MEDIUM: config: add support for the 'ssl' option on 'server' lines
authorEmeric Brun <ebrun@exceliance.fr>
Fri, 18 May 2012 14:02:00 +0000 (16:02 +0200)
committerWilly Tarreau <w@1wt.eu>
Mon, 3 Sep 2012 20:02:21 +0000 (22:02 +0200)
This option currently takes no argument and simply turns SSL on for all
connections going to the server. It is likely that more options will
be needed in the future.

include/types/server.h
src/cfgparse.c

index b009e1bad47adb09b273f25663d18392060696f6..21366a90a158c001b034341f6521ce2b27661192 100644 (file)
@@ -169,6 +169,7 @@ struct server {
        int check_data_len;                     /* length of partial check results stored in check_data */
 
 #ifdef USE_OPENSSL
+       int use_ssl;                            /* ssl enabled */
        struct {
                SSL_CTX *ctx;
                SSL_SESSION *reused_sess;
index d8b7e6dbe382f2d2bae393220fab391b4a1586af..06559e6b62596b49cc904a83d275e2d882e2bd08 100644 (file)
@@ -4144,6 +4144,9 @@ stats_error_parsing:
                        newsrv->onerror         = curproxy->defsrv.onerror;
                        newsrv->consecutive_errors_limit
                                                = curproxy->defsrv.consecutive_errors_limit;
+#ifdef OPENSSL
+                       newsrv->use_ssl         = curproxy->defsrv.use_ssl;
+#endif
                        newsrv->uweight = newsrv->iweight
                                                = curproxy->defsrv.iweight;
 
@@ -4380,6 +4383,17 @@ stats_error_parsing:
                                newsrv->health = 0;
                                cur_arg += 1;
                        }
+                       else if (!strcmp(args[cur_arg], "ssl")) {
+#ifdef USE_OPENSSL
+                               newsrv->use_ssl = 1;
+                               cur_arg += 1;
+#else /* USE_OPENSSL */
+                               Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+                                     file, linenum, args[cur_arg]);
+                               err_code |= ERR_ALERT | ERR_FATAL;
+                               goto out;
+#endif /* USE_OPENSSL */
+                       }
                        else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
                                if (!strcmp(args[cur_arg + 1], "none"))
                                        newsrv->observe = HANA_OBS_NONE;
@@ -6340,6 +6354,45 @@ out_uri_auth_compat:
                                newsrv->minconn = newsrv->maxconn;
                        }
 
+#ifdef USE_OPENSSL
+#ifndef SSL_OP_NO_COMPRESSION     /* needs OpenSSL >= 0.9.9 */
+#define SSL_OP_NO_COMPRESSION 0
+#endif
+#ifndef SSL_MODE_RELEASE_BUFFERS  /* needs OpenSSL >= 1.0.0 */
+#define SSL_MODE_RELEASE_BUFFERS 0
+#endif
+#ifndef SSL_OP_NO_COMPRESSION     /* needs OpenSSL >= 0.9.9 */
+#define SSL_OP_NO_COMPRESSION 0
+#endif
+                       if (newsrv->use_ssl) {
+                               int ssloptions =
+                                       SSL_OP_ALL | /* all known workarounds for bugs */
+                                       SSL_OP_NO_SSLv2 |
+                                       SSL_OP_NO_COMPRESSION;
+                               int sslmode =
+                                       SSL_MODE_ENABLE_PARTIAL_WRITE |
+                                       SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+                                       SSL_MODE_RELEASE_BUFFERS;
+
+                               /* Initiate SSL context for current server */
+                               newsrv->ssl_ctx.reused_sess = NULL;
+                               newsrv->data = &ssl_sock;
+                               newsrv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
+                               if(!newsrv->ssl_ctx.ctx) {
+
+                                       Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
+                                               proxy_type_str(curproxy), curproxy->id,
+                                               newsrv->id);
+                                               cfgerr++;
+                                               goto next_srv;
+                               }
+
+                               SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
+                               SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
+                               SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
+                               SSL_CTX_set_session_cache_mode(newsrv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
+                       }
+#endif /* USE_OPENSSL */
                        if (newsrv->trackit) {
                                struct proxy *px;
                                struct server *srv;
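Review bot: The client context built in the last hunk calls `SSL_CTX_set_verify(..., SSL_VERIFY_NONE, NULL)`, so the backend's certificate is never checked and an on-path attacker can impersonate the server; even if verification is deferred to a later change, that limitation should be stated at the call site, e.g. `/* no certificate verification yet: the backend is encrypted to, not authenticated */`, and in the option's documentation. The second hunk guards the default-server inheritance with `#ifdef OPENSSL` while the `use_ssl` field and every other site use `USE_OPENSSL`, so `newsrv->use_ssl = curproxy->defsrv.use_ssl;` is never compiled in a real build; it should read `#ifdef USE_OPENSSL`. The `#ifndef SSL_OP_NO_COMPRESSION` fallback is also defined twice in the third hunk, and the second copy can be dropped. The enclosing server-line parser and the post-parse check loop both start and end outside these hunks.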