From: Benedikt Heine Date: Mon, 30 Dec 2024 14:26:16 +0000 (+0100) Subject: doc/mgr/dashboard: Fix HAProxy TLS example X-Git-Tag: v20.0.0~468^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=cb43999432073c197c59b3c6e30fa67904fd5209;p=ceph.git doc/mgr/dashboard: Fix HAProxy TLS example With `ssl` set on the `server` option, HAProxy strips the TLS protocol for all clients. You would need to connect to it with `http://:443`. To have an active health check, which uses SSL, but does not strip it for clients, you'd need to add: - `check` to enable active health checks. - `check-ssl` to instruct the health check to use TLS - `verify none` to skip verification on the health check requests from HAProxy - _REMOVE_ `ssl` to stop stripping TLS The active health checks are required to not route any requests to the inactive managers. These would redirect to any unusable IP from the active mgr. --- Alternatively you could add another certificate in the frontend and then re-encrypt the traffic. But this would require tracking the certs also in HAProxy. Signed-off-by: Benedikt Heine --- diff --git a/doc/mgr/dashboard.rst b/doc/mgr/dashboard.rst index 696676aeb342c..e908e193198c0 100644 --- a/doc/mgr/dashboard.rst +++ b/doc/mgr/dashboard.rst @@ -1296,9 +1296,9 @@ redirection on standby nodes. mode tcp option httpchk GET / http-check expect status 200 - server x : ssl check verify none - server y : ssl check verify none - server z : ssl check verify none + server x : check check-ssl verify none + server y : check check-ssl verify none + server z : check check-ssl verify none .. _dashboard-auditing:
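Review bot: The three `server` lines keep `verify none`, so the health check accepts any certificate from the backend, and the example carries no explanation of why `ssl` must stay off. Nothing in the documented config tells a reader that adding `ssl` back makes HAProxy terminate TLS toward the mgr and serve clients plain HTTP on the frontend port, which is the regression the commit message describes. Consider adding a sentence to dashboard.rst next to the example stating that `check-ssl` applies TLS to the health check only, while `mode tcp` passes client TLS through untouched to the dashboard. Where the mgr certificates are issued by a known CA, it is also worth mentioning that `verify none` can be replaced with `verify required` plus a `ca-file` on the server line so the check authenticates the backend. If `verify none` stays as the default, say that it affects only HAProxy's own probes and that clients still validate the dashboard certificate end to end.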