Usage: Haproxy as SSL termination
Requirement: Our private keys are password protected and we are not allowed to remove the password for the private key
Problem:
If I run the following command: haproxy -f /pathtoconf
a password prompt is shown, and once the password is provided haproxy starts up.
To overcome this issue I have used an expect script which automatically provides the password.
Script to auto-populate the password:

    #!/usr/bin/expect -f
    set timeout 20
    spawn nohup haproxy -f /opt/reverse-proxies/demo.cfg
    expect "Enter PEM pass phrase:"
    send "password\r"
    expect_background
    expect eof
    exit

I am planning to automate this using ansible-playbook, but my question is: is there any clean way to provide the password for the private key? I did some searching on this but couldn't find any configuration for it. There were some statements from the haproxy team that there was a plan to provide a clean approach, but that it couldn't make it into 1.6 and they were planning to do it in 1.7. I looked into the release notes of 1.7 but couldn't find much on that topic. Is there any configuration which haproxy provides for the private key password? Or, if anyone has implemented a nice solution to overcome this problem, could you please guide me in that direction?
My sample configuration:

    global
        log 127.0.0.1 local2 debug

    defaults
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    #---------------------------------------------------------------------
    # main frontend which proxies to the backends
    #---------------------------------------------------------------------
    frontend main
        log global
        bind *:4000 ssl crt /tmp/server.2.crt.pem
        default_backend app

    #---------------------------------------------------------------------
    # round robin balancing between the various backends
    #---------------------------------------------------------------------
    backend app
        log global
        mode http
        server app1 127.0.0.1:4002