BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections 20250903-cfa-auto-sni-for-http
authorChristopher Faulet <cfaulet@haproxy.com>
Wed, 3 Sep 2025 14:50:47 +0000 (16:50 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Wed, 3 Sep 2025 14:54:27 +0000 (16:54 +0200)
When we try to reuse a connection to perform a healthcheck, the SNI, from the
tcpcheck connect rule or the healthcheck itself, must not be used as the
connection name for non-SSL connections.

This patch must be backported to 3.2.

src/tcpcheck.c

index f7ac537fb6cd18dfd0d9babc9f3e6bcb2e515c00..240d24d868f8bd198fdb49d350173afcbe8e3ec7 100644 (file)
@@ -1221,6 +1221,17 @@ static inline int tcpcheck_use_nondefault_connect(const struct check *check,
          (connect->options & TCPCHK_MASK_OPTS_CONNECT);
 }
 
+/* Returns true if the connect rule uses SSL. */
+static inline int tcpcheck_connect_use_ssl(const struct check *check,
+                                          const struct tcpcheck_connect *connect)
+{
+       if (connect->options & TCPCHK_OPT_SSL)
+               return 1;
+       if (connect->options & TCPCHK_OPT_DEFAULT_CONNECT)
+               return (check->xprt == xprt_get(XPRT_SSL));
+       return 0;
+}
+
 /* Evaluates a TCPCHK_ACT_CONNECT rule. Returns TCPCHK_EVAL_WAIT to wait the
  * connection establishment, TCPCHK_EVAL_CONTINUE to evaluate the next rule or
  * TCPCHK_EVAL_STOP if an error occurred.
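Review bot: The header comment on tcpcheck_connect_use_ssl does not say how the answer is reached, and the default-connect branch is the non-obvious part: an explicit TCPCHK_OPT_SSL wins, otherwise only a rule carrying TCPCHK_OPT_DEFAULT_CONNECT consults the check's transport, and any other rule is treated as plain TCP. I would replace the one-liner with `/* Returns true if the connect rule uses SSL: either the rule sets TCPCHK_OPT_SSL explicitly, or it inherits the default connect settings and the check's transport is the SSL one. A non-default rule without TCPCHK_OPT_SSL is plain TCP. */`. Whether xprt_get(XPRT_SSL) can return NULL in a build without SSL support is not visible in this hunk; if it can, the comparison still yields 0 for a check whose transport is set, which is the wanted answer, but a short note to that effect next to the comparison would spare the next reader the lookup.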
@@ -1274,10 +1285,12 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 
                if (check->pool_conn_name)
                        pool_conn_name = ist(check->pool_conn_name);
-               else if (connect->sni)
-                       pool_conn_name = ist(connect->sni);
-               else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
-                       pool_conn_name = ist(check->sni);
+               else if (tcpcheck_connect_use_ssl(check, connect)) {
+                       if (connect->sni)
+                               pool_conn_name = ist(connect->sni);
+                       else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
+                               pool_conn_name = ist(check->sni);
+               }
 
                hash = be_calculate_conn_hash(s, NULL, check->sess, NULL, NULL, pool_conn_name);
                conn_err = be_reuse_connection(hash, check->sess, s->proxy, s,
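Review bot: The reason the SNI is now gated on the transport is not recorded where the fix lives: a reader of `else if (tcpcheck_connect_use_ssl(check, connect)) {` has to go back to the commit message to learn that a plain connection carries no SNI, so a reuse name derived from one is not the key such a connection was stored under. I would add, above that line, `/* The SNI only identifies a TLS endpoint: it must not take part in the reuse name of a plain connection, otherwise the hash computed below cannot match the one the pooled connection was stored with. */`. It is also worth stating that an explicit check->pool_conn_name, tested on the line above, still wins regardless of the transport; that precedence looks deliberate since it is operator-provided, but a comment would make it so rather than accidental. tcpcheck_eval_connect begins before this hunk and the be_reuse_connection call continues past its last line.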