From: Joao Morais
Date: Tue, 24 Nov 2020 11:24:30 +0000 (-0300)
Subject: DOC: better describes how to configure a fallback crt
X-Git-Tag: v2.4-dev2~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa8fcc4692b8c2afda455199a694067fea9e9262;p=thirdparty%2Fhaproxy.git

DOC: better describes how to configure a fallback crt

A default certificate is always the first one declared in the bind line, either from `crt` or from `crt-line` option. This commit updates the description of how to configure a fallback certificate, clarifying that it needs to be the first one of the bind line.

Should be merged as far as the first SNI filter implementation.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index ab49c68a47..b24c61b849 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12624,13 +12624,14 @@ crt-list Empty lines as well as lines beginning with a hash ('#') will be ignored. - The first valid line declares the default certificate, which haproxy should - use in the TLS handshake if no other certificate matches, just like the crt - bind option. This certificate will also be used if the provided SNI matches - its CN or SAN, even if a matching SNI filter is declared later. The SNI filter - !* can be used after the first certificate to not include its CN and SAN in - the SNI tree, so it will never match except if no other certificate matches. - This way the first declared certificate act as a fallback. + The first declared certificate of a bind line is used as the default + certificate, either from crt or crt-list option, which haproxy should use in + the TLS handshake if no other certificate matches. This certificate will also + be used if the provided SNI matches its CN or SAN, even if a matching SNI + filter is found on any crt-list. The SNI filter !* can be used after the first + declared certificate to not include its CN and SAN in the SNI tree, so it will + never match except if no other certificate matches. This way the first + declared certificate act as a fallback. crt-list file example: cert1.pem !*
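Review bot: the new paragraph keeps the grammatical slip of the old one, "This way the first declared certificate act as a fallback" should read "acts as a fallback", and its opening sentence is hard to parse because "either from crt or crt-list option" is wedged between "default certificate" and the relative clause "which haproxy should use". Suggest splitting it, e.g. "The first certificate declared on a bind line, whether by a crt or a crt-list option, is the default certificate. haproxy uses it in the TLS handshake if no other certificate matches." Since the paragraph now ties the default to the first certificate of the bind line rather than to the first valid line of the crt-list file, it would help to state explicitly that the order of the crt and crt-list options on the bind line decides which certificate is first; the "cert1.pem !*" example that follows only yields a working fallback when that crt-list entry really is the first certificate declared, because "!*" removes it from the SNI tree and it can then only be reached as the default.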