From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 9 Sep 2025 09:20:46 +0000 (+0200)
Subject: MINOR: check: reject invalid check config on a QUIC server
X-Git-Tag: v3.3-dev9~182
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0678d0a69b1a2a903781e33153630ae203a72aa7;p=thirdparty%2Fhaproxy.git

MINOR: check: reject invalid check config on a QUIC server

QUIC is now supported on the backend side. The previous commit ensures
that simple checks can be activated on QUIC servers without any issue.

The current patch ensures that check server settings remain compatible
with a QUIC server. Thus, configuration is now invalid if check
specifies an explicit MUX proto other than QUIC, disables SSL or try to
use PROXY protocol.
---

diff --git a/src/check.c b/src/check.c
index 03c85613f..3b046a27e 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1854,6 +1854,27 @@ int init_srv_check(struct server *srv)
 
 	/* validate <srv> server health-check settings */
 
+	if (srv_is_quic(srv)) {
+		if (srv->check.mux_proto && srv->check.mux_proto != get_mux_proto(ist("quic"))) {
+			ha_alert("config: %s '%s': QUIC server '%s' uses an incompatible MUX protocol for checks.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+
+		if (srv->check.use_ssl < 0) {
+			ha_alert("config: %s '%s': SSL is mandatory for checks on QUIC server '%s'.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+		}
+
+		if (srv->check.send_proxy) {
+			ha_alert("config: %s '%s': cannot use PROXY protocol for checks on QUIC server '%s'.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+		}
+	}
+
 	/* We need at least a service port, a check port or the first tcp-check
 	 * rule must be a 'connect' one when checking an IPv4/IPv6 server.
 	 */