MINOR: peers: Add a warning about incompatible SSL config for the local peer
authorChristopher Faulet <cfaulet@haproxy.com>
Tue, 26 Jul 2022 17:03:51 +0000 (19:03 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Wed, 3 Aug 2022 07:56:38 +0000 (09:56 +0200)
In peers section, it is possible to enable SSL for the local peer. In this
case, the bind line and the server line should both be configured. A
"default-server" directive may also be used to configure the SSL on the
server side. However there is no test to be sure the SSL is enabled on both
sides. It is a problem because the local resync performed during a reload
will be impossible and it is probably not the expected behavior.

So, it is now checked during the configuration validation. A warning message
is displayed if the SSL is not properly configured for the local peer.

This patch is related to issue #1799. It should probably be backported to 2.6.

src/cfgparse.c

index 0edfad09578abd71015f82b1b8d148177f4b5203..1a8926fd183d998c2db3ee5326529b5204e44190 100644 (file)
@@ -4097,6 +4097,17 @@ out_uri_auth_compat:
                                        l = &curpeers->peers_fe->conf.bind;
                                        bind_conf = LIST_ELEM(l->n, typeof(bind_conf), by_fe);
 
+                                       if (curpeers->local->srv) {
+                                               if (curpeers->local->srv->use_ssl == 1 && !(bind_conf->options & BC_O_USE_SSL)) {
+                                                       ha_warning("Peers section '%s': local peer have a non-SSL listener and a SSL server configured at line %s:%d.\n",
+                                                                  curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
+                                               }
+                                               else if (curpeers->local->srv->use_ssl != 1 && (bind_conf->options & BC_O_USE_SSL)) {
+                                                       ha_warning("Peers section '%s': local peer have a SSL listener and a non-SSL server configured at line %s:%d.\n",
+                                                                  curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
+                                               }
+                                       }
+
                                        err = NULL;
                                        if (thread_resolve_group_mask(bind_conf->bind_tgroup, bind_conf->bind_thread,
                                                                      &bind_conf->bind_tgroup, &bind_conf->bind_thread, &err) < 0) {