]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7a1ec23)
BUG/MINOR: proto_reverse_connect: support SNI on active connect
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 3 Nov 2023 10:03:49 +0000 (11:03 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 3 Nov 2023 10:11:44 +0000 (11:11 +0100)
SNI may be specify on a server line for connecting to the remote host.
This requires to manually set it on the connection via
ssl_sock_set_servername().

This step was missing when a server line was used for active reverse
HTTP. Fix this by adding the missing ssl_sock_set_servername()
invocation inside new_reverse_conn().

Note that for the moment, no session is instantiated to carry active
reverse connection. A direct consequence of this is that SNI sample
retrieval may crash depending if it depends on session parameters. This
should be fixed by a later commit. In the meantime, this patch is
sufficient to support simple SNI value such as constant expressions.

No need to backport.

src/proto_reverse_connect.c patch | blob | blame | history

diff --git a/src/proto_reverse_connect.c b/src/proto_reverse_connect.c
index e02620476c26cf8a1d76d937a284c534588de859..39bb22aeb571b8a26d1ec0b0fc97187e4174c248 100644 (file)
--- a/src/proto_reverse_connect.c
+++ b/src/proto_reverse_connect.c
@@ -10,8 +10,10 @@
 #include <haproxy/proto_tcp.h>
 #include <haproxy/protocol.h>
 #include <haproxy/proxy.h>
+#include <haproxy/sample.h>
 #include <haproxy/server.h>
 #include <haproxy/sock.h>
+#include <haproxy/ssl_sock.h>
 #include <haproxy/task.h>
 
 #include <haproxy/proto_reverse_connect.h>
@@ -74,6 +76,18 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr
        if (conn->ctrl->connect(conn, 0) != SF_ERR_NONE)
                goto err;
 
+#ifdef USE_OPENSSL
+       if (srv->ssl_ctx.sni) {
+               struct sample *sni_smp = NULL;
+               /* TODO remove NULL session which can cause crash depending on the SNI sample expr used. */
+               sni_smp = sample_fetch_as_type(srv->proxy, NULL, NULL,
+                                              SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+                                              srv->ssl_ctx.sni, SMP_T_STR);
+               if (smp_make_safe(sni_smp))
+                       ssl_sock_set_servername(conn, sni_smp->data.u.str.area);
+       }
+#endif /* USE_OPENSSL */
+
        if (conn_xprt_start(conn) < 0)
                goto err;
 
Mirror of https://github.com/haproxy/haproxy.git