MEDIUM: checks: enable the PROXY protocol with health checks

When health checks are configured on a server which has the send-proxy
directive and no "port" nor "addr" settings, the health check connections
will automatically use the PROXY protocol. If "port" or "addr" are set,
the "check-send-proxy" directive may be used to force the protocol.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d4ad1072cbf2ab0cfc43c06a0b8f3a059177d68e..eba05b4111833f0346c651915cb6f5f82f60b71d 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7024,6 +7024,17 @@ check
 
   Supported in default-server: No
 
+check-send-proxy
+  This option forces emission of a PROXY protocol line with outgoing health
+  checks, regardless of whether the server uses send-proxy or not for the
+  normal traffic. By default, the PROXY protocol is enabled for health checks
+  if it is already enabled for normal traffic and if no "port" nor "addr"
+  directive is present. However, if such a directive is present, the
+  "check-send-proxy" option needs to be used to force the use of the
+  protocol. See also the "send-proxy" option for more information.
+
+  Supported in default-server: No
+
 check-ssl
   This option forces encryption of all health checks over SSL, regardless of
   whether the server uses SSL or not for the normal traffic. This is generally
@@ -7301,8 +7312,11 @@ send-proxy
   are supported. Other families such as Unix sockets, will report an UNKNOWN
   family. Servers using this option can fully be chained to another instance of
   haproxy listening with an "accept-proxy" setting. This setting must not be
-  used if the server isn't aware of the protocol. See also the "accept-proxy"
-  option of the "bind" keyword.
+  used if the server isn't aware of the protocol. When health checks are sent
+  to the server, the PROXY protocol is automatically used when this option is
+  set, unless there is an explicit "port" or "addr" directive, in which case an
+  explicit "check-send-proxy" directive would also be needed to use the PROXY
+  protocol. See also the "accept-proxy" option of the "bind" keyword.
 
   Supported in default-server: No
 

diff --git a/include/types/server.h b/include/types/server.h
index 864b56ea45970d3f83d8ca3d2b61dc2bdf683240..acfdeafc4fec1b3ed06e4eea78c27f6d6a75ab87 100644 (file)
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -169,6 +169,7 @@ struct server {
                short status, code;             /* check result, check code */
                char desc[HCHK_DESC_LEN];       /* health check descritpion */
                int use_ssl;                    /* use SSL for health checks */
+               int send_proxy;                 /* send a PROXY protocol header with checks */
        } check;
 
 #ifdef USE_OPENSSL

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 3f785ce138e847619d0c077c4859f78da5c73496..c6b0235a1e5e28fe17de43844c19d57c721f48fd 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4145,6 +4145,10 @@ stats_error_parsing:
                                newsrv->state |= SRV_SEND_PROXY;
                                cur_arg ++;
                        }
+                       else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) {
+                               newsrv->check.send_proxy = 1;
+                               cur_arg ++;
+                       }
                        else if (!strcmp(args[cur_arg], "weight")) {
                                int w;
                                w = atol(args[cur_arg + 1]);
@@ -4566,8 +4570,10 @@ stats_error_parsing:
                         * same as for the production traffic. Otherwise we use raw_sock by
                         * default, unless one is specified.
                         */
-                       if (!newsrv->check.port && !is_addr(&newsrv->check.addr))
+                       if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) {
                                newsrv->check.use_ssl |= newsrv->use_ssl;
+                               newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY);
+                       }
 
                        /* try to get the port from check.addr if check.port not set */
                        if (!newsrv->check.port)

diff --git a/src/checks.c b/src/checks.c
index 52f70d2468be2fc58b936617f666e30d5a57fc5c..7895e5d4cc39073ffdda300528910ed62a4c2454 100644 (file)
--- a/src/checks.c
+++ b/src/checks.c
@@ -1331,6 +1331,8 @@ static struct task *process_chk(struct task *t)
                 */
                ret = s->check.proto->connect(conn, 1);
                conn->flags |= CO_FL_WAKE_DATA;
+               if (s->check.send_proxy)
+                       conn->flags |= CO_FL_LOCAL_SPROXY;
 
                switch (ret) {
                case SN_ERR_NONE: