MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks.

Add a new keyword, "check-sni", to be able to specify the SNI to be used when
doing health checks over SSL.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 934f87759aa7629a5888fa7001c0cfde0663191d..1421808b88d804400f6dd1c4ec7e1a55a5a4bdc2 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10970,6 +10970,10 @@ check-send-proxy
   "check-send-proxy" option needs to be used to force the use of the
   protocol. See also the "send-proxy" option for more information.
 
+check-sni
+  This option allows you to specify the SNI to be used when doing health checks
+  over SSL.
+
 check-ssl
   This option forces encryption of all health checks over SSL, regardless of
   whether the server uses SSL or not for the normal traffic. This is generally

diff --git a/include/types/checks.h b/include/types/checks.h
index 283ff3dbed3b7b23a1a3c2ef4a10ed68c74ccf02..3559f2d5283585ad16405f3f778acfe8c3610dda 100644 (file)
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -184,6 +184,7 @@ struct check {
        char **envp;                            /* the environment to use if running a process-based check */
        struct pid_list *curpid;                /* entry in pid_list used for current process-based test, or -1 if not in test */
        struct sockaddr_storage addr;           /* the address to check */
+       char *sni;                              /* Server name */
 };
 
 struct check_status {

diff --git a/src/checks.c b/src/checks.c
index c02935cf082b56afbde7f91844c8cbe8c5c43f8c..413365b2429fe00380a16126b4724d4eebc6e96a 100644 (file)
--- a/src/checks.c
+++ b/src/checks.c
@@ -60,6 +60,10 @@
 #include <proto/dns.h>
 #include <proto/proto_udp.h>
 
+#ifdef USE_OPENSSL
+#include <proto/ssl_sock.h>
+#endif /* USE_OPENSSL */
+
 static int httpchk_expect(struct server *s, int done);
 static int tcpcheck_get_step_id(struct check *);
 static char * tcpcheck_get_step_comment(struct check *, int);
@@ -1597,6 +1601,10 @@ static int connect_conn_chk(struct task *t)
        ret = SF_ERR_INTERNAL;
        if (proto && proto->connect)
                ret = proto->connect(conn, check->type, quickack ? 2 : 0);
+#ifdef USE_OPENSSL
+       if (s->check.sni)
+               ssl_sock_set_servername(conn, s->check.sni);
+#endif
        if (s->check.send_proxy && !(check->state & CHK_ST_AGENT)) {
                conn->send_proxy_ofs = 1;
                conn->flags |= CO_FL_SEND_PROXY;

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 774a5a683d968fa593e63f73e36ccb62c833ab36..1d00b42e4ae01f0da491c4b61b2369f4323ee87d 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7075,6 +7075,24 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
        return 0;
 }
 
+/* parse the "check-sni" server keyword */
+static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+       if (!*args[*cur_arg + 1]) {
+               if (err)
+                       memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+
+       newsrv->check.sni = strdup(args[*cur_arg + 1]);
+       if (!newsrv->check.sni) {
+               memprintf(err, "'%s' : failed to allocate memory", args[*cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+       return 0;
+
+}
+
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -8031,6 +8049,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "ca-file",                 srv_parse_ca_file,            1, 1 }, /* set CAfile to process verify server cert */
+       { "check-sni",               srv_parse_check_sni,          1, 1 }, /* set SNI */
        { "check-ssl",               srv_parse_check_ssl,          0, 1 }, /* enable SSL for health checks */
        { "ciphers",                 srv_parse_ciphers,            1, 1 }, /* select the cipher suite */
        { "crl-file",                srv_parse_crl_file,           1, 1 }, /* set certificate revocation list file use on server cert verify */