MINOR: server: reject QUIC servers without explicit SSL

Report an error during server configuration if QUIC is used by SSL is
not activiated via 'ssl' keyword. This is done in _srv_parse_finalize(),
which is both used by static and dynamic servers.

Note that contrary to listeners, an error is reported instead of a
warning, and SSL is not automatically activated if missing. This is
mainly due to the complex server configuration : _srv_parse_finalize()
is ideal to affect every servers, including dynamic entries. However, it
is executed after server SSL context allocation performed via
<prepare_srv> XPRT operation. A proper fix would be to move SSL ctx
alloc in _srv_parse_finalize(), but this may have unknown impact. Thus,
for now a simpler solution has been chosen.

diff --git a/src/server.c b/src/server.c
index 39d798ec4e58b2e82fd78b1db92df3e82efa51eb..45b079e9df053ad5a757d69b8146f0dd1e611cbb 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -3836,6 +3836,15 @@ static int _srv_parse_finalize(char **args, int cur_arg,
                }
        }
 
+#ifdef USE_QUIC
+       if (srv_is_quic(srv)) {
+               if (!srv->use_ssl) {
+                       ha_alert("QUIC protocol detected without explicit SSL requirement. Use 'ssl' to fix this.\n");
+                       return ERR_ALERT | ERR_FATAL;
+               }
+       }
+#endif
+
        srv_lb_commit_status(srv);
 
        return 0;