MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers

For server checks, SSL and PROXY is automatically inherited from the
server settings if no specific check port is specified. Change this
behavior for dynamic servers : explicit "check-ssl"/"check-send-proxy"
are required for them.

Without this change, it is impossible to add a dynamic server with
SSL/PROXY settings and checks without, if the check port is not
explicit. This is because "no-check-ssl"/"no-check-send-proxy" keywords
are not available for dynamic servers.

This change respects the principle that dynamic servers on the CLI
should not reuse the same shortcuts used during the config file parsing.
Mostly because we expect this feature to be manipulated by automated
tools, contrary to the config file which should aim to be the shortest
possible for human readability.

Update the documentation of the "check" keyword to reflect this change.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 583df47733881e83b1d177926875a62b385fe710..e1ae117b005ef93390f6e4694eac61a186d9dac8 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14435,7 +14435,8 @@ check
       transport layer. This means TCP by default, or SSL/TLS when "ssl" or
       "check-ssl" are set, both possibly combined with connection prefixes such
       as a PROXY protocol header when "send-proxy" or "check-send-proxy" are
-      set.
+      set. This behavior is slightly different for dynamic servers, read the
+      following paragraphs for more details.
     - when set and an application-level health check is defined, the
       application-level exchanges are performed on top of the configured
       transport layer and the server is considered available if all of the
@@ -14449,6 +14450,11 @@ check
   parameters are not reused. One must explicitly set "check-send-proxy" to send
   connection headers, "check-ssl" to use SSL/TLS.
 
+  Note that the implicit configuration of ssl and PROXY protocol is not
+  performed for dynamic servers. In this case, it is required to explicitely
+  use "check-ssl" and "check-send-proxy" when wanted, even if the check port is
+  not overridden.
+
   When "sni" or "alpn" are set on the server line, their value is not used for
   health checks and one must use "check-sni" or "check-alpn".
 

diff --git a/src/check.c b/src/check.c
index 413ef3fdae9e33b36aa5b9771178f8267fb3d99f..da2deab37ccedb9d2a8775042f6d6ad17fca2046 100644 (file)
--- a/src/check.c
+++ b/src/check.c
@@ -1566,22 +1566,33 @@ int init_srv_check(struct server *srv)
 
        check_type = srv->check.tcpcheck_rules->flags & TCPCHK_RULES_PROTO_CHK;
 
-       /* If neither a port nor an addr was specified and no check transport
-        * layer is forced, then the transport layer used by the checks is the
-        * same as for the production traffic. Otherwise we use raw_sock by
-        * default, unless one is specified.
-        */
-       if (!srv->check.port && !is_addr(&srv->check.addr)) {
-               if (!srv->check.use_ssl && srv->use_ssl != -1) {
-                       srv->check.use_ssl = srv->use_ssl;
-                       srv->check.xprt    = srv->xprt;
+       if (!(srv->flags & SRV_F_DYNAMIC)) {
+               /* If neither a port nor an addr was specified and no check
+                * transport layer is forced, then the transport layer used by
+                * the checks is the same as for the production traffic.
+                * Otherwise we use raw_sock by default, unless one is
+                * specified.
+                */
+               if (!srv->check.port && !is_addr(&srv->check.addr)) {
+                       if (!srv->check.use_ssl && srv->use_ssl != -1) {
+                               srv->check.use_ssl = srv->use_ssl;
+                               srv->check.xprt    = srv->xprt;
+                       }
+                       else if (srv->check.use_ssl == 1)
+                               srv->check.xprt = xprt_get(XPRT_SSL);
+                       srv->check.send_proxy |= (srv->pp_opts);
                }
                else if (srv->check.use_ssl == 1)
                        srv->check.xprt = xprt_get(XPRT_SSL);
-               srv->check.send_proxy |= (srv->pp_opts);
        }
-       else if (srv->check.use_ssl == 1)
-               srv->check.xprt = xprt_get(XPRT_SSL);
+       else {
+               /* For dynamic servers, check-ssl and check-send-proxy must be
+                * explicitely defined even if the check port was not
+                * overridden.
+                */
+               if (srv->check.use_ssl == 1)
+                       srv->check.xprt = xprt_get(XPRT_SSL);
+       }
 
        /* Inherit the mux protocol from the server if not already defined for
         * the check