BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
authorCyril Bonté <cyril.bonte@free.fr>
Sat, 15 Nov 2014 21:41:27 +0000 (22:41 +0100)
committerWilly Tarreau <w@1wt.eu>
Sat, 15 Nov 2014 23:53:12 +0000 (00:53 +0100)
Lasse Birnbaum Jensen reported an issue when agent checks are used at the same
time as standard healthchecks when SSL is enabled on the server side.

The symptom is that agent checks try to communicate in SSL whereas they should
handle raw data. This happens because the transport layer is shared between all
kinds of checks.

To fix the issue, the transport layer is now stored in each check type,
allowing to use SSL healthchecks when required, while an agent check should
always use the raw_sock implementation.

The fix must be backported to 1.5.

include/types/checks.h
include/types/server.h
src/checks.c
src/server.c
src/ssl_sock.c

index d09d3e4a766a6cca08993cfac997536bf58b7a4a..2ffbc2927ade423f2bb81782f447912c973f7396 100644 (file)
@@ -129,6 +129,7 @@ enum {
 };
 
 struct check {
+       struct xprt_ops *xprt;                  /* transport layer operations for health checks */
        struct connection *conn;                /* connection state for health checks */
        unsigned short port;                    /* the port to use for the health checks */
        struct buffer *bi, *bo;                 /* input and output buffers to send/recv check */
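Review bot: The comment on the new `xprt` member still reads "for health checks", but the src/server.c hunk assigns it on both `newsrv->check` and `newsrv->agent`, so this struct also backs agent checks. A wording such as `/* transport layer used by this check (raw_sock or ssl_sock) */` would describe the per-check ownership that is the point of the fix. The relationship to `use_ssl` a few lines below is also unstated; judging from the src/ssl_sock.c hunk, `use_ssl` is the configured intent and `xprt` is derived from it, which is worth a short comment. The struct definition continues outside this hunk.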
@@ -136,7 +137,7 @@ struct check {
        struct timeval start;                   /* last health check start time */
        long duration;                          /* time in ms took to finish last health check */
        short status, code;                     /* check result, check code */
-       char desc[HCHK_DESC_LEN];               /* health check descritpion */
+       char desc[HCHK_DESC_LEN];               /* health check description */
        int use_ssl;                            /* use SSL for health checks */
        int send_proxy;                         /* send a PROXY protocol header with checks */
        struct tcpcheck_rule *current_step;     /* current step when using tcpcheck */
index 94f9a0fe248bfeaa0a633682ca1bb952d05bc217..5798fab4e16180bd668ff9c0fabe9b5f13810a04 100644 (file)
@@ -202,7 +202,6 @@ struct server {
 
        struct {                                /* configuration  used by health-check and agent-check */
                struct protocol *proto;         /* server address protocol for health checks */
-               struct xprt_ops *xprt;          /* transport layer operations for health checks */
                struct sockaddr_storage addr;   /* the address to check, if different from <addr> */
        } check_common;
 
index 15a3c40a906982abcecd82cf1bb38750ab9f7549..5dc95b2a2825a4e854ceb8d62ccd6dc15cf79883 100644 (file)
@@ -1419,7 +1419,7 @@ static int connect_conn_chk(struct task *t)
 
        /* prepare a new connection */
        conn_init(conn);
-       conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
+       conn_prepare(conn, s->check_common.proto, check->xprt);
        conn_attach(conn, check, &check_conn_cb);
        conn->target = &s->obj_type;
 
index fdb63cc33a2d68d18bd9845c897cf361b9ef03a5..94a31b6659bed753184c3e6385d3f8d04e5ad17b 100644 (file)
@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 
                        newsrv->addr = *sk;
                        newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family);
-                       newsrv->xprt  = newsrv->check_common.xprt  = &raw_sock;
+                       newsrv->xprt  = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock;
 
                        if (!newsrv->proto) {
                                Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n",
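Review bot: The chained assignment pins `newsrv->agent.xprt` to `&raw_sock`, and none of the visible hunks changes it afterwards (the src/ssl_sock.c hunk only switches `srv->check.xprt`), so agent traffic stays cleartext even when the server and its health check use SSL. The commit message says this is intended, but the code does not, and a later "consistency" patch could reintroduce the bug. It is also a security-relevant property for operators, since agent replies can influence server state and have no transport-level confidentiality or integrity. I would add a comment above the line, for example `/* agent checks always use raw_sock (cleartext), even if the server or its health check uses SSL */`. The body of parse_server starts and ends outside this hunk.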
index e8a3df9d0025b564bc503be068f48e9b219df424..a8b4ea8cd044ced618b3509c87bb90de88059ca3 100644 (file)
@@ -1825,7 +1825,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
        if (srv->use_ssl)
                srv->xprt = &ssl_sock;
        if (srv->check.use_ssl)
-               srv->check_common.xprt = &ssl_sock;
+               srv->check.xprt = &ssl_sock;
 
        srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
        if (!srv->ssl_ctx.ctx) {