This command is restricted and can only be issued on sockets configured for
level "admin".
-dump ssl crt-list <filename>
- Dump the content of a crt-list or a directory. Once dumped the output can be
- used as a crt-list file.
-
- Example:
- echo "dump ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
- # localhost.crt-list
- common.pem !not.test1.com *.test1.com !localhost
- common.pem
- ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
- ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
-
enable agent <backend>/<server>
Resume auxiliary agent check that was temporarily stopped.
Filename: *test.local.pem
[...]
-show ssl crt-list [<filename>]
+show ssl crt-list [-n] [<filename>]
Display the list of crt-list and directories used in the HAProxy
- configuration. If a directory or a crt-list is specified, displays its
- content. Does not use this command to dump your crt-list configuration as it
- provides extra informations not compatible with the crt-list. To dump a
- crt-list, use the "dump ssl crt-list" command instead.
+ configuration. If a filename is specified, dump the content of a crt-list or
+ a directory. Once dumped the output can be used as a crt-list file.
+ The '-n' option can be used to display the line number, which is useful when
+ combined with the 'del ssl crt-list' option when a entry is duplicated. The
+ output with the '-n' option is not compatible with the crt-list format and
+ not loadable by haproxy.
Example:
- echo "show ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
+ echo "show ssl crt-list -n localhost.crt-list" | socat /tmp/sock1 -
# localhost.crt-list
- 0x55db301c29a0 common.pem !not.test1.com *.test1.com !localhost
- 0x55db301f99e0 common.pem
- 0x7fb6f40220b0 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
- 0x55db30277070 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
+ common.pem:1 !not.test1.com *.test1.com !localhost
+ common.pem:2
+ ecdsa.pem:3 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
+ ecdsa.pem:4 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
show resolvers [<resolvers section id>]
Dump statistics for the given resolvers section, or all resolvers sections
memcpy(dir->node.key, path, strlen(path) + 1);
dir->entries = EB_ROOT_UNIQUE; /* it's a directory, files are unique */
dir->bind_conf = NULL;
+ dir->linecount = 0;
LIST_INIT(&dir->ord_entries);
n = scandir(path, &de_list, 0, alphasort);
}
/* directories don't use ssl_conf and filters */
+ entry->linenum = 0;
entry->fcount = 0;
entry->filters = NULL;
entry->ssl_conf = NULL;
goto error;
}
}
-
+ entry->linenum = linenum;
entry->ssl_conf = ssl_conf;
entry->filters = crtlist_dup_filters(&args[cur_arg], arg - cur_arg - 1);
entry->fcount = arg - cur_arg - 1;
if (cfgerr & ERR_CODE)
goto error;
+ newlist->linecount = linenum;
+
fclose(f);
*crtlist = newlist;
store = entry->node.key;
filename = store->path;
- if (appctx->ctx.cli.i0 == 's') /* show */
- chunk_appendf(trash, "%p ", entry);
chunk_appendf(trash, "%s", filename);
+ if (appctx->ctx.cli.i0 == 's') /* show */
+ chunk_appendf(trash, ":%d", entry->linenum);
dump_crtlist_sslconf(trash, entry->ssl_conf);
dump_crtlist_filters(trash, entry);
chunk_appendf(trash, "\n");
static int cli_parse_dump_crtlist(char **args, char *payload, struct appctx *appctx, void *private)
{
struct ebmb_node *lnode;
+ char *filename = NULL;
int mode;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
appctx->ctx.cli.p0 = NULL;
appctx->ctx.cli.p1 = NULL;
- mode = (int)args[0][0]; /* 'd' or 's' */
- if (mode == 'd' && !*args[3])
- return cli_err(appctx, "'dump ssl crt-list' expects a filename or a directory\n");
+ if (*args[3] && !strcmp(args[3], "-n")) {
+ mode = 's';
+ filename = args[4];
+ } else {
+ mode = 'd';
+ filename = args[3];
+ }
- if (*args[3]) {
- lnode = ebst_lookup(&crtlists_tree, args[3]);
+ if (mode == 's' && !*args[4])
+ return cli_err(appctx, "'show ssl crt-list -n' expects a filename or a directory\n");
+
+ if (filename && *filename) {
+ lnode = ebst_lookup(&crtlists_tree, filename);
if (lnode == NULL)
return cli_err(appctx, "didn't find the specified filename\n");
ssl_sock_load_cert_sni(new_inst, new_inst->bind_conf);
HA_RWLOCK_WRUNLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
}
+ entry->linenum = ++crtlist->linecount;
appctx->st2 = SETCERT_ST_FIN;
goto end;
}
{ { "show", "ssl", "cert", NULL }, "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a <certfile>", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
{ { "add", "ssl", "crt-list", NULL }, "add ssl crt-list <filename> <certfile> [options] : add a line <certfile> to a crt-list <filename>", cli_parse_add_crtlist, cli_io_handler_add_crtlist, cli_release_add_crtlist },
{ { "del", "ssl", "crt-list", NULL }, "del ssl crt-list <filename> <certfile[:line]> : delete a line <certfile> in a crt-list <filename>", cli_parse_del_crtlist, NULL, NULL },
- { { "dump", "ssl", "crt-list", NULL }, "dump ssl crt-list <filename> : dump the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
- { { "show", "ssl", "crt-list", NULL }, "show ssl crt-list [<filename>] : show the list of crt-lists or the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
+ { { "show", "ssl", "crt-list", NULL }, "show ssl crt-list [-n] [<filename>] : show the list of crt-lists or the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
{ { NULL }, NULL, NULL, NULL }
}};
projects / thirdparty / haproxy.git / commitdiff
