From: Amaury Denoyelle
Date: Wed, 19 May 2021 07:49:41 +0000 (+0200)
Subject: MINOR: ssl: support ssl keyword for dynamic servers
X-Git-Tag: v2.5-dev1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34897d2eff6a2f11a6586bd05e6ea7c90b77542a;p=thirdparty%2Fhaproxy.git
MINOR: ssl: support ssl keyword for dynamic servers
Activate the 'ssl' keyword for dynamic servers. This is the final step to have ssl dynamic servers feature implemented. If activated, ssl_sock_prepare_srv_ctx will be called at the end of the 'add server' CLI handler. At the same time, update the management doc to list all ssl keywords implemented for dynamic servers.
---
diff --git a/doc/management.txt b/doc/management.txt
index 932981bfc2..7abfc85fb2 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1472,13 +1472,25 @@ add server / [args]*
 Here is the list of the currently supported keywords :
+ - allow-0rtt
+ - alpn
 - backup
+ - ca-file
+ - ciphers
+ - ciphersuites
+ - crl-file
+ - crt
 - disabled
 - enabled
+ - force-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
 - id
 - maxconn
 - maxqueue
 - minconn
+ - no-ssl-reuse
+ - no-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
+ - no-tls-tickets
+ - npn
 - pool-low-conn
 - pool-max-conn
 - pool-purge-delay
@@ -1486,9 +1498,18 @@ add server / [args]*
 - proxy-v2-options
 - send-proxy
 - send-proxy-v2
+ - send-proxy-v2-ssl
+ - send-proxy-v2-ssl-cn
+ - sni
 - source
+ - ssl
+ - ssl-max-ver
+ - ssl-min-ver
 - tfo
+ - tls-tickets
 - usesrc
+ - verify
+ - verifyhost
 - weight
 Their syntax is similar to the server line from the configuration file,
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 7aa8efa0fb..6df5911ebd 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1911,7 +1911,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1, 1 }, /* send PROXY protocol header v2 with SSL info */
 { "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1, 1 }, /* send PROXY protocol header v2 with CN */
 { "sni", srv_parse_sni, 1, 1, 1 }, /* send SNI extension */
- { "ssl", srv_parse_ssl, 0, 1, 0 }, /* enable SSL processing */
+ { "ssl", srv_parse_ssl, 0, 1, 1 }, /* enable SSL processing */
 { "ssl-min-ver", srv_parse_tls_method_minmax, 1, 1, 1 }, /* minimum version */
 { "ssl-max-ver", srv_parse_tls_method_minmax, 1, 1, 1 }, /* maximum version */
 { "ssl-reuse", srv_parse_ssl_reuse, 0, 1, 0 }, /* enable session reuse */
diff --git a/src/server.c b/src/server.c
index 4a4c3c8436..96390e86d2 100644
--- a/src/server.c
+++ b/src/server.c
@@ -4491,6 +4491,13 @@ static int cli_parse_add_server(char **args, char *payload, struct appctx *appct
 goto out;
 }
+ if (srv->use_ssl == 1) {
+ if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv) {
+ if (xprt_get(XPRT_SSL)->prepare_srv(srv))
+ goto out;
+ }
+ }
+
 /* Attach the server to the end of the proxy linked list. Note that this
 * operation is not thread-safe so this is executed under thread
 * isolation.
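Review bot: The new block in cli_parse_add_server calls `xprt_get(XPRT_SSL)` three times and nests three `if`s for one condition; caching the lookup reads better and drops the repeated calls: `const struct xprt_ops *xprt = xprt_get(XPRT_SSL);` / `if (srv->use_ssl == 1 && xprt && xprt->prepare_srv && xprt->prepare_srv(srv))` / `goto out;`. A failing `prepare_srv` jumps to `out` without setting any CLI error message inside this hunk, so unless the `out` label reports one itself the operator only learns why the add was refused from the process log; a `cli_err()` naming the SSL context preparation failure before the `goto` would keep the CLI answer self-explanatory. cli_parse_add_server starts and ends outside the hunk, so whether `out` releases the partially initialised server and its SSL state cannot be checked here.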