From: Willy Tarreau Date: Thu, 4 Oct 2012 22:04:16 +0000 (+0200) Subject: MEDIUM: checks: enable the PROXY protocol with health checks X-Git-Tag: v1.5-dev13~199 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c16adc661be22516f5904d949913bba8928bf0b;p=thirdparty%2Fhaproxy.git MEDIUM: checks: enable the PROXY protocol with health checks When health checks are configured on a server which has the send-proxy directive and no "port" nor "addr" settings, the health check connections will automatically use the PROXY protocol. If "port" or "addr" are set, the "check-send-proxy" directive may be used to force the protocol. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index d4ad1072cb..eba05b4111 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7024,6 +7024,17 @@ check Supported in default-server: No +check-send-proxy + This option forces emission of a PROXY protocol line with outgoing health + checks, regardless of whether the server uses send-proxy or not for the + normal traffic. By default, the PROXY protocol is enabled for health checks + if it is already enabled for normal traffic and if no "port" nor "addr" + directive is present. However, if such a directive is present, the + "check-send-proxy" option needs to be used to force the use of the + protocol. See also the "send-proxy" option for more information. + + Supported in default-server: No + check-ssl This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. This is generally @@ -7301,8 +7312,11 @@ send-proxy are supported. Other families such as Unix sockets, will report an UNKNOWN family. Servers using this option can fully be chained to another instance of haproxy listening with an "accept-proxy" setting. This setting must not be - used if the server isn't aware of the protocol. See also the "accept-proxy" - option of the "bind" keyword. + used if the server isn't aware of the protocol. When health checks are sent + to the server, the PROXY protocol is automatically used when this option is + set, unless there is an explicit "port" or "addr" directive, in which case an + explicit "check-send-proxy" directive would also be needed to use the PROXY + protocol. See also the "accept-proxy" option of the "bind" keyword. Supported in default-server: No diff --git a/include/types/server.h b/include/types/server.h index 864b56ea45..acfdeafc4f 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -169,6 +169,7 @@ struct server { short status, code; /* check result, check code */ char desc[HCHK_DESC_LEN]; /* health check descritpion */ int use_ssl; /* use SSL for health checks */ + int send_proxy; /* send a PROXY protocol header with checks */ } check; #ifdef USE_OPENSSL diff --git a/src/cfgparse.c b/src/cfgparse.c index 3f785ce138..c6b0235a1e 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4145,6 +4145,10 @@ stats_error_parsing: newsrv->state |= SRV_SEND_PROXY; cur_arg ++; } + else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) { + newsrv->check.send_proxy = 1; + cur_arg ++; + } else if (!strcmp(args[cur_arg], "weight")) { int w; w = atol(args[cur_arg + 1]); @@ -4566,8 +4570,10 @@ stats_error_parsing: * same as for the production traffic. Otherwise we use raw_sock by * default, unless one is specified. */ - if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) + if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) { newsrv->check.use_ssl |= newsrv->use_ssl; + newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY); + } /* try to get the port from check.addr if check.port not set */ if (!newsrv->check.port) diff --git a/src/checks.c b/src/checks.c index 52f70d2468..7895e5d4cc 100644 --- a/src/checks.c +++ b/src/checks.c @@ -1331,6 +1331,8 @@ static struct task *process_chk(struct task *t) */ ret = s->check.proto->connect(conn, 1); conn->flags |= CO_FL_WAKE_DATA; + if (s->check.send_proxy) + conn->flags |= CO_FL_LOCAL_SPROXY; switch (ret) { case SN_ERR_NONE: