From: Amaury Denoyelle Date: Thu, 15 Oct 2020 14:41:09 +0000 (+0200) Subject: MEDIUM: backend: reuse connection if using a static sni X-Git-Tag: v2.3-dev7~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7239c2498602415c1a85c4326cac8ee8330d9515;p=thirdparty%2Fhaproxy.git MEDIUM: backend: reuse connection if using a static sni Detect if the sni used a constant value and if so, allow reusing this connection for later sessions. Use a combination of SMP_USE_INTRN + !SMP_F_VOLATILE to consider a sample as a constant value. This feature has been requested on github issue #371. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 6a90bfadbf..678d2ee267 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -6646,8 +6646,9 @@ http-reuse { never | safe | aggressive | always } - connections made with "usesrc" followed by a client-dependent value ("client", "clientip", "hdr_ip") are marked private and never shared; - - connections sent to a server with a TLS SNI extension are marked private - and are never shared; + - connections sent to a server with a variable value as TLS SNI extension + are marked private and are never shared. This is not the case if the SNI + is guaranteed to be a constant, as for example using a literal string; - connections with certain bogus authentication schemes (relying on the connection) like NTLM are detected, marked private and are never shared; diff --git a/src/backend.c b/src/backend.c index 789becee25..ba642d9582 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1521,7 +1521,10 @@ int connect_server(struct stream *s) srv->ssl_ctx.sni, SMP_T_STR); if (smp_make_safe(smp)) { ssl_sock_set_servername(srv_conn, smp->data.u.str.area); - conn_set_private(srv_conn); + if (!(srv->ssl_ctx.sni->fetch->use & SMP_USE_INTRN) || + smp->flags & SMP_F_VOLATILE) { + conn_set_private(srv_conn); + } } } #endif /* USE_OPENSSL */
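Review bot: in the doc/configuration.txt hunk, the new wording "guaranteed to be a constant, as for example using a literal string" is looser than the rule the backend.c hunk actually applies, which is that the SNI sample fetch is internal (SMP_USE_INTRN) and the resulting sample is not volatile (SMP_F_VOLATILE); that covers more than a literal string. Stating the real criterion (the `sni` expression does not depend on the request, session or client) would let administrators predict which expressions keep connections shareable under "http-reuse". Also, "This is not the case if the SNI is guaranteed to be a constant ..." is a second sentence inside a bullet that still ends with ";", so the item now reads as two sentences in one list entry; folding the exception into the bullet's single sentence would match the surrounding items.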
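Review bot: in the src/backend.c hunk, the condition `if (!(srv->ssl_ctx.sni->fetch->use & SMP_USE_INTRN) || smp->flags & SMP_F_VOLATILE)` relies on `&` binding tighter than `||`, which is correct but easy to misread; parenthesizing `(smp->flags & SMP_F_VOLATILE)` and adding a short comment stating the intended rule (keep the connection private unless the SNI came from an internal, non-volatile sample) would make the reasoning explicit in the code rather than only in the commit message. This check is now the only thing preventing a connection established with one server name from being handed to a later stream that expects a different one, which the unconditional `conn_set_private(srv_conn)` it replaces ruled out by construction, so it would be worth confirming in review that `srv->ssl_ctx.sni->fetch->use` reflects the whole `sni` expression, including any converters applied after the fetch keyword, and not just its first element.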