From: Vsevolod Stakhov
Date: Mon, 9 Feb 2026 14:34:47 +0000 (+0000)
Subject: [Feature] Auto-detect SSL from bind sockets, remove ssl = true option
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4674408f698321b5c2667f42907acc3640c65734;p=thirdparty%2Frspamd.git

[Feature] Auto-detect SSL from bind sockets, remove ssl = true option

Instead of requiring a separate `ssl = true` worker option, automatically detect SSL need by checking if any bind socket has the ssl flag. Emit an error if SSL bind sockets are configured but ssl_cert/ssl_key are missing.
---

diff --git a/src/controller.c b/src/controller.c
index 73a83d1f36..a74e783aae 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -140,8 +140,6 @@ struct rspamd_controller_worker_ctx {
 struct rspamd_config *cfg;
 /* END OF COMMON PART */
 ev_tstamp timeout;
-/* Whether we use ssl for this server */
-gboolean use_ssl;
 /* Webui password */
 char *password;
 /* Privileged password */
@@ -3721,15 +3719,6 @@ init_controller_worker(struct rspamd_config *cfg)
 0,
 "Password for read and write commands");
-rspamd_rcl_register_worker_option(cfg,
-type,
-"ssl",
-rspamd_rcl_parse_struct_boolean,
-ctx,
-G_STRUCT_OFFSET(struct rspamd_controller_worker_ctx, use_ssl),
-0,
-"Enable SSL for this worker");
-
 rspamd_rcl_register_worker_option(cfg,
 type,
 "ssl_cert",
@@ -4119,16 +4108,21 @@ start_controller_worker(struct rspamd_worker *worker)
 rspamd_controller_finish_handler, ctx->timeout, ctx->static_files_dir, ctx->http_ctx);
-if (ctx->use_ssl && ctx->ssl_cert && ctx->ssl_key) {
-gpointer server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
+if (rspamd_worker_has_ssl_socket(worker)) {
+if (ctx->ssl_cert && ctx->ssl_key) {
+gpointer server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
-if (server_ssl_ctx) {
-rspamd_ssl_ctx_config(ctx->cfg, server_ssl_ctx);
-rspamd_http_router_set_ssl(ctx->http, server_ssl_ctx);
-msg_info_ctx("enabled SSL for controller worker");
+if (server_ssl_ctx) {
+rspamd_ssl_ctx_config(ctx->cfg, server_ssl_ctx);
+rspamd_http_router_set_ssl(ctx->http, server_ssl_ctx);
+msg_info_ctx("enabled SSL for controller worker");
+}
+else {
+msg_err_ctx("failed to create SSL context for controller worker");
+}
 }
 else {
-msg_err_ctx("failed to create SSL context for controller worker");
+msg_err_ctx("ssl bind socket configured but ssl_cert or ssl_key is missing");
 }
 }
diff --git a/src/libserver/worker_util.c b/src/libserver/worker_util.c
index c28ce36661..35700fb325 100644
--- a/src/libserver/worker_util.c
+++ b/src/libserver/worker_util.c
@@ -2914,3 +2914,22 @@ rspamd_worker_is_ssl_socket(struct rspamd_worker *worker, int fd)
 return FALSE;
 }
+
+gboolean
+rspamd_worker_has_ssl_socket(struct rspamd_worker *worker)
+{
+struct rspamd_worker_bind_conf *bcf;
+
+if (worker == NULL || worker->cf == NULL) {
+return FALSE;
+}
+
+LL_FOREACH(worker->cf->bind_conf, bcf)
+{
+if (bcf->is_ssl) {
+return TRUE;
+}
+}
+
+return FALSE;
+}
diff --git a/src/libserver/worker_util.h b/src/libserver/worker_util.h
index 1089c0a9cf..359351807f 100644
--- a/src/libserver/worker_util.h
+++ b/src/libserver/worker_util.h
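Review bot: The new outer branch only logs when an ssl-flagged bind socket ends up without a usable context — both the missing `ssl_cert`/`ssl_key` case and a failed `rspamd_init_ssl_ctx_server` — and then falls through, so the worker still starts and keeps the listeners the config marked as ssl while `rspamd_http_router_set_ssl` was never called. Whether those connections are then refused or served without TLS is decided outside this hunk, so I can't tell from here; either way a listener the operator explicitly configured as ssl should fail closed at startup, i.e. this branch should abort the worker (or not bind the ssl sockets) rather than be a log line. The same block is repeated almost verbatim in `start_rspamd_proxy` and `start_worker` in this commit; a shared helper in worker_util.c taking cfg, cert and key and returning the server context or NULL would keep the three in step and give the fail-closed decision one home. Since the `ssl` worker option is no longer registered, existing configs that still set `ssl = true` presumably hit whatever path unknown worker options take, which may be worth a deprecated no-op registration for one release. `start_controller_worker` begins and ends outside this hunk.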
@@ -391,6 +391,13 @@ rspamd_fstring_t *rspamd_metrics_to_prometheus_string(const ucl_object_t *top);
 */
 gboolean rspamd_worker_is_ssl_socket(struct rspamd_worker *worker, int fd);
+/**
+ * Check if any bind socket for this worker has SSL enabled
+ * @param worker
+ * @return TRUE if any socket is SSL
+ */
+gboolean rspamd_worker_has_ssl_socket(struct rspamd_worker *worker);
+
 #ifdef WITH_HYPERSCAN
 struct rspamd_control_command;
diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c
index 0f61124334..abf482f6b1 100644
--- a/src/rspamd_proxy.c
+++ b/src/rspamd_proxy.c
@@ -181,8 +181,6 @@ struct rspamd_proxy_ctx {
 /* Default log tag type for worker */
 enum rspamd_proxy_log_tag_type log_tag_type;
 struct rspamd_main *srv;
-/* Whether we use ssl for this server */
-gboolean use_ssl;
 /* SSL cert */
 char *ssl_cert;
 /* SSL private key */
@@ -1065,14 +1063,6 @@ init_rspamd_proxy(struct rspamd_config *cfg)
 G_STRUCT_OFFSET(struct rspamd_proxy_ctx, encrypted_only),
 0,
 "Allow only encrypted connections");
-rspamd_rcl_register_worker_option(cfg,
-type,
-"ssl",
-rspamd_rcl_parse_struct_boolean,
-ctx,
-G_STRUCT_OFFSET(struct rspamd_proxy_ctx, use_ssl),
-0,
-"Enable SSL for this worker");
 rspamd_rcl_register_worker_option(cfg,
 type,
 "ssl_cert",
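Review bot: The new doc comment leaves `@param worker` undescribed and does not state what a NULL worker yields, although the implementation added in worker_util.c returns FALSE for a NULL worker or a worker whose `cf` is NULL; documenting that contract here tells callers they need not guard, e.g. `@param worker worker to inspect; may be NULL` and `@return TRUE if any bind socket of the worker is marked ssl, FALSE otherwise (including a NULL worker or one without a config)`. It is also worth saying that the check is on the bind configuration only, not on whether an SSL context was actually created, since the callers in this commit use it before any context exists.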
@@ -3416,15 +3406,20 @@ start_rspamd_proxy(struct rspamd_worker *worker)
 (rspamd_mempool_destruct_t) rspamd_http_context_free, ctx->http_ctx);
-if (ctx->use_ssl && ctx->ssl_cert && ctx->ssl_key) {
-ctx->server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
+if (rspamd_worker_has_ssl_socket(worker)) {
+if (ctx->ssl_cert && ctx->ssl_key) {
+ctx->server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
-if (ctx->server_ssl_ctx) {
-rspamd_ssl_ctx_config(ctx->cfg, ctx->server_ssl_ctx);
-msg_info("enabled SSL for proxy worker");
+if (ctx->server_ssl_ctx) {
+rspamd_ssl_ctx_config(ctx->cfg, ctx->server_ssl_ctx);
+msg_info("enabled SSL for proxy worker");
+}
+else {
+msg_err("failed to create SSL context for proxy worker");
+}
 }
 else {
-msg_err("failed to create SSL context for proxy worker");
+msg_err("ssl bind socket configured but ssl_cert or ssl_key is missing");
 }
 }
diff --git a/src/worker.c b/src/worker.c
index 6dc9dd9741..3d7fd0ba51 100644
--- a/src/worker.c
+++ b/src/worker.c
@@ -487,15 +487,6 @@ init_worker(struct rspamd_config *cfg)
 0,
 "Encryption keypair");
-rspamd_rcl_register_worker_option(cfg,
-type,
-"ssl",
-rspamd_rcl_parse_struct_boolean,
-ctx,
-G_STRUCT_OFFSET(struct rspamd_worker_ctx, use_ssl),
-0,
-"Enable SSL for this worker");
-
 rspamd_rcl_register_worker_option(cfg,
 type,
 "ssl_cert",
@@ -547,15 +538,20 @@ start_worker(struct rspamd_worker *worker)
 (rspamd_mempool_destruct_t) rspamd_http_context_free, ctx->http_ctx);
-if (ctx->use_ssl && ctx->ssl_cert && ctx->ssl_key) {
-ctx->server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
+if (rspamd_worker_has_ssl_socket(worker)) {
+if (ctx->ssl_cert && ctx->ssl_key) {
+ctx->server_ssl_ctx = rspamd_init_ssl_ctx_server(ctx->ssl_cert, ctx->ssl_key);
-if (ctx->server_ssl_ctx) {
-rspamd_ssl_ctx_config(ctx->cfg, ctx->server_ssl_ctx);
-msg_info_ctx("enabled SSL for normal worker");
+if (ctx->server_ssl_ctx) {
+rspamd_ssl_ctx_config(ctx->cfg, ctx->server_ssl_ctx);
+msg_info_ctx("enabled SSL for normal worker");
+}
+else {
+msg_err_ctx("failed to create SSL context for normal worker");
+}
 }
 else {
-msg_err_ctx("failed to create SSL context for normal worker");
+msg_err_ctx("ssl bind socket configured but ssl_cert or ssl_key is missing");
 }
 }
diff --git a/src/worker_private.h b/src/worker_private.h
index 19f6cd7b31..b71d3b7333 100644
--- a/src/worker_private.h
+++ b/src/worker_private.h
@@ -45,8 +45,6 @@ struct rspamd_worker_ctx {
 gboolean is_mime;
 /* Allow encrypted requests only using network */
 gboolean encrypted_only;
-/* Whether we use ssl for this server */
-gboolean use_ssl;
 /* Limit of tasks */
 uint32_t max_tasks;
 /* Maximum time for task processing */