Commit 19de1f85 authored by Chris

Make disabling haproxy-sockets explicit because of a change in configparser, document arguments in the config file.
parent b924b8f9
Pipeline #8422 passed with stages in 3 minutes and 46 seconds
......@@ -37,9 +37,14 @@ file-extensions=crt,pem,cer
;; ignore=[no-ocsp/*.crt, /etc/ssl/private/not_a_real_crt.pem]
; ignore=ssl-cert-snakeoil.key
;; Recursively scan the paths specified by --cert-paths for certificates.
; recursive
[validity]
;; Uncomment to update every staple at startup. Leave commented to try to
;; Don't re-use existing ocsp files, refresh all staples regardless of their
;; validity. By default existing staples are recycled if they are valid for
;; longer than the minimum_validity setting. Leave commented to try to
;; re-use staples that are still valid long enough (See `minimum-validity`
;; directive)
; no-recycle
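Review bot: the new `no-recycle` comment names the related setting two different ways, `minimum_validity setting` on one line and `` `minimum-validity` directive `` on the next; every other key in this file is hyphenated (`file-extensions`, `cert-paths`), so use `minimum-validity` in both places. The closing sentence "Leave commented to try to re-use staples that are still valid long enough" also restates "By default existing staples are recycled if they are valid for longer than ..." from the line before it; one of the two can go.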
......@@ -58,14 +63,22 @@ daemon
;; Amount of threads to use for the renewal process. Increasing this will only
;; help if the daemon is sitting idle, e.g. waiting for OCSP responses for
;; longerperiods of time. It can help increase concurrency to a certain point
;; but ifyou really need to fetch high volumes of staples, you should start
;; longer periods of time. It can help increase concurrency to a certain point
;; but if you really need to fetch high volumes of staples, you should start
;; more processes.
renewal-threads=5
;; How long the scheduler should sleep between each scheduling attempt.
refresh-interval=30
;; Run only a one-off staple renewal and quit stapled when done. Note that this
;; will still spawn the same amount of threads as a normal process would for
;; performance reasons as well as consistency between one-off and normal runs.
;; This setting overrides the --refresh-interval setting because a refresh is
;; not scheduled during one-off runs. The --daemon and --no-daemon/--interactive
;; arguments are also ignored.
; one-off
[logging]
;; Log to syslog, you can not set a `logdir` to only log to syslog, or
;; enable both at the same time. Uncomment to enable.
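Review bot: `refresh-interval=30` still has no unit in its comment ("How long the scheduler should sleep between each scheduling attempt"); say whether the value is in seconds, since the new `one-off` text tells the reader this setting is overridden and a config reader cannot tell the scale. Style nit in the same hunk: "Amount of threads to use" reads better as "Number of threads to use".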
......@@ -86,6 +99,15 @@ logdir=/var/log/stapled/
;; https://cbonte.github.io/haproxy-dconv/1.7/management.html#9.3-set%20ssl%20ocsp-response
haproxy-sockets=[/var/run/haproxy/admin.sock]
;; By default stapled will try to connect to the default socket path, which can
;; be changed or set to an empty list by the --haproxy-sockets argument.
;; The --no-haproxy-sockets argument explicitly disables the haproxy socket
;; connection and overrides the --haproxy-sockets argument's paths if set.
;; Note that this does NOT disable the --haproxy-config argument, i.e.: if a
;; haproxy config is set, it will be parsed for certificate paths, without
;; matching sockets.
; no-haproxy-sockets
;; Use HAProxy config files as the source of cert-paths and socket mappings.
;; Setting this will merge your `cert-paths` with paths found in the specified
;; HAProxy config files. Sockets defined in `haproxy-sockets` will also be
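Review bot: the clause "be changed or set to an empty list by the --haproxy-sockets argument" may now be misleading. The commit message says disabling has to be made explicit because of a configparser change, yet this comment still presents an empty list as a way to switch the sockets off. If `haproxy-sockets=[]` no longer disables them, drop that clause and point only at `no-haproxy-sockets`; if it still does, state which of the two wins when both are given, because the text only covers `--no-haproxy-sockets` overriding configured paths. Minor: "i.e.:" can lose the colon.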
......@@ -103,8 +125,3 @@ haproxy-sockets=[/var/run/haproxy/admin.sock]
;; and/or `syslog` to prevent output on stdout while logging the set verbosity
;; level to a file or syslog. Uncomment to enable
; quiet
;; Don't re-use existing ocsp files, refresh all staples regardless of their
;; validity. By default existing staples are recycled if they are valid for
;; longer than the minimum_validity setting.
; no-recycle
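Review bot: dropping this block is right, since the same `no-recycle` text now lives under `[validity]` in the first hunk, but the surviving `; quiet` entry just above it ends with "Uncomment to enable" without a period while the other entries in this file end with "Uncomment to enable."; worth aligning while this region is being touched.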
......@@ -217,8 +217,7 @@ def get_cli_arg_parser():
)
parser.add(
'--no-haproxy-sockets',
action='store_false',
dest='haproxy_sockets',
action='store_true',
help=(
"Disable HAProxy sockets, overrides ``--haproxy-sockets`` if "
"specified in the config file."
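Review bot: switching `--no-haproxy-sockets` from `action='store_false', dest='haproxy_sockets'` to `action='store_true'` changes the argparse namespace: `args.haproxy_sockets` now keeps whatever paths were configured even when the flag is given, and every consumer has to consult the new `args.no_haproxy_sockets` instead. This diff updates `init()` and `__get_haproxy_socket_mapping()`; grep for any other read of `args.haproxy_sockets` (in particular any remaining `is False` comparison on it) before merging, since such a site would now silently treat the sockets as enabled. The help string could also say the flag overrides `--haproxy-sockets` whether it comes from the config file or the command line, as the code below does not distinguish the two.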
......@@ -348,8 +347,8 @@ def init():
# config files, de-duplicated.
cert_paths = haproxy_socket_mapping.keys()
# Determine if we need to start a stapleadder thread.
if not any(haproxy_socket_mapping.values()):
# Determine if we need to start a staple adder thread.
if args.no_haproxy_sockets or not any(haproxy_socket_mapping.values()):
haproxy_socket_mapping = None
daemon_kwargs = dict(
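Review bot: the added `args.no_haproxy_sockets or` test is redundant with the last hunk, where the flag already makes `__get_haproxy_socket_mapping()` store an empty socket list for every path, so `not any(haproxy_socket_mapping.values())` would be True on its own. Keeping it as an explicit short-circuit is fine, but say so in the comment above it (`# Determine if we need to start a staple adder thread.`) so a later reader does not assume the two conditions cover different cases. It is also worth a one-line comment that `cert_paths = haproxy_socket_mapping.keys()` is deliberately taken before the mapping is set to `None`, since that ordering is what keeps the certificate paths available.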
......@@ -501,7 +500,7 @@ def __get_haproxy_socket_mapping(args):
for path in paths:
# When certificate path is already in the mapping add the socket
# file to the mapping if haproxy_sockets is not disabled.
if args.haproxy_sockets is False:
if args.no_haproxy_sockets:
# haproxy_sockets are disabled, just ensure the path is in the
# mapping without sockets.
mapping[path] = []
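Review bot: the comment two lines above the changed condition still reads "if haproxy_sockets is not disabled" while the code now tests `args.no_haproxy_sockets`; update it so the comment and the flag name agree. Replacing `args.haproxy_sockets is False` with a truthiness test on a `store_true` flag is an improvement: the old identity comparison would fall through when the attribute was `None` or an empty list. Note that `mapping[path] = []` overwrites any sockets an earlier entry for `path` already held; with the flag set that is the intended result, but a short comment saying so would keep it from looking like an accidental reset.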
......