Certificate support over UNIX socket

On Mon, Mar 16, 2015 at 9:25 PM, Claudio Luck <cluck at ethz.ch> wrote:
> Hi again,
> There is this comment about listen-clear-file in the sample config:
> # Accept connections using a socket file. It accepts HTTP
> # connections (i.e., without SSL/TLS unlike its TCP counterpart),
> # and uses it as the primary channel. That option cannot be
> # combined with certificate authentication.
> #listen-clear-file = /var/run/ocserv-conn.socket
> haproxy and nginx at least have the ability to pass the SSL certificates and
> the validation exit status as headers to the request while it is forwarded
> to the backend. In haproxy 1.5.7+ config speech:

I don't like much the idea of passing such kind of data in-band. It
will require to place lots of trust on our HTTP parser, and while it
looks quite nice code, it was not designed to avoid malicious attacks
on the HTTP header parsing. Does haproxy provide a way to obtain that
data out-of-band? In any case this is not currently high priority for
me, but if there is a clean patch I'll certainly consider adding it as
an experimental feature.

regards,
Nikos
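The reply above objects to trusting certificate data that arrives in-band, because the HTTP header parser then becomes a security boundary. The following added example (mine, not code from ocserv, haproxy or anyone in this thread) shows the minimum a backend would have to do if it did accept such headers: interpret them only on the channel the proxy owns, reject duplicates and malformed values, and bound the certificate size before decoding. The header names `X-SSL-Client-Verify` and `X-SSL-Client-Cert`, the "0 means verified" convention and the sample certificate bytes are all assumptions constructed for the example.

```python
import base64
import re

# Constructed header names: whatever the proxy is configured to inject.
# These are assumptions for the example, not names ocserv or haproxy define.
VERIFY_HEADER = "x-ssl-client-verify"
CERT_HEADER = "x-ssl-client-cert"


class UntrustedProxyData(ValueError):
    """Raised when proxy-supplied certificate data cannot be trusted."""


def extract_proxy_client_cert(headers, from_trusted_socket, max_cert_len=8192):
    """Return (verified, cert_der) from headers injected by a fronting proxy.

    headers: list of (name, value) pairs as parsed from the request.
    from_trusted_socket: True only when the request arrived over the UNIX
    socket that the proxy owns. Over any other channel the same headers are
    attacker-controllable, so they are rejected rather than interpreted.
    """
    if not from_trusted_socket:
        raise UntrustedProxyData("certificate headers only accepted from proxy socket")

    # Collect each header once; a duplicate is ambiguous and is treated as hostile.
    seen = {}
    for name, value in headers:
        lname = name.lower()
        if lname in (VERIFY_HEADER, CERT_HEADER):
            if lname in seen:
                raise UntrustedProxyData("duplicate %s header" % lname)
            seen[lname] = value

    verify = seen.get(VERIFY_HEADER)
    if verify is None:
        # Proxy passed no verification result: treat as unauthenticated.
        return (False, None)

    # Assumed convention: a small decimal code, "0" meaning verification passed.
    if not re.fullmatch(r"\d{1,3}", verify):
        raise UntrustedProxyData("malformed verify status")
    if verify != "0":
        return (False, None)

    cert_b64 = seen.get(CERT_HEADER)
    if cert_b64 is None:
        raise UntrustedProxyData("verified status without certificate")
    # Bound the input and restrict the alphabet before handing it to the decoder.
    if len(cert_b64) > max_cert_len or not re.fullmatch(r"[A-Za-z0-9+/=]+", cert_b64):
        raise UntrustedProxyData("certificate header out of bounds")
    try:
        der = base64.b64decode(cert_b64, validate=True)
    except ValueError:
        raise UntrustedProxyData("certificate not valid base64")

    # Minimal structural check: a DER certificate starts with a SEQUENCE tag.
    if not der or der[0] != 0x30:
        raise UntrustedProxyData("certificate is not a DER SEQUENCE")
    return (True, der)


if __name__ == "__main__":
    # Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
    sample_b64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
    request_headers = [
        ("Host", "vpn.example"),
        ("X-SSL-Client-Verify", "0"),
        ("X-SSL-Client-Cert", sample_b64),
    ]
    print(extract_proxy_client_cert(request_headers, from_trusted_socket=True))
```

Even with these checks the backend still depends on its header parser and on the proxy stripping client-supplied copies of the same headers, which is exactly the trust the reply is reluctant to place on an HTTP parser; an out-of-band channel removes that dependency rather than hardening it.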
