From: William Manley Date: Wed, 8 May 2024 10:43:11 +0000 (+0100) Subject: MINOR: rhttp: Don't require SSL when attach-srv name parsing X-Git-Tag: v3.0-dev12~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=366b722f7e4c0bd0bbdd112530026feb85a6c577;p=thirdparty%2Fhaproxy.git MINOR: rhttp: Don't require SSL when attach-srv name parsing An attach-srv config line usually looks like this: tcp-request session attach-srv be/srv name ssl_c_s_dn(CN) while a rhttp server line usually looks like this: server srv rhttp@ sni req.hdr(host) The server sni argument is used as a key for looking up connection in the connection pool. The attach-srv name argument is used as a key for inserting connections into the pool. For it to work correctly they must match. There was a check that either both the attach-srv and server provide that key or neither does. It also checked that SSL and SNI was activated on the server. However, thanks to current connect_server() implementation, it appears that SNI is usable even without SSL to identify a connection in the pool. Thus, it can be diverted from its original intent in reverse HTTP case to serve even without SSL activated. For example, this could be useful to use `fc_pp_unique_id` as a name expression (DISCLAIMER: note that for now PROXY protocol is not compatible with rhttp). Error is still reported if either SNI or name is used without the other. This patch adjust the message to a more helpful one. Arguably it would be easier to understand if instead of using `name` and `sni` for `attach-srv` and `server` rules it used the same term in both places - like "conn-pool-key" or something. That would make it clear that the two must match. --- diff --git a/src/tcp_act.c b/src/tcp_act.c index a88fab4afe..cef2e50d32 100644 --- a/src/tcp_act.c +++ b/src/tcp_act.c @@ -520,10 +520,16 @@ static int tcp_check_attach_srv(struct act_rule *rule, struct proxy *px, char ** return 0; } - if ((rule->arg.attach_srv.name && (!srv->use_ssl || !srv->sni_expr)) || - (!rule->arg.attach_srv.name && srv->use_ssl && srv->sni_expr)) { - memprintf(err, "attach-srv rule: connection will never be used; either specify name argument in conjunction with defined SSL SNI on targeted server or none of these"); - return 0; + if (rule->arg.attach_srv.name) { + if (!srv->sni_expr) { + memprintf(err, "attach-srv rule has a name argument while server '%s/%s' does not have an sni argument; either add a sni argument to the server or remove the name argument from this attach-srv rule", ist0(be_name), ist0(sv_name)); + return 0; + } + } else { + if (srv->sni_expr) { + memprintf(err, "attach-srv rule has no name argument while server '%s/%s' has an sni argument; either add a name argument to the attach-srv rule or remove the sni argument from the server", ist0(be_name), ist0(sv_name)); + return 0; + } } rule->arg.attach_srv.srv = srv;