From: Amaury Denoyelle
Date: Fri, 28 May 2021 08:34:01 +0000 (+0200)
Subject: REORG: config: use parsing ctx for server config check
X-Git-Tag: v2.5-dev1~190
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e74cbc3227908b69fadf95c6a876a85ff71cb192;p=thirdparty%2Fhaproxy.git

REORG: config: use parsing ctx for server config check

Initialize the parsing context when checking server config validity. Adjust the log messages to remove redundant config file/line and server name. Do a similar cleaning in prepare_srv from ssl_sock as this function is called at the same stage. This will standardize the stderr output on startup with the parse_server function.
---

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 4b03b63834..b1274cdb80 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -3523,6 +3523,8 @@ out_uri_auth_compat:
 */
 newsrv = curproxy->srv;
 while (newsrv != NULL) {
+ set_usermsgs_ctx(newsrv->conf.file, newsrv->conf.line, &newsrv->obj_type);
+
 if (newsrv->minconn > newsrv->maxconn) {
 /* Only 'minconn' was specified, or it was higher than or equal
 * to 'maxconn'. Let's turn this into maxconn and clean it, as
@@ -3548,10 +3550,7 @@ out_uri_auth_compat:
 if ((newsrv->flags & SRV_F_FASTOPEN) &&
 ((curproxy->retry_type & (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)) !=
 (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)))
- ha_warning("parsing [%s:%d] : %s '%s': server '%s' has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n",
- newsrv->conf.file, newsrv->conf.line,
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id);
+ ha_warning("server has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n");
 
 if (newsrv->trackit) {
 struct proxy *px;
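Review bot: The `set_usermsgs_ctx()` call added at the top of the server loop has no comment saying why the alerts and warnings below it stopped spelling out the file, line, proxy and server, so a reader who meets one of the shortened messages (the tfo warning in the 3548 hunk, for instance) cannot see where that identity now comes from. A one-line comment above the call, `/* ha_alert()/ha_warning() below get file/line and server identity from this ctx; reset at next_srv */`, would state the contract, and the same remark belongs next to the `reset_usermsgs_ctx()` added in the 3628 hunk. The pairing also relies on every path out of the loop body reaching `next_srv:`; the visible `goto next_srv` error paths do, but the loop body extends past the end of this hunk, so the remaining exits cannot be checked here.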
@@ -3571,9 +3570,8 @@ out_uri_auth_compat:
 if (pname) {
 px = proxy_be_by_name(pname);
 if (!px) {
- ha_alert("config : %s '%s', server '%s': unable to find required proxy '%s' for tracking.\n",
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id, pname);
+ ha_alert("unable to find required proxy '%s' for tracking.\n",
+ pname);
 cfgerr++;
 goto next_srv;
 }
@@ -3582,18 +3580,16 @@ out_uri_auth_compat:
 
 srv = findserver(px, sname);
 if (!srv) {
- ha_alert("config : %s '%s', server '%s': unable to find required server '%s' for tracking.\n",
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id, sname);
+ ha_alert("unable to find required server '%s' for tracking.\n",
+ sname);
 cfgerr++;
 goto next_srv;
 }
 
 if (!srv->do_check && !srv->do_agent && !srv->track && !srv->trackit) {
- ha_alert("config : %s '%s', server '%s': unable to use %s/%s for "
+ ha_alert("unable to use %s/%s for "
 "tracking as it does not have any check nor agent enabled.\n",
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id, px->id, srv->id);
+ px->id, srv->id);
 cfgerr++;
 goto next_srv;
 }
@@ -3601,10 +3597,9 @@ out_uri_auth_compat:
 for (loop = srv->track; loop && loop != newsrv; loop = loop->track);
 
 if (newsrv == srv || loop) {
- ha_alert("config : %s '%s', server '%s': unable to track %s/%s as it "
+ ha_alert("unable to track %s/%s as it "
 "belongs to a tracking chain looping back to %s/%s.\n",
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id, px->id, srv->id, px->id,
+ px->id, srv->id, px->id,
 newsrv == srv ? srv->id : loop->id);
 cfgerr++;
 goto next_srv;
@@ -3612,10 +3607,9 @@ out_uri_auth_compat:
 
 if (curproxy != px &&
 (curproxy->options & PR_O_DISABLE404) != (px->options & PR_O_DISABLE404)) {
- ha_alert("config : %s '%s', server '%s': unable to use %s/%s for"
+ ha_alert("unable to use %s/%s for"
 "tracking: disable-on-404 option inconsistency.\n",
- proxy_type_str(curproxy), curproxy->id,
- newsrv->id, px->id, srv->id);
+ px->id, srv->id);
 cfgerr++;
 goto next_srv;
 }
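Review bot: The rewritten format string in the 3612 hunk keeps the missing separator of the line it replaces: `"unable to use %s/%s for"` is concatenated straight onto the unchanged `"tracking: disable-on-404 option inconsistency.\n"`, so the alert prints "fortracking". Since the line is already being rewritten, change it to `ha_alert("unable to use %s/%s for "` with a trailing space, matching the correctly spaced `"... for "` join in the 3582 hunk.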
@@ -3628,6 +3622,7 @@ out_uri_auth_compat:
 }
 
 next_srv:
+ reset_usermsgs_ctx();
 newsrv = newsrv->next;
 }
 
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 993772f1a0..6553584c8f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4619,7 +4619,6 @@ static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx)
 /* prepare ssl context from servers options. Returns an error count */
 int ssl_sock_prepare_srv_ctx(struct server *srv)
 {
- struct proxy *curproxy = srv->proxy;
 int cfgerr = 0;
 SSL_CTX *ctx = srv->ssl_ctx.ctx;
 
@@ -4635,9 +4634,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 /* Initiate SSL context for current server */
 if (!srv->ssl_ctx.reused_sess) {
 if ((srv->ssl_ctx.reused_sess = calloc(1, global.nbthread*sizeof(*srv->ssl_ctx.reused_sess))) == NULL) {
- ha_alert("Proxy '%s', server '%s' [%s:%d] out of memory.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line);
+ ha_alert("out of memory.\n");
 cfgerr++;
 return cfgerr;
 }
@@ -4650,9 +4647,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 if (!ctx) {
 ctx = SSL_CTX_new(SSLv23_client_method());
 if (!ctx) {
- ha_alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
- proxy_type_str(curproxy), curproxy->id,
- srv->id);
+ ha_alert("unable to allocate ssl context.\n");
 cfgerr++;
 return cfgerr;
 }
@@ -4687,9 +4682,8 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 int flags = MC_SSL_O_ALL;
 
 if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
- ha_warning("config : %s '%s': no-sslv3/no-tlsv1x are ignored for server '%s'. "
- "Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n",
- proxy_type_str(curproxy), curproxy->id, srv->id);
+ ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
+ "Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n");
 else
 flags = conf_ssl_methods->flags;
 
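Review bot: After the 4619 hunk drops `curproxy`, the alerts that `ssl_sock_prepare_srv_ctx()` emits in the 4635 and 4650 hunks, `"out of memory.\n"` and `"unable to allocate ssl context.\n"`, carry no server identity of their own, so they are only meaningful when the caller has set the user-message context first; the function is exported and its header comment does not say so. Extend the comment kept as context in this hunk to `/* prepare ssl context from servers options. Returns an error count. Alerts rely on the caller having set the user messages context (set_usermsgs_ctx()), which prefixes them with file/line and server. */`. A caller outside the config-check loop in cfgparse.c would otherwise print an anonymous alert; the callers are not visible from here.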
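Review bot: The 4687 hunk and the 4770, 4792 and 4808 hunks remove every use of `curproxy` that is visible inside `ssl_sock_prepare_srv_ssl_ctx()`, but none of them touches the function's declarations, which lie above the hunk. If this function declares its own `struct proxy *curproxy = srv->proxy;`, as `ssl_sock_prepare_srv_ctx()` did until this commit removed it in the 4619 hunk, that local is now unused and will trigger an unused-variable warning, so it should be dropped in the same commit. If the proxy is still used elsewhere in the function, this does not apply.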
@@ -4770,21 +4764,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 if (srv->ssl_ctx.ca_file) {
 /* set CAfile to verify */
 if (!ssl_set_verify_locations_file(ctx, srv->ssl_ctx.ca_file)) {
- ha_alert("Proxy '%s', server '%s' [%s:%d] unable to set CA file '%s'.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line, srv->ssl_ctx.ca_file);
+ ha_alert("unable to set CA file '%s'.\n",
+ srv->ssl_ctx.ca_file);
 cfgerr++;
 }
 }
 else {
 if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
- ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line);
+ ha_alert("verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n");
 else
- ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled but no CA file specified.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line);
+ ha_alert("verify is enabled but no CA file specified.\n");
 cfgerr++;
 }
 #ifdef X509_V_FLAG_CRL_CHECK
@@ -4792,9 +4781,8 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 X509_STORE *store = SSL_CTX_get_cert_store(ctx);
 
 if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) {
- ha_alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
+ ha_alert("unable to configure CRL file '%s'.\n",
+ srv->ssl_ctx.crl_file);
 cfgerr++;
 }
 else {
@@ -4808,18 +4796,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 SSL_CTX_sess_set_new_cb(ctx, ssl_sess_new_srv_cb);
 if (srv->ssl_ctx.ciphers &&
 !SSL_CTX_set_cipher_list(ctx, srv->ssl_ctx.ciphers)) {
- ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
+ ha_alert("unable to set SSL cipher list to '%s'.\n",
+ srv->ssl_ctx.ciphers);
 cfgerr++;
 }
 
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (srv->ssl_ctx.ciphersuites &&
 !SSL_CTX_set_ciphersuites(ctx, srv->ssl_ctx.ciphersuites)) {
- ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
- curproxy->id, srv->id,
- srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
+ ha_alert("unable to set TLS 1.3 cipher suites to '%s'.\n",
+ srv->ssl_ctx.ciphersuites);
 cfgerr++;
 }
 #endif