Merge pull request #3526 from vyos/mergify/bp/sagitta/pr-3523

reverse-proxy: T6402: Fix invalid checks in validation script (backport #3523)

Author: dmbaturin

src/conf_mode/load-balancing_reverse-proxy.py

@@ -88,22 +88,22 @@ def verify(lb):
             if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
                 raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
 
+        if 'ssl' in back_config:
+            if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']):
+                raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!')
+
     # Check if http-response-headers are configured in any frontend/backend where mode != http
     for group in ['service', 'backend']:
         for config_name, config in lb[group].items():
             if 'http_response_headers' in config and ('mode' not in config or config['mode'] != 'http'):
                 raise ConfigError(f'{group} {config_name} must be set to http mode to use http_response_headers!')
 
-        if 'ssl' in back_config:
-            if {'no_verify', 'ca_certificate'} <= set(back_config['ssl']):
-                raise ConfigError(f'backend {back} cannot have both ssl options no-verify and ca-certificate set!')
-
     for front, front_config in lb['service'].items():
         for cert in dict_search('ssl.certificate', front_config) or []:
             verify_pki_certificate(lb, cert)
 
     for back, back_config in lb['backend'].items():
-        tmp = dict_search('ssl.ca_certificate', front_config)
+        tmp = dict_search('ssl.ca_certificate', back_config)
         if tmp: verify_pki_ca_certificate(lb, tmp)