From: Amaury Denoyelle
Date: Wed, 9 Mar 2022 13:20:10 +0000 (+0100)
Subject: MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers
X-Git-Tag: v2.6-dev3~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d098bea2b63e8450227cff2e44c08796de7c9a6;p=thirdparty%2Fhaproxy.git

MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers

For server checks, SSL and PROXY are automatically inherited from the server settings if no specific check port is specified. Change this behavior for dynamic servers: explicit "check-ssl"/"check-send-proxy" are required for them.

Without this change, it is impossible to add a dynamic server with SSL/PROXY settings and checks without, if the check port is not explicit. This is because "no-check-ssl"/"no-check-send-proxy" keywords are not available for dynamic servers.

This change respects the principle that dynamic servers on the CLI should not reuse the same shortcuts used during the config file parsing. Mostly because we expect this feature to be manipulated by automated tools, contrary to the config file which should aim to be the shortest possible for human readability.

Update the documentation of the "check" keyword to reflect this change.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt index 583df47733..e1ae117b00 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -14435,7 +14435,8 @@ check transport layer. This means TCP by default, or SSL/TLS when "ssl" or "check-ssl" are set, both possibly combined with connection prefixes such as a PROXY protocol header when "send-proxy" or "check-send-proxy" are - set. + set. This behavior is slightly different for dynamic servers, read the + following paragraphs for more details. - when set and an application-level health check is defined, the application-level exchanges are performed on top of the configured transport layer and the server is considered available if all of the 
@@ -14449,6 +14450,11 @@ check parameters are not reused. One must explicitly set "check-send-proxy" to send connection headers, "check-ssl" to use SSL/TLS. + Note that the implicit configuration of ssl and PROXY protocol is not + performed for dynamic servers. In this case, it is required to explicitely + use "check-ssl" and "check-send-proxy" when wanted, even if the check port is + not overridden. + When "sni" or "alpn" are set on the server line, their value is not used for health checks and one must use "check-sni" or "check-alpn". diff --git a/src/check.c b/src/check.c index 413ef3fdae..da2deab37c 100644 --- a/src/check.c +++ b/src/check.c 
@@ -1566,22 +1566,33 @@ int init_srv_check(struct server *srv) check_type = srv->check.tcpcheck_rules->flags & TCPCHK_RULES_PROTO_CHK; - /* If neither a port nor an addr was specified and no check transport - * layer is forced, then the transport layer used by the checks is the - * same as for the production traffic. Otherwise we use raw_sock by - * default, unless one is specified. - */ - if (!srv->check.port && !is_addr(&srv->check.addr)) { - if (!srv->check.use_ssl && srv->use_ssl != -1) { - srv->check.use_ssl = srv->use_ssl; - srv->check.xprt = srv->xprt; + if (!(srv->flags & SRV_F_DYNAMIC)) { + /* If neither a port nor an addr was specified and no check + * transport layer is forced, then the transport layer used by + * the checks is the same as for the production traffic. + * Otherwise we use raw_sock by default, unless one is + * specified. + */ + if (!srv->check.port && !is_addr(&srv->check.addr)) { + if (!srv->check.use_ssl && srv->use_ssl != -1) { + srv->check.use_ssl = srv->use_ssl; + srv->check.xprt = srv->xprt; + } + else if (srv->check.use_ssl == 1) + srv->check.xprt = xprt_get(XPRT_SSL); + srv->check.send_proxy |= (srv->pp_opts); } else if (srv->check.use_ssl == 1) srv->check.xprt = xprt_get(XPRT_SSL); - srv->check.send_proxy |= (srv->pp_opts); } - else if (srv->check.use_ssl == 1) - srv->check.xprt = xprt_get(XPRT_SSL); + else { + /* For dynamic servers, check-ssl and check-send-proxy must be + * explicitely defined even if the check port was not + * overridden. + */ + if (srv->check.use_ssl == 1) + srv->check.xprt = xprt_get(XPRT_SSL); + } /* Inherit the mux protocol from the server if not already defined for * the check
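Review bot: the sentence added in the first doc/configuration.txt hunk ("This behavior is slightly different for dynamic servers, read the following paragraphs for more details.") is a comma splice; suggest splitting it or using "see", keeping the file's wrapping: `set. This behavior is slightly different for dynamic servers; see the` / `following paragraphs for more details.`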
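Review bot: "explicitely" in the second doc/configuration.txt hunk is misspelled and should read "explicitly"; "when wanted" would also read better as "when desired". It would help the reader to state the reason given in the commit message, that "no-check-ssl"/"no-check-send-proxy" are not available for dynamic servers, since that is what makes the explicit keywords mandatory.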
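Review bot: the new `else` branch for SRV_F_DYNAMIC in init_srv_check() repeats the `if (srv->check.use_ssl == 1) srv->check.xprt = xprt_get(XPRT_SSL);` statement that now appears three times in the function. The only behaviour that differs for dynamic servers is the inheritance of SSL/PROXY when no check port or address is set, so the flag could be folded into the existing condition, e.g. `if (!(srv->flags & SRV_F_DYNAMIC) && !srv->check.port && !is_addr(&srv->check.addr)) {` with the inherit block unchanged and a single `else if (srv->check.use_ssl == 1)` fallback, keeping the dynamic-server comment above it; the behaviour is identical and one copy disappears. Also "explicitely" in the new comment should be "explicitly".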