From: William Lallemand
Date: Wed, 16 Mar 2022 14:47:47 +0000 (+0100)
Subject: BUG/MINOR: httpclient: send the SNI using the host header
X-Git-Tag: v2.6-dev4~65
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71e3158;p=thirdparty%2Fhaproxy.git

BUG/MINOR: httpclient: send the SNI using the host header

Generate an SNI expression which uses the Host header of the request. This is mandatory for most of the SSL servers nowadays. Must be backported in 2.5 with the previous patch which export server_parse_sni_expr().
---
diff --git a/src/http_client.c b/src/http_client.c
index f849fea3a6..30656e0362 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -1061,6 +1061,8 @@ static int httpclient_cfg_postparser()
 {
 struct logsrv *logsrv;
 struct proxy *curproxy = httpclient_proxy;
+ int err_code = 0;
+ char *errmsg = NULL;

 /* copy logs from "global" log list */
 list_for_each_entry(logsrv, &global.logsrvs, list) {
@@ -1089,6 +1091,19 @@ static int httpclient_cfg_postparser()
 curproxy->conf.args.file = NULL;
 curproxy->conf.args.line = 0;
 }
+
+#ifdef USE_OPENSSL
+ /* init the SNI expression */
+ /* always use the host header as SNI, without the port */
+ httpclient_srv_ssl->sni_expr = strdup("req.hdr(host),field(1,:)");
+ err_code |= server_parse_sni_expr(httpclient_srv_ssl, httpclient_proxy, &errmsg);
+ if (err_code & ERR_CODE) {
+ ha_alert("httpclient: failed to configure sni: %s.\n", errmsg);
+ free(errmsg);
+ goto err;
+ }
+#endif
+
 return 0;
 err:
 return 1;
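Review bot: In the second hunk the result of `strdup("req.hdr(host),field(1,:)")` is stored in `httpclient_srv_ssl->sni_expr` and handed to `server_parse_sni_expr()` without a NULL check, so an allocation failure is not reported as such; a guard like `if (!httpclient_srv_ssl->sni_expr) { ha_alert("httpclient: out of memory.\n"); goto err; }` before the parse call would make it explicit. The `field(1,:)` converter cuts at the first colon, so a Host header holding a bracketed IPv6 literal (for example `[::1]:8443`, a constructed value) would presumably produce `[` as the SNI; a comment stating that limitation, or skipping the SNI for address literals, would help. The hunk only sets the SNI and does not show whether the server certificate is verified against the same name, which is worth confirming because SNI alone does not authenticate the peer. `httpclient_cfg_postparser()` starts before this hunk, and whether `httpclient_srv_ssl` can be NULL at this point is not visible here.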