Hi!
I’m using haproxy in my homeserver for quite some time now and I absolutely love it!
Now I ran into a weird edge case though:
I run haproxy with SSL termination for all my backend services and have certbot on the same VM to acquire new certificates regularly. To achieve this I created an ACL as follows:
```
frontend http-in
    bind…
    […]
    acl letsencrypt_acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if letsencrypt_acl

backend letsencrypt
    server letsencrypt 127.0.0.1:9875
```
So far so good. Now I want to run a mailcow setup in the backend, which wants to obtain its own letsencrypt certificate. So I added:
```
acl host_mailcow hdr(host) -i mail.domain or hdr(host) -i autoconfig.domain or hdr(host) -i autodiscover.domain
use_backend mailcow if host_mailcow
```
Unfortunately, letsencrypt challenges obviously get hijacked by the first ACL (letsencrypt_acl) this way.
My solution would have been:
```
acl host_mailcow hdr(host) -i mail.domain or hdr(host) -i autoconfig.domain or hdr(host) -i autodiscover.domain
acl letsencrypt_acl path_beg /.well-known/acme-challenge/ and !host_mailcow
```
Unfortunately, somehow letsencrypt_acl is valid even though host_mailcow is true (the challenge is https://autoconfig.domain/.well-known/acme-challenge/censored).
How can I solve this?
2 posts - 2 participants
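The following is an added example, not the original poster's configuration or anything from the HAProxy project. It shows why the ACL-level `and !host_mailcow` has no effect and how the same exclusion is written in a form HAProxy actually evaluates: an `acl` line only takes a fetch, flags and a list of patterns, so `and` and `!host_mailcow` are parsed as two extra path prefixes and the ACL keeps matching every ACME request. Boolean combination (`and`, `or`, `||`, `!`) belongs in the condition of `use_backend`. The backend names, the `bind` port, the `mailcow` server address and the `local_services` default backend are placeholders; the hostnames follow the post.

```haproxy
# Added example (not the poster's config). Ports, backend names and the
# mailcow/local_services server addresses are placeholders.
frontend http-in
    bind :80
    mode http

    # ACL definitions: one fetch, optional flags, then only patterns.
    # Several hostnames go on one line as a pattern list; there is no
    # "or" keyword here, and no "and"/"!" either.
    acl host_mailcow    req.hdr(host) -i mail.domain autoconfig.domain autodiscover.domain
    acl letsencrypt_acl path_beg /.well-known/acme-challenge/

    # The form from the post, kept for comparison. HAProxy treats "and" and
    # "!host_mailcow" as two more path prefixes, so nothing is excluded:
    # acl letsencrypt_acl path_beg /.well-known/acme-challenge/ and !host_mailcow

    # Combine ACLs in the condition instead. Rules are tried top to bottom,
    # so placing the mailcow rule first is already enough; the explicit
    # !host_mailcow on the certbot rule documents the intent and keeps the
    # result the same if the rules are ever reordered.
    use_backend mailcow     if host_mailcow
    use_backend letsencrypt if letsencrypt_acl !host_mailcow

    default_backend local_services

backend letsencrypt
    # certbot's standalone listener on the HAProxy host (address from the post)
    server letsencrypt 127.0.0.1:9875

backend mailcow
    # placeholder: mailcow's own HTTP listener, which answers its ACME challenges
    server mailcow 127.0.0.1:8080

backend local_services
    # placeholder for the other backend services
    server app 127.0.0.1:8000
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a stray `and` inside an `acl` line passes that check silently, which is why the original config loaded without complaint. `req.hdr(host)` with `-i` is an exact, case-insensitive string match, so it will not match if clients send `Host: mail.domain:8443` with a port; strip it with `req.hdr(host),field(1,:)` in that case. One caveat that follows from the routing: once `autoconfig.domain` and the other two names are sent to mailcow, certbot on the HAProxy host must not be asked to validate those same names over HTTP-01, because its challenge files would be served by mailcow rather than by the listener on port 9875.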