From 9478892614387a52b812f1d18860a57af89d3847 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Sat, 18 Mar 2023 15:21:21 +1100
Subject: [PATCH] Allow proper ssl verification for backends (With a privately managed CA of course)

---
 INSTALLATION.md | 1 +
 haproxy/haproxy.cfg | 2 ++
 src/lua/scripts/register-servers.lua | 8 +++++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/INSTALLATION.md b/INSTALLATION.md
index 436299c..75f4a3c 100644
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
@@ -20,6 +20,7 @@ NOTE: Use either HCAPTCHA_ or RECAPTHCA_, not both.
 - ARGON_KB - argon2 memory usage in KB
 - POW_DIFFICULTY - pow difficulty
 - POW_TYPE - type of ahsh algorithm for pow "argon2" or "sha256"
+- VERIFY_BACKEND_SSL - whether to verify backend ssl, requires you have a private CA on the proxy and using it to sign your backend certs
 
 #### Run in docker (for testing/development)
 
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index d4f274c..d156c81 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -115,6 +115,8 @@ cache basic_cache
 max-age 86400
 
 backend servers
+ # optional (recommended) ssl, requires CA cert installed on proxy and signeed cert on backends, you can also use "ssl verify none" but ssl can then be trivially mitm'd
+ # default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
 # use server based on hostname
 use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE
 
diff --git a/src/lua/scripts/register-servers.lua b/src/lua/scripts/register-servers.lua
index 8adce29..1cdf809 100644
--- a/src/lua/scripts/register-servers.lua
+++ b/src/lua/scripts/register-servers.lua
@@ -14,6 +14,7 @@ function setup_servers()
 end
 local handle = io.open("/etc/haproxy/map/hosts.map", "r")
 local line = handle:read("*line")
+ local verify_backend_ssl = os.getenv("VERIFY_BACKEND_SSL")
 local counter = 1
 -- NOTE: using tcp socket to interact with runtime API because lua can't add servers
 local tcp = core.tcp();
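Review bot: The example `ca-file ca-certificates.crt` in the second added comment is a relative path; if I remember HAProxy's rules correctly, relative `ca-file` values are resolved against the global `ca-base` directive when one is set and against the working directory otherwise, so the comment should either mention setting `ca-base` or use an absolute path, otherwise an operator can end up trusting a different bundle than intended. The first added comment also misspells "signeed" (`signed cert on backends`). Both lines are commented out, so this hunk changes no behavior; the verify policy actually applied to the dynamically added servers is decided in src/lua/scripts/register-servers.lua.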
@@ -29,7 +30,12 @@ function setup_servers()
 -- proxy:set_addr(backend_hostname, backend_port)
 -- proxy:set_ready()
 local server_name = "servers/websrv"..counter
- tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
+ --NOTE: if you have a proper CA setup,
+ if verify_backend_ssl ~= nil then
+ tcp:send(string.format("add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)\n", server_name, backend_host))
+ else
+ tcp:send(string.format("add server %s %s check ssl verify none\n", server_name, backend_host))
+ end;
 tcp:send(string.format("enable server %s\n", server_name))
 line = handle:read("*line")
 counter = counter + 1
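Review bot: `if verify_backend_ssl ~= nil then` is a presence test on the value read by `os.getenv("VERIFY_BACKEND_SSL")` in the previous hunk, so `VERIFY_BACKEND_SSL=false` or `=0` (values the INSTALLATION.md wording "whether to verify" invites) still selects `verify required`, while the insecure `verify none` stays the silent default whenever the variable is absent; comparing against an explicit value, `local verify = verify_backend_ssl == "true" or verify_backend_ssl == "1"`, and logging which mode was chosen at startup would make the opt-in unambiguous and visible. The two `tcp:send` calls differ only in the verify clause and could collapse into one, e.g. `local verify_opts = verify and "verify required ca-file ca-certificates.crt sni req.hdr(Host)" or "verify none"` followed by `tcp:send(string.format("add server %s %s check ssl %s\n", server_name, backend_host, verify_opts))`. The comment `--NOTE: if you have a proper CA setup,` is cut off mid-sentence and `end;` carries a stray semicolon. Neither the `add server` nor the `enable server` reply is read, so a rejected command (for instance an unreadable `ca-file`) leaves a backend unregistered with no diagnostic; that predates this change, but the new option introduces exactly that failure mode. `setup_servers` begins before this hunk.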