MINOR: global: generate random cluster.secret if not defined

If no cluster-secret is defined by the user, a random one is silently
generated.

This ensures that at least QUIC Retry tokens are generated if abnormal
conditions are detected. However, it is advisable to specify it in the
configuration for tokens to be valid even after a reload or across LBs
instances in the same cluster.

This should be backported up to 2.6.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 46f49bf5c700798cc31381397261bc13547d375d..c3d4ea5ccd85f8c9e8cbc4682e37c8eb9f64d2d5 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1239,8 +1239,11 @@ cluster-secret <secret>
   same cluster. It could be used for different usages. It is at least used to
   derive stateless reset tokens for all the QUIC connections instantiated by
   this process. This is also the case to derive secrets used to encrypt Retry
-  tokens. If you do not set this parameter, the stateless reset and Retry QUIC
-  features will be both silently disabled.
+  tokens.
+
+  If this parameter is not set, a random value will be selected on process
+  startup. This allows to use features which rely on it, albeit with some
+  limitations.
 
 cpu-map [auto:]<thread-group>[/<thread-set>] <cpu-set>...
   On some operating systems, it is possible to bind a thread group or a thread

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 5a5744c21c6942a831a5e6efcdd9ce4b9510c5b3..2410cee758eaabcc703ed603bb95ed5581c58d57 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4375,9 +4375,11 @@ init_proxies_list_stage2:
                        goto init_proxies_list_stage2;
        }
 
-       if (diag_no_cluster_secret)
-               ha_diag_warning("No cluster secret was set. The stateless reset and Retry"
-                               " features are disabled for all QUIC bindings.\n");
+       if (diag_no_cluster_secret) {
+               ha_diag_warning("Generating a random cluster secret. "
+                               "You should define your own one in the configuration to ensure consistency "
+                               "after reload/restart or across your whole cluster.\n");
+       }
 
        /*
         * Recount currently required checks.

diff --git a/src/haproxy.c b/src/haproxy.c
index a4916cfa553c6c899f18c5c00bb7cd55e2443e89..50850e9e38b8747d6ff618600aeb8e199d5f94ea 100644 (file)
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1895,6 +1895,26 @@ static void dump_registered_keywords(void)
        }
 }
 
+/* Generate a random cluster-secret in case the setting is not provided in the
+ * configuration. This allows to use features which rely on it albeit with some
+ * limitations.
+ */
+static void generate_random_cluster_secret()
+{
+       /* used as a default random cluster-secret if none defined. */
+       uint64_t rand = ha_random64();
+
+       /* The caller must not overwrite an already defined secret. */
+       BUG_ON(global.cluster_secret);
+
+       global.cluster_secret = malloc(8);
+       if (!global.cluster_secret)
+               return;
+
+       memcpy(global.cluster_secret, &rand, sizeof(rand));
+       global.cluster_secret[7] = '\0';
+}
+
 /*
  * This function initializes all the necessary variables. It only returns
  * if everything is OK. If something fails, it exits.
@@ -2562,6 +2582,9 @@ static void init(int argc, char **argv)
                exit(1);
        }
 
+       if (!global.cluster_secret)
+               generate_random_cluster_secret();
+
        /*
         * Note: we could register external pollers here.
         * Built-in pollers have been registered before main().