* Process management and security
- ca-base
- chroot
+ - cluster-secret
- crt-base
- cpu-map
- daemon
with superuser privileges. It is important to ensure that <jail_dir> is both
empty and non-writable to anyone.
+cluster-secret <secret>
+ Define an ASCII string secret shared between several nodes belonging to the
+ same cluster. It could be used for different usages. It is at least used to
+ derive stateless reset tokens for all the QUIC connections instantiated by
+ this process. If you do not set this parameter, the stateless reset QUIC
+ feature will be silently disabled.
+
close-spread-time <time>
Define a time window during which idle connections and active connections
closing is spread in case of soft-stop. After a SIGUSR1 is received and the
char *log_send_hostname; /* set hostname in syslog header */
char *server_state_base; /* path to a directory where server state files can be found */
char *server_state_file; /* path to the file where server states are loaded from */
+ char *cluster_secret; /* Secret defined as ASCII string */
struct {
int maxpollevents; /* max number of poll events at once */
int maxaccept; /* max number of consecutive accept() */
"log-tag", "spread-checks", "max-spread-checks", "cpu-map", "setenv",
"presetenv", "unsetenv", "resetenv", "strict-limits", "localpeer",
"numa-cpu-mapping", "defaults", "listen", "frontend", "backend",
- "peers", "resolvers",
+ "peers", "resolvers", "cluster-secret",
NULL /* must be last */
};
goto out;
}
}
+ else if (strcmp(args[0], "cluster-secret") == 0) {
+ if (alertif_too_many_args(1, file, linenum, args, &err_code))
+ goto out;
+ if (*args[1] == 0) {
+ ha_alert("parsing [%s:%d] : expects an ASCII string argument.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ if (global.cluster_secret != NULL) {
+ ha_alert("parsing [%s:%d] : '%s' already specified. Continuing.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT;
+ goto out;
+ }
+ ha_free(&global.cluster_secret);
+ global.cluster_secret = strdup(args[1]);
+ }
else if (strcmp(args[0], "uid") == 0) {
if (alertif_too_many_args(1, file, linenum, args, &err_code))
goto out;
struct cfg_postparser *postparser;
struct resolvers *curr_resolvers = NULL;
int i;
+ int diag_no_cluster_secret = 0;
bind_conf = NULL;
/*
#ifdef USE_QUIC
/* override the accept callback for QUIC listeners. */
if (listener->flags & LI_F_QUIC_LISTENER) {
+ if (!global.cluster_secret)
+ diag_no_cluster_secret = 1;
listener->accept = quic_session_accept;
li_init_per_thr(listener);
}
}
}
+ if (diag_no_cluster_secret)
+ ha_diag_warning("No cluster secret was set. The stateless reset feature"
+ " is disabled for all QUIC bindings.\n");
+
/*
* Recount currently required checks.
*/
ha_free(&global.log_send_hostname);
chunk_destroy(&global.log_tag);
ha_free(&global.chroot);
+ ha_free(&global.cluster_secret);
ha_free(&global.pidfile);
ha_free(&global.node);
ha_free(&global.desc);
projects / thirdparty / haproxy.git / commitdiff
