both values agree
timeout http-request 30s
frontend fe_main
mode http
# plaintext listener; the httpclient.ssl.* settings above only affect the
# outbound connection to the checker, not this bind
bind *:80 v4v6
# NOTE(review): `scheme https` between `http-request` and `lua.checkip`
# looks like a paste artefact -- confirm the intended line is
# `http-request lua.checkip 127.0.0.1 5000` (two arguments, matching the
# nargs=2 given to core.register_action)
http-request scheme https lua.checkip 127.0.0.1 5000
# fail-closed only if req.blocked is actually set by the action; see the
# Lua side for what happens when the checker is unreachable
http-request deny if { var(req.blocked) -m bool }
default_backend be_servers

backend be_servers
balance roundrobin
server server1 127.0.0.1:666 check maxconn 30


my lua file

-- The contents of this file are Copyright (c) 2019. HAProxy Technologies. All Rights Reserved.

-- This file is subject to the terms and conditions defined in
-- file 'LICENSE', which is part of this source code package.

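--- Decide whether the current request may proceed by asking an external
-- "IP checker" HTTP service. The verdict is published in the transaction
-- variable req.blocked, which the frontend tests with `http-request deny`.
--
-- Changes from the original: the `headers=hrds` typo (an undefined global,
-- so no headers were ever sent) is fixed; the URL is built from addr/port
-- instead of being hard-coded; req.blocked is set to true *before* the
-- network call so a Lua runtime error (unreachable checker, nil response)
-- leaves the request blocked instead of leaving the variable unset.
--
-- @tparam TXN txn  the HAProxy transaction being processed
-- @tparam string addr  checker host, defaults to 127.0.0.1
-- @tparam number|string port  checker port, defaults to 5000
-- @return nothing; only req.blocked is written
local function check_ip(txn, addr, port)
    addr = addr or '127.0.0.1'
    port = port or 5000

    -- Default-deny first. If anything below raises, the variable already
    -- holds true and `http-request deny if { var(req.blocked) -m bool }`
    -- still refuses the request (NOTE(review): an unset variable would not
    -- match and the request would presumably be let through).
    txn:set_var('req.blocked', true)

    local hdrs = {
        string.format('host: %s:%s', addr, port),
        'accept: */*',
        'connection: close',
    }

    -- The action arguments decide where the checker lives; with
    -- httpclient.ssl.* configured this must become an https:// URL for the
    -- CA file to be used.
    local url = string.format('http://%s:%s/', addr, port)

    local httpclient = core.httpclient()
    local response = httpclient:get{url = url, headers = hdrs}

    -- NOTE(review): on connection failure httpclient:get appears to return
    -- nil -- confirm against the HAProxy version in use.
    if not response then
        core.log(core.err, string.format('IP checker %s unreachable', url))
        return
    end

    -- Response headers may be multi-valued (a table per name).
    for key, value in pairs(response.headers or {}) do
        if type(value) == "table" then
            for _, value1 in pairs(value) do
                core.log(core.notice, string.format("\"%s\":%s", key, value1))
            end
        else
            core.log(core.notice, string.format("\"%s\":%s", key, value))
        end
    end

    -- %s (not %d) so a missing status cannot turn the log line itself into
    -- a format error.
    core.log(core.notice, string.format("Called Ananda dadsdsdsddsds %s %s %s",
        tostring(response.status), tostring(response.reason), tostring(response.body)))

    -- Only an exact 'allow' body clears the default-deny set above.
    if response.body == 'allow' then
        txn:set_var('req.blocked', false)
    end

    -- Earlier raw-socket implementation, kept for reference.
    --[[
    local req = {
        [1] = string.format('GET / HTTP/1.1'),
        [2] = table.concat(hdrs, '\r\n'),
        [3] = '\r\n'
    }

    req = table.concat(req,  '\r\n')

    -- Use core.tcp to get an instance of the Socket class
    local socket = core.tcp()
    socket:settimeout(5)

    core.log(core.notice, string.format("Called Ananda dadsdsdsddsds --> %s", req))

    -- Connect to the service and send the request
    if socket:connect(addr, port) then
        if socket:send(req) then
            -- Get response body, if any
            while true do
                local line, _ = socket:receive('*l')
                core.log(core.notice, string.format("headers --> %s", line))
                if not line then break end
                if line == '' then break end
            end

            local content = socket:receive('*a')
            core.log(core.notice, string.format("resp --> %s", content))

            -- Check if this request should be allowed
            if content and content == 'allow' then
                txn:set_var('req.blocked', false)
                return
            end
        else
            core.Alert('Could not connect to IP Checker server (send)')
        end

        socket:close()
    else
        core.Alert('Could not connect to IP Checker server (connect)')
    end
    ]]
end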

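-- Expose check_ip as `http-request lua.checkip <addr> <port>`; the trailing
-- 2 is the number of arguments the action takes from the config line.
-- (Straight quotes restored -- the curly ones above are not valid Lua.)
core.register_action('checkip', {'http-req'}, check_ip, 2)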